Is outsourcing your security the best option?
Andrew Collins takes a quick look at the pros and cons of cloud-based hosted security solutions.
To say that outsourcing has become a trend would be an understatement of ridiculous proportions. More and more IT departments are looking to shave costs and labour by getting someone else to do the heavy lifting.
IT security is no exception. Security engineers and administrators are not cheap, and when you’re looking at bringing on new staff to handle your fancy new security appliance, outsourcing these responsibilities seems like a grand proposition.
Cloud-based services have emerged as another option to outsource this labour. Not content to offer mere communication and storage tools from the cloud, service providers are now adding tools like antivirus, mail filtering and data loss prevention to their hosted portfolios.
Typically, a hosted security service is one offered from a remote location - i.e., the cloud. So instead of being connected directly to the public internet, your company’s data is routed through a service provider’s server located in a remote data centre. There, incoming traffic is subjected to tests like anti-malware or anti-spam checks and then passed on to your network, while your outgoing traffic may be checked for credit card details or data you’ve previously denoted as being too important to be leaked - all depending, of course, on what services you’re paying for.
There are several advantages to this type of service, not the least of which is around-the-clock protection.
“Most businesses and organisations we deal with have difficulty maintaining a 24/7 security operation capability,” says Peter Sparkes, Senior Manager of Managed Services, APJ, Symantec.
This is due in no small part to staffing issues.
“Finding very good security people is very difficult, particularly people who wish to work shift hours,” he says.
Your security staff might grumble about being woken at 4 am on a Sunday to deal with a virus outbreak, but a good service provider will have staff on hand for such an occurrence.
The pricing structure for these services usually takes the form of an OPEX model. There’s often a small up-front set-up fee, but the majority of the cost resides in the monthly or yearly fees you pay the service provider. These fees are based on the specific services you require and the number of users for which you require them.
Clearswift, a web and email filtering vendor, recently added a set of hosted services to its existing range of premises-based security products. Service providers can now deploy Clearswift gateways within their own data centres, and lease the use of them to customers in the form of a hosted service with a monthly fee. Previously, providers only had the option of deploying the gateways within customers’ premises, and charging an accompanying up-front fee.
The company’s Managing Director, Peter Croft, says organisations typically have diverse security environments full of different items from multiple vendors, each of which requires different skills to manage.
“You either have to get someone who can do all of that, or you've got to get lots of guys to manage your IT infrastructure,” Croft says. “It's not inexpensive to employ people and then account for their presence in your building with seating and accommodation costs.”
Despite the benefits of these services, there are worries about how secure they are. Some customers doubt the security of cloud services in general - to suggest that security itself should be placed in the cloud is almost heresy to them.
Croft explains that there are government certifications for data centre security, which address issues like certification of data centre staff, the physical location of the facility, what’s done to secure the data while it’s stored, retention policies, and so on.
So when you’re investigating service providers, check out their data centre certifications.
“If there's a hosting service out there that looks really, really, really cheap, there might be a reason for that,” Croft says. “It could come down to whether or not all the relevant security technologies have been deployed to make it safe.”
In order to overcome user reticence, cloud-based services are usually accompanied by service level agreements (SLAs). These are guarantees from the provider about things like minimum uptime, the percentage of false positives allowed by antivirus, latency caused by the service and so on. If the provider breaks the SLA, the customer is often entitled to some kind of compensation, which may be monetary or something else entirely.
Australian analyst firm IBRS reckons that cloud-based security services are a good fit for small and medium-sized businesses, which typically haven’t got the budget for specialised security experts.
In his research note, 'Internal IT security people; are they worth it?', analyst James Turner says: “... security engineers are expensive and only do security - they are an expensive, narrowly focused, resource. Combined with the overhead costs of retaining extra headcount, the cost of retaining dedicated security people is not justifiable for the SMB market.”
SMBs should therefore embrace cloud-based security services, Turner says.
And according to Sparkes, the hosted service model is also appropriate if you’re looking for a very specific solution - such as anti-spam - that either you don’t want to build in-house, or is just easier to get through the cloud.
*Andrew Collins is a freelance writer.