• United States
by Steve Taylor and Joanie Wexler

How are managed security operations run?

Sep 04, 20032 mins

* Managed security musings

Last time, we broached the question of whether outsourcing network security increases or mitigates risk to your organization. In addition to the traditional managed security service providers, such as EDS, IBM, ISS and Counterpane Internet Security, the global network service providers are getting into the act. AT&T and Equant, for example, announced managed security services this summer.

AT&T offers network-based firewall and intrusion detection services to its Web hosting customers. At Equant, both CPE- and network-based versions of managed firewall, intrusion detection, antivirus and URL filtering services are available. For its part, MCI offers some customer security services in partnership with ISS.

What’s important in evaluating a managed security service from a carrier is to find out, in as much detail as possible, how the service is actually run. For example, when asked, Peter Glock, head of Equant’s security product line shared the following reassurances about his company’s managed security services:

* Security operations staff is separate from the network operations staff. “The network staff doesn’t touch the security infrastructure and the security staff doesn’t see the Equant network,” he said.

* There are just 140 people running the day-to-day global security operations (not thousands, as we’d expected) and, according to Glock, just 20 can log onto a given customer’s device to make a change.

* Rigid operational procedures permit device changes only when the change arrives via an authenticated route by personnel using a SecurID token with a digital certificate and 128-bit SSL encryption.

* Customers can audit what’s going on with their own security equipment through a special Web portal, “where we can demonstrate for them that there is no unauthorized access to their security,” Glock said.

Should the entity watching over the security processes guarding your network have some skin in the game, perhaps with some parameters for shared liability spelled out in the agreement?

Glock is frank: “We try and run away from any contingent liability,” he says. He says that when pressed, Equant offers to purchase cyber liability on the customer’s behalf, with a markup. “Customers usually figure they might as well just buy it themselves.”