IT security typically has been deemed one of those services best provided in-house. But the stigma attached to outsourcing security and Security as a Service -- namely that an outsider does not know your company well enough to protect it -- may be falling away, as businesses look for more ways to cut costs.
Certainly, some heavy-hitter providers believe attitudes are changing. This month, McAfee Inc. announced its new
Meanwhile, last April, IBM launched some hosted and managed services that it says help midsized businesses better manage risk and improve the security of their IT systems, all while offering cost savings over traditional products. Indeed, much of IBM's security strategy during the next 24 months will focus on moving security technologies into the cloud and expanding its managed services offerings, said Jason Hilling, an enterprise services business line executive with IBM Internet Security Systems. That includes providing some hosted implementations of technologies that once were located only at the customer premises.
"Because the economy is struggling, I think there will be enough excitement in the marketplace over the cost benefits of Security as a Service that we are going to see a much higher degree of willingness to look at it as a real viable option," Hilling said.
Hilling contended that a midmarket company with between 500 and 700 employees can realize costs savings from 35% to upwards of 60% by doing security as a managed service. Savings diminish as the deployment gets larger and more complicated, and the costs of managed services escalate.
Yet outsourcing security is not just about cost. The world is becoming very hostile, said Sadik Al-Abdulla, solutions manager of security at CDW Corp.
"We have seen a substantial uptick in security incidents over the last two quarters, and even the automated attacks are going after data," said Al-Abdulla, who oversees CDW's advanced security practice, which has a strong midmarket bent (typically for companies with 1,000 to 2,500 users). "Maybe I am biased because I am in the security business, but I honestly believe that a single person can't keep up. I think a team of people who only do security can. So the question for the CIO becomes, do I hire a team or a company? There are reasons to answer that question both ways."
A word about definitions: Like most IT monikers, Security as a Service takes various shapes. It can refer to a traditional managed services model, in which a company hires an outside provider to configure, manage and even maintain its security infrastructure. These services can be dispatched remotely using a connection over the Internet.
Another model, "in-the-cloud" services, allows a company to use security technologies that are not located on its premises. One such cloud service that has gained traction is email security: Companies point their email to a cloud-based provider for cleansing before it's delivered to the on-premise mail server. Web security is also catching on, as cloud-based providers have resolved latency issues. A third model, Security as a Utility, usually refers to an arrangement in which companies pay a monthly fee to lease security hardware for their premises and pay for the services to manage and maintain it.
To get a better sense of the IT security outsourcing space, we asked Hilling and Al-Abdulla to talk about the nuts and bolts of handing over security to an outside provider. Here is an edited version of their responses. (The interviews were conducted separately.)
How does the expense of managed security services compare with the salary of an
IT security expert?
Hilling: An organization that has, let's say, three reasonably sized intrusion prevention devices that they are looking for a managed service provider to manage and monitor for them, that is going to run you on average $1,200 to $1,500 per device, per month. So you're looking at around $3,700 a month times 12 months -- it is quite a savings over the cost of a fully loaded person. And one person is not going to be enough to monitor those devices. Technically, you are going to need a minimum of four people to run a shift 24/7. So, there is really significant savings to be realized.
The cost of a cloud solution is generally priced per user. Depending on volume, it ranges anywhere from a little under $1 to upwards of $3, $4, $5 and even $7 per user. The reason there is such a variance is because the price goes down very quickly with volume, and the price also goes up based on the number of features the customer chooses to consume for their users. In most all cases, you can build tangible ROI and TCO models that show positive gains vs. doing all of this in-house. What you're really doing is leveraging economies of scale of these providers.
Al-Abdulla: Some people view managed security as someone managing firewalls and intrusion prevention. Others view it as a larger question, including user provisioning and access control. The most typical definition is that managed perimeter, so firewalls plus intrusion prevention plus analysis of intrusion events. And in that case it is probably fairly equivalent to a single full-time security individual.
We charge by managed device with a premium if we are actually doing incident analysis and response. So, if the organization is large enough to have five Internet points of presence and five firewalls, we would price on a per-firewall basis, plus the additional premium if we are doing analysis of the security events.
What does a company need, going into Security as a Service? And how long does it take to get up and running? Hilling: In the cloud model, if you want to deploy email security you have your IT team update a single line within a text file on one of their DNS servers and the cloud service is turned on. … Once you make that change it only takes a matter of hours for that change to propagate across the entire Internet.
In response to emerging threats, cloud-based security services are an ideal way to be able to turn up security without having to worry about the hardware procurement, the configuration, testing, the deployment. Sometimes when a threat is around the corner, people don't have the time to wait.
Al-Abdulla: We have a firm belief that not all organizations are created [equal] and not all security needs are the same. So our approach to the customer is to start with an assessment of needs and vulnerabilities to bring both the organization up to speed on what needs to be addressed, [then] move from assessment into design and implementation, so getting them healthy in their security infrastructure. At that point the customer and CDW jointly make the decision about is this something the customer will continue to operate or transition management of to CDW.
So, what do they need to get into managed services?
Al-Abdulla: If you make the assumption that there is a freshly implemented, clean system that is performing as designed, how long does it take to spin off on managed services? It is really a couple of weeks, where you're getting all the monitoring platforms in place, all the contact strategy in place, the escalations, how does the customer want to be notified when an incident occurs, what level of responsibility are they taking on. … So it's a week to two weeks, but that is from the assumption that they have a fully stable, effectively configured perimeter. Getting to that point can vary wildly depending on where they are coming from.
What kind of human interaction do you get with Security as a Service?
Hilling: In all of the different models we have described there is absolutely a 24/7 support requirement, regardless of who is the provider of that service. In our managed security services group, we have eight security operation centers spread around the world … and all of those security operations centers work in tandem to provide unified support for our customer.
In the cloud-based services it is really a similar situation. The work that the individuals picking up the phone are doing is different, but having that broad global 24/7 is necessary for customers to feel comfortable that somebody is watching out for their environment.
Al-Abdulla: During the implementation of the managed services, both organizations agree to a certain level of change control and level of communications plan. Let's say an important code update comes out for the firewall and under the managed services agreement we are the ones responsible for being aware that that update is out there and making the decision that it should be applied. Customers are assigned a service account manager, and that person coordinates and quarterbacks all customer-initiated requests.
In most all cases, you can build tangible ROI and TCO models that show positive gains vs. doing all of this in-house.
Jason Hilling executive, IBM Internet Security Systems
The final case is incidents. What the customer is paying for as part of the managed service is for us to [perform] that first level of analysis … on those incidents. If an incidence occurs, we typically alert them immediately and we start the incident response procedure, which involves getting them information they need to understand what that incident is. That is about when what is covered under a managed services stops, and the incident response starts. Some organizations prefer to handle that in-house or engage another party for that. But one of the things they are able to access is our incident response team, should they want to work shoulder to shoulder with us.
And yes, they can always pick up the phone and get to somebody familiar with their environment 24/7.
The rap against Security as a Service is that it comes as one size fits all. Can it be
tailored to the particulars of a company?
Hilling: I think the tailoring piece is where there a little bit of a misconception in the marketplace, and the misconception is that when you outsource security you're getting what the provider tells you you're going to get, and that's it. In fact, that's really not the case, whether the provider is IBM or one of the other market leaders.
There is, in most cases, a broad spectrum of configurability and customization available. To give you some examples, we have a variety of different offerings, ranging from managing firewalls, monitoring intrusion detection and prevention devices to log and event management. All of those services are available in a variety of different service levels: standard, select and premium. The service levels help dictate how quickly things get done, how much interaction the customer has with the provider and the level of configurability and flexibility available for the various technologies that they have purchased.
Al-Abdulla: We do allow some flexibility in the managed services contracts. People want to draw the lines in different places for how much they do and how much we do. And yes, we do assign human beings to each and every one of these contracts to be the champion inside of CDW. This is a highly tailored and customized service.
Let us know what you think about the story; email Linda Tucci, Senior News Writer.
This was first published in February 2009