Middle East users pass on MSS offers

Although an increased number of vendors are now offering managed security services to end users, the majority of local firms remain blind to their benefits.

  • E-Mail
By  Peter Branton Published  April 17, 2005

Introduction|~||~||~|Two weeks ago, Symantec proudly announced to the IT community that it had obtained its second annual Statement of Auditing Standard No. 70 (SAS 70) for its managed security services (MSS) security operations centre (SOC) in Alexandria, USA. The report validated Symantec’s 24x7x365 security monitoring, management and response service for its enterprise customers. “Companies looking to outsource the management of their critical infrastructure should require third-party reviews to be performed on their service provider’s internal controls,” said Grant Geyer, vice president of Symantec’s managed security services unit. “Symantec customers can be assured that with the completion of our second annual SAS 70 Type II audit, our managed security services continue to be consistent, safe and reliable,” he added. The third party endorsement of Symantec’s MSS operation was well timed, especially as it has just introduced another string to its outsourcing bow —Symantec Hosted Mail Security. The new solution incorporates anti-spam and antivirus technologies, as well as the vendor’s Symantec Security Response offering. The anti-spam element of the service comes from Brightmail, which Symantec acquired last year, while the anti-virus component is Symantec’s own technology. Companies subscribing to Symantec’s latest service re-route their incoming and outgoing mail to one of the vendor’s hosting centres. Once there, the messages will be scanned before being sent on to the enterprise or out to the internet. This eliminates the need for on-site hardware and software and related management on a company’s network. A web-based management console lets administrators set e-mail policies and run reports. According to Symantec, users of the MSS offering benefit from safer systems and a lighter workload for network managers and security teams. Outsourcing corporate filtering also gives inhouse teams the opportunity to implement more rigorous policies and ensure sensitive information isn’t leaving the company via e-mail. “Multiple threat defences, such as anti-spam, antivirus and content filtering, combined with the easy management and deployment benefits inherent in a hosted solution, dramatically reduces the total cost of ownership associated with e-mail security, ” explained Vikram Suri, country manager, Symantec Gulf & Levant. “Backed by the industry’s leading information security vendor, Symantec Hosted Mail Security provides cost savings that can be measured in terms of reduced hardware, network bandwidth and administrator resources.” ||**||Global growth|~||~||~|Sales pitches such as Symatec’s appear to be working and MMS is certainly growing in popularity globally. IDC reported worldwide investment in MSS to be US$2.2 billion last year, and predicts that the market will continue to grow at a compound annual growth rate (CAGR) of 26.7% through to 2006 when it will reach a value of US$5.7 billion. The simple reason for this success is that outsourcing select security responsibilities by forming a partnership with an MSS provider (MSSP) can be a good solution for enterprises that do not want the responsibility of managing their own security. Although the company will still own information security and business risk, contracting with a third party allows it to share risk management and mitigation approaches. MMS can also provide a systematic approach to managing an organisation’s security needs. The services may be conducted by a specialist inhouse team or outsourced to a service provider that oversees several companies’ network and information systems security. “Even those organisations that can afford ample inhouse security expertise may not be getting the return on investment (ROI) that they anticipate,” says Jef Gielkens, EMEA alliance manager for ISS. “Highly paid IT employees spend their shifts watching management consoles instead of strategically planning ways to improve security posture. Allowing a third party to handle day-to-day security monitoring and management gives organisations an opportunity to reallocate inhouse resources to more strategic initiatives,” he adds. As security technologies and best practices change rapidly to keep pace with the escalation of threats and vulnerabilities facing businesses, many IT professionals are lacking the skill sets necessary to perform all the essential security functions within an organisation. A report by IDC states that even though the number of certified security professionals is growing year over year, the demand for these professionals is currently exceeding the supply. The range of services offered by MSSPs varies in their ability to meet an individual organisation’s security requirements. Availability and confidentiality must be key considerations for any business assessing the viability of this service, as is the integrity of information assets critical to the organisation’s mission. It is therefore vital that a company specifies its security requirements in detail and demands candidate MSSPs to demonstrate their ability to meet them, both as part of evaluation and selection and while providing ongoing services. “An organisation needs to understand the level of information security risk in outsourcing any managed security service when they make the request for proposal (RFP),” says Abdul Karim Riyaz, business technologist for Computer Associates (CA). “The costs to establish, operate and manage MSSP service delivery should not exceed the anticipated benefits.” The cost of setting up MSS and monitoring security on a single network is difficult to calculate because the service is dependent on the client’s infrastructure, topology, components and service level. The example provided by Ayman Esmat, chief technology advisor at ISS Middle East, suggests that leveraging a managed protection provider yields a 55% saving over inhouse security. “If we assume managing an infrastructure that has 12 high availability firewalls and six intrusion detection systems (IDS), engines would cost around US$37,671 monthly which translates to US$452,051 annually,” Esmat explains. “We could then factor in, for instance, ten full-time security staff providing 24/7 365-day coverage, managing the firewalls and IDS engines, attending two training classes per year, 20% employee turnover, equipment costs allocated over three years and a maintenance cost of 15% of total equipment cost. Thus, the incurred cost for inhouse security management will be US$82,592 monthly; this adds up to US$995,102 annually,” he continues. The benefits of working with a reputable and competent MSSP can potentially be far superior to anything an organisation can achieve on its own. The service provider is in a position to spread the investment on analysts, hardware, software and facilities across several clients, which reduces the per client cost. “The customer can convert the variable costs of performing the security management inhouse to the fixed costs of services. The service also means that the customer is not depreciating internal assets and it can experience cash flow improvements resulting from the transfer of software licenses and personnel to the MSSP,” Riyaz says. ||**||Contracts|~||~||~|Signing a contract with a managed security service provider also provides an enterprise with greater freedom than if it were to invest in the infrastructure itself. Security concerns are also taken away from a CIO, and should issues of underperformance occur, there is the autonomy for businesses to terminate the contract with the MSSP and move to another provider. However, unless there are serious breaches, most companies cannot afford to write off their investment in security systems and start over. Justin Doo, managing director of Trend Micro Middle East and Africa, believes the potential benefit of outsourcing, rather than the possible cost reductions, is likely to prove more of a driver to businesses in this region. “Dubai has a very competitive cost base when it comes to recruiting, which to some extent would negate the value of outsourcing here. It is more likely that companies would see greater operational benefits,” he says. “This is a completely different way of doing business and with the growing move within businesses both here [Middle East] and internationally to focus on their core competencies, MSS can help toward these types of objectives.” An inhouse IT staff that deals with security issues on a part-time basis or looks after a limited number of security incidents, will not be as competent as someone who manages security across several different clients and creates a wide range of solutions. Security vendors claim that for businesses with limited resources, utilising MSS can bridge the lack of monitoring expertise for companies that cannot manage their security devices effectively. MSSPs have insight into security situations that is based on extensive experience, dealing with hundreds of potentially threatening situations every day. “As viruses become more virulent, technologies and procedures are becoming increasingly complex. To analyse and react to new updates as fast as physically possible a lot of effort is needed. It takes up to 20 people 24 hours a day, seven days a week to monitor for new virus outbreaks,” says Eugene Kaspersky, founder & head of anti-virus research at Kaspersky Lab. “Not many companies have the capacity to do that.” A typical virus detection device managed by Symantec, for example, can receive approximately 9.5 million alerts in a month and reduce this to 1500 events that could potentially present a danger. These events are then forwarded to analysts based at various SOCs. These state-of-the-art infrastructures, managed by trained personnel, typically narrow the alerts down to approximately 350 actual attacks, with an average of three severe incidents. Saudi Telecom (STC) was relatively forward thinking when it embarked on an MSS project by joining forces with Ubizen in June 2002, contracting the provider to establish a security operations centre and train its personnel. The facility, which went live in early March 2003, is based on Ubizen’s operation centre standards, and OnlineGuardian technology manages over 600 devices on the network, ranging from firewalls to policy management probes, authentication servers and network intrusion probes. “Saudi Telecom is continually working to build effective relations with its customers. Part of our responsibility is to ensure that our customers’ personal information is secure. [The project was] based on the best and latest technology available, ensuring our customers receive accessible and efficient service with the security they need,” says Sami Mulla, IT security general manager at STC. Since the implementation, Ubizen has continued to provide the operator with security operations, expert services and security intelligence lab services, ensuring that STC’s security devices remain up-to-date. ||**||Local fears|~||~||~|Despite the persuasive arguments in favour of the adoption of MSS, customer insecurity still inhibits the market, particularly in the Middle East where the market is still at an embryonic stage, with only a small number of hosting firms, internet service providers (ISPs) and selected vendors offering outsourced security services. Such reservations are not entirely unfounded as the offering is not risk-free. In deciding to work with a security service provider, an organisation needs to treat the venture as a risk sharing decision. Regardless of the extent of the third party’s role, the client remains responsible for managing and responding to manifested risks. Even though confidentiality agreements and contracts with MSSPs entail strict and detailed service level agreements (SLAs) and independent auditors monitor supplier performance, trust is the key issue. Enterprises in the region have high regard for confidentiality of their information. MSSPs will have access to sensitive client information and details about the client’s security posture and vulnerabilities. Intentional or accidental release of such information can be extremely damaging to the client; hence the main stumbling block for the uptake of MSS. Furthermore, the shared operational environment used by the majority of MSSPs to serve multiple clients can pose more risks than an inhouse environment. Enterprises are not comfortable using third-party IT infrastructure that is being shared by other organisations. “Sharing a data transmission capability such as a common network, or a processing environment such as a general purpose server, across multiple clients could hypothetically increase the chances of one organisation having access to the sensitive information of another,” says Jamie Bliss, software sales manager for Sun Microsystems in the Middle East & North Africa. ||**||Lack of demand|~||~||~|The lack of demand for such services is diminished further because most local enterprises have reservations about handing over their critical systems to foreign companies. In a bid to overcome the reluctance of regional players to trust a foreign MSS vendor, outsourcing providers are keen to form partnerships with local companies. One example of this is the Symantec and Information Management Technologies (IMT) joint venture in Saudi Arabia. The Saudi company fronts the operation while drawing on Symantec’s worldwide network of SOCs to provide early warning against any potential threat to enterprises. However, one of the greatest risks to an enterprise embarking upon a third-party relationship, comes from inadequate planning, lack of communication and the review process between the provider and the client. “Like any business relationship, MSS partnerships can fail at any stage — they require attention, care and diligence,” says Riyaz. “An organisation needs to take account of a great many factors in its decision-making processes before engaging a service provider. There are some costs associated with giving up control of critical assets and security technologies. A business may lose out on the experience, knowledge and skill development that would ordinarily be associated with managing security system itself,” he adds. This raises an important point of consideration for potential MSS subscribers. Prior to handing over the keys of its data castle to a third party, a company must develop legitimate contingency plans and ensure that it will still have appropriate resources to implement them should the MSS provider go out of business, deliver poorly or becomes more expensive. “Many vendors have a hidden agenda about how they perceive the ideal customer relationship. They structure their professional relationships to achieve this business goal. For some, the priority is not the vendor’s role in enabling customer success, but rather they build a velvet cage to lock-in customers,” says Bliss. “While outsourcing works for some end user companies, others fear the associated loss of control and high exit barriers,” he adds. Ultimately, security management and monitoring services may be able to offer customers the opportunity to focus on their core competencies. Enable them to lower the total cost of ownership (TCO) of their security systems and allow them to rest assured that experts manage their networks. However, Gulf countries have a long way to go in the MSS space. “MSS is still seeing low adoption in the Middle East. This is purely due to the nature of the market,” says Heini Booysen, software programme manager at IDC Middle East & Africa. “Indeed, businesses here [the Middle East] are very hesitant to outsource even a normal IT infrastructure, to say nothing of the very sensitive IT field of security,” he adds. ||**||

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code