Outsourced Security: Consider it Carefully

November 10, 2000

Hosted security can ease IT headaches, although data protection remains a concern.

Demands on IT leaders to stay on top of the latest security products, while at the same time continuously upgrading staff expertise to handle security attacks, have brought MSPs (managed security providers) to the forefront. These service providers promise to ease the burden on enterprise security staff via outsourcing.

The number of companies offering managed security services has grown dramatically in the past few months, with everyone joining the fray. IDC estimates the managed security market will grow to $2.24 billion in 2003 from $512 million in 1998.

Making the decision to have an outside party manage -- and have privileged access to -- something as sacred as a company's stored data and business information is a course that must be followed carefully, says Don Ursem, vice president of network operations at VocalPoint, a San Francisco-based ASP (application service provider) that offers voice-enabled Web content.

"In my case, there was a lot of caution because I know certain providers advertise certain services, but it was pretty typical to hear horror stories," says Ursem, who evaluated seven MSPs before choosing Pleasanton, Calif.-based Intira. "You do not put your company's crown jewels in someone else's hands unless you checked all the boxes to make sure they have infrastructure levels to carry out this."

According to Ursem, VocalPoint chose Intira because it offers three key features: air-tight security in its data centers, an option for inserting additional controls into the VPN, and good cross-site synchronization.

"It's a lot more consistent if [security] is done in a data center 24/7 then if I go out and hire a security professional," Ursem says. "That is something we want to be able to present to our customers, because we want to build [their] comfort level."

Managed security providers have found prosperity in the dot-com market in particular due to the budget and staffing constraints that many start-ups must contend with. Bargain book site Allbooks4less.com, for example, is the poster child for outsourcing; its business infrastructure is based on an ASP model, according to the company's CEO, John Vogus.

Vogus says his Hauppaugh, N.Y.-based business needed a powerhouse vendor to protect his company against crippling threats it could never manage on its own.

"If someone steals a [shopper's] credit card, by law I'm only liable for $50. We take that seriously," says Vogus. "But ... if a hacker comes in or someone cracks into my server and overrides my site, my business stops. I shut down. That's disastrous."

MSPs offer an interesting solution, but the decision to go with outsourced security is not an easy one considering the variety of solutions a company has to choose from and the gravity of the problem.

Some companies, such as Counterpane, provide around-the-clock IDS (intrusion detection services), monitoring firewall and IDS logs for break-in attempts, and responding immediately when something is found. Other companies, such as RIPTech and Intira, will manage the entire security infrastructure of a company, from configuring and maintaining security devices to monitoring sites around the clock. The remaining offerings fall in the middle, with companies such as myCIO.com, NetSolve, and many others offering a combination of monitoring and assessment services.

You can find something for everyone, but it takes a bit of digging to find the best MSP to fit the criteria of your company. Before beginning the search, create a detailed description of your company's security needs. Are you simply looking for a monitoring solution? Do you also want assistance with configuration? Would you like periodic audits and assessments?

Once you have determined what services you will need from an MSP, research in detail the prospective companies. A few key items to focus on include service agreements, knowledge of staff, and liability if a break-in or problem occurs.

Managed security services offer great benefits to those companies willing to accept the risk that goes with handing the keys to the kingdom to a third party.