What To Look For In A Managed Security Provider - Page 3
Breadth of Services
Last fall, Dave Piscitello and I surveyed the MSP landscape in an article published by ISP-Planet. We found that most managed security services today fall into two categories: managed firewalls and managed VPNs.
Managed firewall services enforce perimeter security for your enterprise network, often via centrally managed CPE firewalls (e.g., Check Point, WatchGuard). Managed VPN services create tunnels between enterprise sites and/or provide secure remote access, using a combination of CPE hardware and software. Most MSPs provide these as discretely packaged services. Some base several services on a common platform; others use several platforms. Ask your MSP why it chose the platform(s) that it uses, and be wary of proprietary protocols or unusual gear.
Many MSPs sell added-value security services like intrusion detection, URL or active content filtering, and email or web anti-virus scanning. These are typically sold "a la carte", as software bolted onto your CPE firewall. Occasionally, such services can be found on their own (e.g., AT&T's Managed Intrusion Detection Service). Added-value services may be convenient, but usually won't top your list of reasons for choosing an MSP.
On the other hand, if what you really need is secure email or web hosting, skip the managed VPN and look for an MSP/ASP that provides secure application services, located in a secure data center.
In this column, I focus on managed firewall/VPN providers, but they aren't the only game in town.
Service Reach and Flexibility
Look for an MSP that offers what you need today, but ask about migration for services you expect to need in the future. If you buy a managed firewall service today, will you need an additional or different platform to add secure remote access? Does the MSP offer integrated provisioning, monitoring, and billing that encompasses every service you've purchased? Make sure your MSP lets you leverage your investment in multiple services. You may not own the CPE, but you still want a cohesive solution that efficiently implements your security policy.
When managed security services are sold by network access providers, it is easy to overlook the obvious: are you purchasing a service that's ISP-dependent? If so, is that acceptable? Consider roaming users who require national or international access. Where are your MSP's points-of-presence? Has your MSP joined a roaming alliance like GRIC or iPass? Can your managed site-to-site VPN include international branch offices? What is the impact of doing so on cost and performance?
Drill down to uncover integration issues. What authentication methods are supported, and can they be integrated with your own user database or authentication server? What constraints are imposed on IP addressing, and will you be required to renumber? Ideally, you'd like a managed service that adapts to your business, not one that requires you to adapt to it.