Responsibility handover

A secure IT infrastructure is of paramount importance to businesses and it is becoming a common practice for organisations to turn to managed security service providers (MSSPs). However, are CIOs in the Middle East ready to hand over corporate data to a third party?

By Sarah Gain. Published March 23, 2005

Photo caption: “We assessed security outsourcing in the region and concluded that the market was not mature enough,” says Abu Dhabi Islamic Bank’s Adel Ahmed Al Zarouni.

In 2003, when the Abu Dhabi Islamic Bank was exploring the possibility of using the services of a managed security service provider (MSSP), Adel Ahmed Al Zarouni, the bank’s senior vice president of IT, was not convinced by the options available at the time. “When we assessed security outsourcing in the region we concluded that the market was not mature enough. There was only one vendor (Datafort) that was ready in the Middle East region at that time and we did not want to risk it,” he says.

Two years on, a survey by research group IDC puts worldwide investment in MSS at US$2.2 billion last year. The analyst house forecasts that the MSS market will continue to grow at a compound annual growth rate (CAGR) of 26.7% toward 2006, reaching a value of US$5.7 billion. However, MSS in the Middle East is still in an embryonic stage, with only a small number of hosting firms, internet service providers (ISPs) and selected vendors offering the service.

Outsourcing selected security responsibilities by forming a partnership with an MSSP can be a good solution for enterprises that do not want the responsibility of managing their own security. Although the company still owns its information security and business risk, contracting with a third party allows it to share risk management and mitigation approaches. The municipal government of the city of Sterling Heights, in Michigan, USA, decided to entrust the management of its online security to Internet Security Systems (ISS) as part of a major five-year drive to overhaul its IT infrastructure. “Like all city governments, we are entrusted with highly sensitive information and cannot afford to have problems with online security. Our network has never been hit with a virus, a worm or any of the security issues my peers say create huge problems for them. I can confidently credit our success to ISS,” says Steven Deon, network administrator at Sterling Heights.

Managed security services can provide a systematic approach to managing an organisation's security needs. The services may be delivered by a specialist inhouse team or outsourced to a service provider that oversees the network and information systems security of several companies. The functions of an MSSP include 24/7 monitoring and management of intrusion detection systems and firewalls, overseeing patch management and upgrades, performing security assessments and audits, and responding to emergencies. This takes the burden of performing these chores manually away from a company’s IT administrators.

Today, CIOs are seeking support that will free operational resources for higher value-added activities involving core competencies and business strategy. According to Jef Gielkens, EMEA alliance manager for ISS, “Even those organisations that can afford ample inhouse security expertise may not be getting the return on investment (ROI) that they anticipate. Highly paid IT employees spend their shifts watching management consoles instead of strategically planning ways to improve security posture. Allowing a third party to handle day-to-day security monitoring and management gives organisations an opportunity to reallocate inhouse resources to more strategic initiatives.” As security technologies and best practices change rapidly to keep pace with the escalation of threats and vulnerabilities facing businesses, many IT professionals lack the skill sets necessary to perform all the essential security functions within an organisation.
A report by IDC states that, “Even though the number of certified security professionals is growing year over year, the demand for these professionals is currently exceeding the supply.” Another research and consulting firm, Gartner Research, says that by the end of 2005 approximately 60% of enterprises globally will be outsourcing the management of at least one aspect of their IT security. Further research by the Meta Group predicts that the managed virtual private network (VPN) and firewall aspects of security will be the first to reach maturity on a worldwide scale.

Jamie Bliss, software sales manager for Sun Microsystems in the Middle East and North Africa, agrees that the ‘mix and match’ style of a multisourcing approach is likely to be the way most Middle Eastern organisations take up MSS offerings. “Multisourcing delivers many of the benefits of outsourcing, but unlike outsourcing, multisourcing offers businesses the ability to pick and choose what to outsource and what to keep inhouse,” says Bliss. “It also [allows] businesses [to] select the best supplier for each service. This approach allows businesses to retain control over their IT direction,” he adds.

Photo caption: The costs to establish, operate and manage MSSP service delivery should not exceed the anticipated benefits, says CA’s Karim Riyaz.

The range of services offered by MSSPs varies in its ability to meet an individual organisation’s security requirements. Availability and confidentiality must be key considerations for any business assessing the viability of the service, as must the integrity of the information assets critical to the organisation’s mission. It is therefore vital that a company specifies its security requirements in detail and requires candidate MSSPs to demonstrate their ability to meet them, both during evaluation and selection and while providing ongoing services.

“An organisation needs to understand the level of information security risk in outsourcing any managed security service when they make the request for proposal (RFP),” says Abdul Karim Riyaz, business technologist for Computer Associates (CA). “The costs to establish, operate and manage MSSP service delivery should not exceed the anticipated benefits,” he adds. The cost of setting up MSS and monitoring security on a single network is difficult to calculate because the service depends on the client’s infrastructure, security topology, components and service level. The example provided by Ayman Esmat, chief technology advisor at ISS Middle East, suggests that using a managed protection provider yields a 55% saving over inhouse security. “If we assume managing an infrastructure that has 12 high availability firewalls and six intrusion detection system (IDS) engines, [it] would cost around US$37,671 monthly, which translates to US$452,051 annually,” Esmat explains. “We could then factor in, for instance, ten full-time security staff providing 24/7 365-day coverage, managing the firewalls and IDS engines, attending two training classes per year, 20% employee turnover, equipment costs allocated over three years and a maintenance cost 15% of total equipment cost. Thus, the incurred cost for inhouse security management will be US$82,592 monthly; this adds up to US$995,102 annually.”

The benefits of working with a reputable and competent MSSP can potentially be far superior to anything an organisation can achieve on its own. The service provider can spread its investment in analysts, hardware, software and facilities across several clients, which reduces the per-client cost. “The customer can convert the variable costs of performing the security management inhouse to the fixed costs of services.
The service also means that the customer is not depreciating internal assets and it can experience cash flow improvements resulting from the transfer of software licenses and personnel to the MSSP,” Riyaz states.

Signing a contract with an MSSP also gives an enterprise greater freedom than if it were to invest in the infrastructure itself. Security concerns are taken away from the CIO, and should underperformance occur, the business has the autonomy to terminate the contract with the MSSP and move to another provider. However, unless there are serious breaches, most companies cannot afford to write off their own investment in security systems and start over. In addition, the shortage of qualified security personnel has put immense pressure on IT departments to recruit, train and retain staff. Outsourcing means that these issues, and the prohibitive costs associated with them, become the responsibility of the MSSP. Furthermore, an organisation that outsources repetitive security monitoring and protection functions can focus internal resources on more critical business initiatives.

When the University of Colorado Hospital (USA) contracted ISS to provide MSS, the arrangement gave Joe Bajek, director of IT, great peace of mind that the healthcare organisation’s highly confidential patient data was being protected. “That confidence frees me up to focus on the hospital’s overall IT risk management strategy and other critically important business initiatives. It also helps me sleep a little more soundly,” he says.

Justin Doo, managing director of Trend Micro Middle East and Africa, believes the potential operational benefit of outsourcing, rather than possible cost reductions, is likely to be the stronger driver for businesses in this region. “Dubai has a very competitive cost base when it comes to recruiting, which to some extent would negate the value of outsourcing here. It is more likely that companies would see greater operational benefits,” says Doo. “This is a completely different way of doing business and with the growing move within businesses both here [Middle East] and internationally to focus on their core competencies, MSS can help toward these types of objectives,” he adds.

Photo caption: Viruses are becoming more virulent and technologies are becoming increasingly complex, says Kaspersky Lab’s Eugene Kaspersky.

Inhouse IT staff who deal with security issues on a part-time basis, or who handle only a limited number of security incidents, will not be as competent as someone who manages security across several different clients and builds a wide range of solutions. Security vendors claim that MSS can bridge the monitoring-expertise gap for businesses with limited resources that cannot manage their security devices effectively. MSSPs have insight into security situations based on extensive experience, dealing with hundreds of potentially threatening situations every day. “As viruses become more virulent, technologies and procedures are becoming increasingly complex. To analyse and react to new updates as fast as physically possible a lot of effort is needed. It takes up to 20 people 24 hours a day, seven days a week to monitor for new virus outbreaks,” comments Eugene Kaspersky, founder and head of anti-virus research at Kaspersky Lab. “Not many companies have the capacity to do that,” he adds. A typical virus detection device managed by Symantec, for example, can receive approximately 9.5 million alerts in a month and reduce this to 1,500 events that could potentially present a danger. These events are then forwarded to analysts based at various specialised security operations centres (SOCs).
These state-of-the-art facilities, staffed by trained personnel, typically narrow the alerts down to approximately 350 actual attacks, with an average of three severe incidents.

Saudi Telecom (STC) was relatively forward thinking when it embarked on an MSS project in June 2002 by joining forces with Ubizen, contracting the provider to establish a security operations centre and train its personnel. The facility, which went live in early March 2003, is based on Ubizen’s operation centre standards, and its OnlineGuardian technology manages over 600 devices on the network, ranging from firewalls to policy management probes, authentication servers and network intrusion probes. “Saudi Telecom is continually working to build effective relations with its customers. Part of our responsibility is to ensure that our customers’ personal information is secure. [The project was] based on the best and latest technology available, ensuring our customers receive accessible and efficient service with the security they need,” comments Sami Mulla, information security general manager at STC. Since the implementation, Ubizen has continued to provide the operator with security operations, expert services and security intelligence lab (SIL) services, ensuring that STC’s security devices remain up to date.

It is not uncommon for organisations in the Middle East to have multiple improvised solutions for the same types of security problems and no enterprise-wide security strategy. Moving management duties to a capable security service provider will simplify and strengthen the enterprise's security posture. According to Riyaz, “Third party service providers can provide an independent perspective on the security set up of an organisation. They can often provide an integrated, more coherent solution and thereby eliminate redundant manpower, hardware and software.” When managed by skilled professionals, security technologies such as firewalls, intrusion detection systems (IDSs), virtual private networks (VPNs) and vulnerability assessment tools are far more effective and can protect the client’s network from unsecured VPN endpoints.

Despite the persuasive arguments in favour of adopting MSS, customer insecurity still inhibits the market. Such reservations are not entirely unfounded, as the offering is not risk-free. In deciding to work with a security service provider, an organisation needs to treat the venture as a risk-sharing decision. Regardless of the extent of the third party’s role, the client remains responsible for managing and responding to risks that materialise.

Photo caption: Outsourcing may not be the right solution for everyone, says Sun Microsystems’ Jamie Bliss.

Even though contracts with MSSPs entail confidentiality agreements and strict, detailed service level agreements (SLAs), and independent auditors monitor supplier performance, trust is the key issue. Enterprises in the region have high regard for the confidentiality of their information. MSSPs will have access to sensitive client information and to details of the client’s security posture and vulnerabilities. Intentional or accidental release of such information can be extremely damaging to the client, and this is the main stumbling block for the uptake of MSS. Furthermore, the shared operational environment used by the majority of MSSPs to serve multiple clients can pose more risks than an inhouse environment. Enterprises are not comfortable using third party IT infrastructure that is shared with other organisations.
“Sharing a data transmission capability such as a common network, or a processing environment such as a general purpose server, across multiple clients could hypothetically increase the chances of one organisation having access to the sensitive information of another,” points out Sun Microsystems’ Bliss. Demand for such services is diminished further because most local enterprises have reservations about handing over their critical systems to foreign companies. In a bid to overcome the reluctance of regional players to trust a foreign MSS vendor, outsourcing providers are keen to form partnerships with local companies. One example is the joint venture between Symantec and IMT in the Kingdom of Saudi Arabia (KSA): the Saudi company fronts the operation while drawing on Symantec’s worldwide network of SOCs to provide early warning of any potential threat to enterprises.

However, one of the greatest risks to an enterprise embarking on a third party relationship comes from inadequate planning, poor communication and a weak review process between the provider and the client. “Like any business relationship, MSS partnerships can fail at any stage — they require attention, care and diligence,” warns Riyaz. “An organisation needs to take account of a great many factors in its decision-making processes before engaging a service provider. There are some costs associated with giving up control of critical assets and security technologies. A business may lose out on the experience, knowledge and skill development that would ordinarily be associated with managing [the] security system itself,” he points out. This raises an important consideration for potential MSS subscribers. Before handing over the keys to its data castle to a third party, a company must develop legitimate contingency plans and ensure that it will still have appropriate resources to implement them should the MSS provider go out of business, deliver poorly or become more expensive.

“Many vendors have a hidden agenda about how they perceive the ideal customer relationship. They structure their professional relationships to achieve this business goal. For some, the priority is not the vendor’s role in enabling customer success, but rather they build a velvet cage to lock-in customers. While outsourcing works for some companies, others fear the associated loss of control and high exit barriers,” says Bliss.

Photo caption: Even organisations that can afford inhouse security expertise may not be getting the ROI that they anticipate, says ISS’ Jef Gielkens.

Ultimately, security management and monitoring services may offer customers the opportunity to focus on their core competencies, lower the total cost of ownership (TCO) of their security systems and rest assured that experts manage their networks. However, the Gulf States have a long way to go in the MSS space. “MSS is still seeing low adoption in the Middle East. This is purely due to the nature of the market. Indeed, businesses here [Middle East] are very hesitant to outsource even a normal IT infrastructure, to say nothing of the very sensitive IT field of security,” says Heini Booysen, software program manager at IDC Middle East and Africa. Tier one vendors will push MSS aggressively over the next few years, so it is important for CIOs to remember that outsourcing is not the only option for managing complex heterogeneous environments. Some end users may decide to solve their security management issues themselves by implementing a combination of network and systems management technologies. “Even though significant capital expenditure is required, an inhouse approach that involves sophisticated management technologies enables companies to reduce operations costs and maintain full control over the network simultaneously,” he notes.

“Outsourcing is not the right solution for all companies all the time,” says Sun Microsystems’ Jamie Bliss. “Different approaches work for different businesses and the right solution may change as organisations evolve. Many companies benefit from an approach that leverages the competencies and inherent cost advantages of both internal IT resources and outside vendors.”
