What To Look For In A Managed Security Provider

By Lisa Phifer | Jun 21, 2001 | Print this Page
http://www.enterprisenetworkingplanet.com/netsecur/article.php/789001/What-To-Look-For-In-A-Managed-Security-Provider.htm

Courtesy of ISP-Planet and The Internet Security Conference Insight Newsletter

Economic and resourcing factors are fostering rampant growth in outsourced network and application service markets. At the same time, burgeoning business use of the Internet has greatly increased both enterprise security risk and awareness. These industry trends have combined to create an explosive managed security services market. According to IDC, the worldwide market for security services, growing 34% annually, will exceed $2B by 2003.

This bumper crop of emerging Managed Security Providers (MSPs) offer a bevy of services, ranging from managed firewalls to virtual private networks to secure Internet applications. Selecting a managed security provider to protect your enterprise's assets can be a daunting task. Many of these services sound (at least superficially) similar: a provider-managed solution, installed at the edge of your network, with 24x7x365 monitoring by security experts. To understand what each MSP has to offer, you'll need to dig deeper.

Security Expertise
Why do companies outsource security in the first place? Forrester Research put it this way: "Because you don't give receptionists AK47s." Enterprises expect MSPs to provide top-notch security expertise with depth that just isn't available -- or affordable -- in-house.

Ask for a client list and check references: Does the MSP have a successful history of dealing with companies like your own? Ask about NOC staff qualifications: does the MSP hire employees who are certified to manage the solutions they sell? Do they conduct background checks? Ask about broad, diverse skill sets: Can the MSP train your IT staff, can it help you develop your incident preparedness plan, can it provide forensic investigation? Don't blindly assume that anyone who can spell "managed firewall" is a security expert.

Policy Development and Refinement
Before outsourcing security, identify the resources you need to protect and who should be granted access to them. Once you've taken this step, ask prospective MSPs to help you design a security policy and develop a deployment plan. Many MSPs will conduct a vulnerability assessment to help you locate unprotected resources and spotlight security risks.

Your chosen MSP will design, install, and configure hardware and/or software solutions that implement your security plan. During deployment, your MSP may also help you harden your servers and bring your staff up to speed on incident preparedness. Ask the MSP to conduct tests to prove the installed solution is really enforcing your security policy. Don't forget to test "inside-out", tightening policies to reduce your exposure should an inside host be compromised.

Good MSPs will repeat vulnerability assessment and review your security policy on a regular basis. Designing an effective security policy is not a "once and done" deal; it requires on-going partnership between you and your MSP.

Courtesy of ISP-Planet and The Internet Security Conference Insight Newsletter

Economic and resourcing factors are fostering rampant growth in outsourced network and application service markets. At the same time, burgeoning business use of the Internet has greatly increased both enterprise security risk and awareness. These industry trends have combined to create an explosive managed security services market. According to IDC, the worldwide market for security services, growing 34% annually, will exceed $2B by 2003.

This bumper crop of emerging Managed Security Providers (MSPs) offer a bevy of services, ranging from managed firewalls to virtual private networks to secure Internet applications. Selecting a managed security provider to protect your enterprise's assets can be a daunting task. Many of these services sound (at least superficially) similar: a provider-managed solution, installed at the edge of your network, with 24x7x365 monitoring by security experts. To understand what each MSP has to offer, you'll need to dig deeper.

Security Expertise
Why do companies outsource security in the first place? Forrester Research put it this way: "Because you don't give receptionists AK47s." Enterprises expect MSPs to provide top-notch security expertise with depth that just isn't available -- or affordable -- in-house.

Ask for a client list and check references: Does the MSP have a successful history of dealing with companies like your own? Ask about NOC staff qualifications: does the MSP hire employees who are certified to manage the solutions they sell? Do they conduct background checks? Ask about broad, diverse skill sets: Can the MSP train your IT staff, can it help you develop your incident preparedness plan, can it provide forensic investigation? Don't blindly assume that anyone who can spell "managed firewall" is a security expert.

Policy Development and Refinement
Before outsourcing security, identify the resources you need to protect and who should be granted access to them. Once you've taken this step, ask prospective MSPs to help you design a security policy and develop a deployment plan. Many MSPs will conduct a vulnerability assessment to help you locate unprotected resources and spotlight security risks.

Your chosen MSP will design, install, and configure hardware and/or software solutions that implement your security plan. During deployment, your MSP may also help you harden your servers and bring your staff up to speed on incident preparedness. Ask the MSP to conduct tests to prove the installed solution is really enforcing your security policy. Don't forget to test "inside-out", tightening policies to reduce your exposure should an inside host be compromised.

Good MSPs will repeat vulnerability assessment and review your security policy on a regular basis. Designing an effective security policy is not a "once and done" deal; it requires on-going partnership between you and your MSP.

Breadth of Services
Last fall, Dave Piscitello and I surveyed the MSP landscape in an article published by ISP-Planet. We found that most managed security services today fall into two categories: managed firewalls and managed VPNs.

Managed firewall services enforce perimeter security for your enterprise network, often via centrally-managed CPE firewalls (e.g., CheckPoint, WatchGuard). Managed VPN services create tunnels between enterprise sites and/or provide secure remote access, using a combination of CPE hardware and software. Most MSPs provide these as discretely-packaged services. Some base several services on a common platform; others use several platforms. Ask your MSP why it chose the platform(s) that it uses, and be wary of proprietary protocols or unusual gear.

Many MSPs sell added-value security services like intrusion detection, URL or active content filtering, email or web anti-virus scanning. These are typically sold "a la carte", as software bolted onto your CPE firewall. Occasionally, such services can be found on their own (e.g., AT&T's Managed Intrusion Detection Service). Added-value services may be convenient, but usually won't top your list of reasons for choosing an MSP.

On the other hand, if what you really need is secure email or web hosting, skip the managed VPN and look for an MSP/ASP that provides secure application services, located in a secure data center.

In this column, I focus on managed firewall/VPN providers, but they aren't the only game in town.

Service Reach and Flexibility
Look for an MSP who offers what you need today, but ask about migration for services you expect to need in the future. If you buy a managed firewall service today, will you need an additional or different platform to add secure remote access? Does the MSP offer integrated provisioning, monitoring, and billing that encompasses every service you've purchased? Make sure your MSP lets you leverage your investment in multiple services. You may not own the CPE, but you still want a cohesive solution that efficiently implements your security policy.

When managed security services are sold by network access providers, it is easy to overlook the obvious: are you purchasing a service that's ISP-dependent? If so, is that acceptable? Consider roaming users that require national or international access. Where are your MSP's points-of-presence? Has your MSP joined a roaming alliance like GRIC or IPass? Can your managed site-to-site VPN include international branch offices? What is the impact of doing so on cost and performance?

Drill down to uncover integration issues. What authentication methods are supported, and can they be integrated with your own user database or authentication server? What constraints are imposed on IP addressing, and will you be required to renumber? Ideally, you'd like a managed service that adapts to your business, not one that requires you to adapt to it.

Security-Readiness of Your Provider's Own Network
One can think of an MSP as a highly-specialized Application Service Provider (ASP). As such, you should expect an MSP to employ the same--or better--in-house security practices you'd expect from any ASP. Ian Poynter and Dianna Kelley offered excellent advice on this topic in their Insight column, "Ten Things To Ask Your ASP". Among the questions they recommend asking: Is your ASP's facility physically secure? Has the ASP's architecture and code been independently reviewed? What is the ASP's disaster recovery plan? How does the ASP safeguard your information from other customers and its own employees? Make sure that, while your MSP is guarding customer networks, it doesn't leave a NOC "back door" open to attack.

Conclusion
Fortune 500 companies who already outsource IT operations may look to these existing outsourcers for integrated network security services. Similarly, business-grade network service providers like Sprint and MCI/WorldCom may be the first place their subscribers will look to "add" outsourced security. But, as a Forrester Research brief suggests, companies should also consider MSPs like ISS eServices that specialize in security: "Look to suppliers that have a strong track record [and] live or die on the business." Finding the right MSP isn't simple, but knowing what questions to ask can help get you started.