Security management at a higher level

The "we-do-it-all-for-you" trend among security providers sounds like a dream come true when looking for security assurances. But are the claims certifiable?
Posted September 19, 2000

Martin Goslar

It was no surprise to hear Brian Snow, the senior technical director of the National Security Agency's Information Systems Security Organization, tell an audience of security tool developers that a lot of the products they make are an "attractive nuisance."

Snow made these comments during a presentation to developers attending the July 2000 "sophisticated" hacker briefings included in the DEFCON 8 security conference in Las Vegas. His statement underscores the confounding and seemingly hopeless information and communication technology (ICT) security development efforts as more vendors come online touting proprietary solutions. Once viewed as a low-budget nuisance by corporate America, ICT security now has become the next icon of corporate survival.

Propelling this mushrooming growth in security protection development are new ICT earning potentials. Market researcher International Data Corporation (IDC) projects the security market for managed security services to grow to $2.24 billion by 2003 from $512 million in 1998. IDC also expects the market for content security to grow from $66 million in 1999 to $952 million by 2004. Another market research firm, Frost & Sullivan, values the 1999 European Internet security marketplace at $489.9 million, and predicts it will reach $2.74 billion by 2006.

ASP then, MSP now

Application service providers (ASPs) arrived on the Internet scene less than two years ago, promising several advantages over traditional software development/acquisition cycles. ASP benefits, such as rent vs. buy and installation and update savings, were touted.

ASPs provide the applications and IT infrastructures to service subscribers. Potential corporate benefits include substantial reduction in security software costs, decreases in resources required to continually update security capabilities and knowledge, and lower staffing growth for security-related duties. ASPs can also accomplish the challenge of incorporating proprietary security applications into an integrated security shield.

But as the Internet evolves, complexity and specialization continue to complicate straightforward ASP security solutions. Some ASPs are full-service firms, while others partner with organizations that contribute missing components and capabilities, such as encryption and public key infrastructure (PKI).

In response, a new form of ASP is budding in the ICT protection arena: managed services providers (MSPs). Rather than offering traditional application access, security MSPs supply both security technologies and the management of it all to assure optimal protection 24x7.

These MSP providers are so new to the online security market that security services should be outsourced incrementally, service-by-service. MSPs can be evaluated more easily in a step-by-step relationship, and control and protection pressures can be more adequately managed internally. The "all-or-nothing" approach sounds easy but too often ends in disaster.

Can security MSPs become bulwarks of protection to the nonsecurity ASP services sector and to corporations seeking reprieve from ICT assault? To help you make the first MSP cut, ask yourself the following questions:

  • What are the dividing lines between your security responsibilities and those of the security MSP?

  • How can you validate the MSP's security services (e.g., online reports including incident, incident response, and downtime)?

  • Does billing reflect security protection performance instead of services time periods?

  • What staff savings can security outsourcing accomplish?

  • How does the MSP manage data backup and disaster recovery?

Four major issues are central to developing effective relationships with security MSPs:

  • Capability--Your company must be able to efficiently outsource certain security functions and closely oversee MSP security services on an ongoing basis.

  • Competence--The MSP must have the skills to maintain information assurance, infrastructure protection, and telecommunication oversight.

  • Trust--Trust is a must for the security MSP to gain and maintain clients. Longevity, integrity, growth, capitalization, reputation and internal security all build the foundation for adequate credentials.

  • Responsiveness--Considering that corporate survival is at the core of these services, MSP staff responsiveness, in addition to technology excellence, is mandatory.

Who's out there? The early MSP entrants

Front-runners in the new security MSP space are touting their services. Unfortunately, services at this stage aren't comparable and offer overlapping or narrowly targeted options. Here's a brief overview of some of today's participants:

One of the new MSPs offering partial through end-to-end security services is presents a flexible mix of human value-added services (e.g., centralized management and monitoring) with online, real-time security technology to match small to mid-sized corporate needs. A subsidiary of Network Associates Inc. since January 2000, this startup has access to the expertise and research development inherent in this lineage. Once its service models gain experience and fine-tuning, could scale to high volume integrated security services for large organizations. While capability requirements may be less an issue since can assist with security infrastructure evaluation via technology and services consultation, competence and trust are primarily via the parent relationships. Time will tell if this fledgling can fly using its own wings.

Ernst & Young's June 2000 e-security venture, called eSecurityOnline LLC, offers what initially appears to be a unique entrant in an exploding e-security services industry. At its heart, eSecurityOnline's current ASP services focus on corporate infrastructure vulnerability analysis. Interestingly, its online vulnerability service amounts to back-end checking of front-end e-security decisions--plus online maintenance assurance. More services are around the corner. With trust as a competitive advantage via parent relationships, this start-up is already in second gear. Let's not forget the eyes and ears of more than 1,200 Ernst & Young IT and security consultants touting eSecurityOnline's developing services to clients worldwide.

Another recent entry to the MSP market is RIPTech Inc., headquartered in Alexandria, Va. The company's eSentry system is based on its principal competitive advantage: client-specific databases collecting integrated security data for real-time device monitoring and security analysis.

In this new MSP industry where revenue flows if security services produce protection and client savings, it's clear we're seeing budding business models in what previously has been a technology-intensive field. And, quite frankly, focused market strategy implemented with solid service delivery is what's mandatory in this market.

I'll be following this trend. Be sure to check back for more details and MSP developments.

Dr. Martin Goslar is principal analyst and managing partner of E-PHD.COM, an e-security research and analysis firm. He is also on the editorial board of the International Journal of Electronic Commerce and can be reached at Comments@E-PHD.COM.
