Managed Security Services, a new trend.
We live in the so-called Age of Knowledge; however, the important intellectual evolution this implies does not mean we have been able to build a more functional and safer environment. The competition for knowledge in every field, and above all in business, generates more complex and unpredictable relationships day by day.
Technology has expanded our possibilities to unexpected boundaries; however, we shut ourselves into ever smaller spaces each day, saturated with bolts, alarms, grilles and cameras, trying to resist fear and fight insecurity by these means.
And what happens in the virtual world, this universe that we only perceive when we are connected to the web?
Nowadays, an average of twenty new vulnerabilities (firmware, operating systems, middleware, applications, ERPs, DBs, etc.) are discovered per month. In most cases, the software is put into production when it hardly exceeds alpha-version quality. Vulnerabilities are spread widely on websites, beyond the time it takes software suppliers to release the patches/tweaks. Additionally, crackers have grouped themselves worldwide to share information and coordinate attacks.
Knowing the risks of insecurity on the web is a very important step, but being aware of our own vulnerabilities and limitations is vital.
Insecurity generates concrete and direct losses, like the theft of ideas, which have a negative impact on productivity, and it causes serious consequences through crashes, contributing to suspicion from clients. Even more seriously, in some cases it involves the company in legal problems.
Part of the problem is that the real impact of an attack or deliberate intrusion is not discerned immediately, and this causes the event to be perceived less seriously than it should be.
Sometimes, responsibility for security on the Internet is given to company personnel, with the limitations that this implies: lack of guidelines, inappropriate technology, limited information, minimal resources and, in many cases, no authorization.
In other cases, the control of security rests solely on a firewall, in the belief that its presence is enough to solve this complex and changeable problem. But, because of its static protection configuration, the firewall is a technological component that does not make the system invulnerable; what is more, it is part of the problem, since it lets in intruders who attack the Internet-facing servers without leaving a trace.
Why think about outsourcing security management?
As the strategic importance of applications and Internet access grows, so does the risk of security exposure. The applications and the information that help to carry on the business are too important to be left vulnerable to external threats 24 hours a day. The potential damage is great:
• More systems and applications on public networks: Economic pressure and globalization lead companies to introduce the Internet into more areas of their business models, such as customer service, e-commerce and intranets.
• More vulnerabilities: New attacks by crackers, spies and vandals are reported frequently; they continuously develop new methods to break into networks and servers. The information the company holds can be altered irreversibly. These alterations, at least in the short term, are not always detected by the company.
• Information theft: Even more difficult to discover. Someone can invade the system, copy critical information and discover company secrets.
• Data loss: The company can lose information irreversibly, whether it notices or not.
• Unplanned downtime: Competitors and crackers can shut down the systems, causing the suspension of operations, above all in important processes or on dates with heavier processing loads.
• Financial loss/Reputation: The time and energy demanded by detecting failures in the system may mean unplanned expenses, a decrease in productivity, an impact on staff morale and, sometimes, loss of money, time, products, reputation and, in some cases, even lives.
Only an integral and holistic vision can minimize security risk. For this, we need to conceive of security as a continuous and holistic process and not as a product or one-time solution.
The Model of the Managed Security Service Providers (MSSPs)
In order to minimize security risks on the Internet, a set of specialized, expert professional services that turn protection into a continuous and dynamic process is essential. Information security is not only a technological problem; it extends to the capability and integrity of people and the efficiency of processes.
Companies have generally avoided outsourcing because of its complexity and a supposed implicit risk of loss of control and diluted responsibilities. However, the pressure to decrease costs and improve processes, along with a new outsourcing model, indicates there are new factors to be considered and a growing tendency toward change.
The security services commonly outsourced under the MSSP model are:
• Management of firewalls, IDSs and VPNs
• Monitoring of perimeter security
• Log and Incident management, forensic analysis
• Vulnerability assessments and penetration testing
• Antivirus and content filtering
• Information Protection
• On-site consulting
The MSSP model offers new alternatives to satisfy specific needs. Instead of forcing companies to decide on total outsourcing, the MSSP offers a decision based on complementary roles and shared responsibilities. In this way, the company and the MSSP have well-defined roles, letting the company make good use of the real value of outsourcing and keep control of IT.
The MSSP acts as a supplier of detailed management information and technical recommendations. The company becomes a consumer of this flow of information and keeps control of its own structure and applications. Companies use the recommendations provided by the MSSP to change and adjust the IT infrastructure, with the aim of maintaining availability and the desired levels of quality.
In this way, the company keeps control of its own resources, while it uses the MSSP's expertise to assist it in daily operations and also in strategic management operations. The company provides access to its data using a secure connection through its firewall. It can also provide physical space and network access for the connection of an MSSP system or appliance.
Market and technology advances force the MSSP to train its human resources continuously and to acquire the best control and management tools. Under this model, the company has the advantage of using high-level services/solutions without needing to develop them in-house or buy them at high prices. Likewise, it can free personnel to focus on strategic activities; with outsourcing, IT departments can focus on the applications and systems that are important for the business and that add strategic value to the company's operations.
At the same time, as security personnel are among the most sought-after in the industry, most organizations do not have in-house experts in the field of security. Finding the suitable person, defining his or her role, dealing with consulting agencies and with the staff in the company, and paying him or her a salary is just part of the challenge. Security can be put at risk when the experts leave the company. Besides, security on the Internet can be an exhausting task, making the work of the staff much more difficult. Experts are needed to monitor the network, assess potential threats and respond to attacks 24/7.
Disadvantages of the MSSP model
As with any outsourcing, trust is a key issue, essential for suitable coexistence between the parties. Contracts, NDAs (Non-Disclosure Agreements) and SLAs (Service Level Agreements) should give a conceptual framework to the relationship, bearing in mind that there will always be gray areas or new situations that require revisions and additions to them as appendices. Inflexible contracts or a lack of trust, in an environment where complexity and change are the constant feature, are not the best choice.
Another point to take into consideration is, naturally, that the MSSP model creates a kind of dependence between the company and the MSSP, since there are processes or parts of processes that are mixed or shared, and there is also infrastructure shared with other clients.
Conclusion
The key issue for any company, where the security of information is more and more critical each day, is to consider when outsourcing to an MSSP is really necessary. The decision should not be complicated; it is only necessary to answer two questions:
1) Is the security function/service I am considering outsourcing strategic for the company?
2) Is the function I am considering the key business of my company (a core competency)?
If the answer to any of these questions is negative, the alternative of outsourcing is highly viable and, in many cases, advisable.
The world is changing, driven by the new business models based on the Internet, communications and computer science. It is up to corporations and SMEs to decide to focus on their strategic businesses and outsource the operating functions that delay continuous adaptation in a world that is advancing more and more quickly.
Federico Seineldin
Openware

