What To Look For In A Managed Security Provider
There has been a bumper crop of Managed Security Providers of late. This guide to their services from the customer's point of view may help you decide what to buy -- and what to sell.
Courtesy of ISP-Planet and The Internet Security Conference Insight Newsletter
Economic and resourcing factors are fostering rampant growth in outsourced network and application service markets. At the same time, burgeoning business use of the Internet has greatly increased both enterprise security risk and awareness. These industry trends have combined to create an explosive managed security services market. According to IDC, the worldwide market for security services, growing 34% annually, will exceed $2B by 2003.
This bumper crop of emerging Managed Security Providers (MSPs) offers a bevy of services, ranging from managed firewalls to virtual private networks to secure Internet applications. Selecting a managed security provider to protect your enterprise's assets can be a daunting task. Many of these services sound (at least superficially) similar: a provider-managed solution, installed at the edge of your network, with 24x7x365 monitoring by security experts. To understand what each MSP has to offer, you'll need to dig deeper.
Why do companies outsource security in the first place? Forrester Research put it this way: "Because you don't give receptionists AK47s." Enterprises expect MSPs to provide top-notch security expertise with depth that just isn't available -- or affordable -- in-house.
Ask for a client list and check references: does the MSP have a successful history of dealing with companies like your own? Ask about NOC staff qualifications: does the MSP hire employees who are certified to manage the solutions they sell? Do they conduct background checks? Ask about broad, diverse skill sets: can the MSP train your IT staff, help you develop your incident preparedness plan, and provide forensic investigation? Don't blindly assume that anyone who can spell "managed firewall" is a security expert.
Policy Development and Refinement
Before outsourcing security, identify the resources you need to protect and who should be granted access to them. Once you've taken this step, ask prospective MSPs to help you design a security policy and develop a deployment plan. Many MSPs will conduct a vulnerability assessment to help you locate unprotected resources and spotlight security risks.
Your chosen MSP will design, install, and configure hardware and/or software solutions that implement your security plan. During deployment, your MSP may also help you harden your servers and bring your staff up to speed on incident preparedness. Ask the MSP to conduct tests to prove the installed solution is really enforcing your security policy. Don't forget to test "inside-out", tightening policies to reduce your exposure should an inside host be compromised.
Good MSPs will repeat the vulnerability assessment and review your security policy on a regular basis. Designing an effective security policy is not a "once and done" deal; it requires an ongoing partnership between you and your MSP.