Outsourcing your security

By Andrew Collins
Tuesday, 11 May, 2010

Today, you have several options if you want someone else to take care of your IT security. Andrew Collins explores the pros and cons of each.

To say that outsourcing has become a trend would be an understatement of ridiculous proportions. Increasingly, more and more IT departments are looking to shave costs and labour by getting someone else to do the heavy lifting.

IT security is no exception. Security engineers and administrators are not cheap, and when you’re looking at bringing on new staff to handle your fancy new security appliance, outsourcing these responsibilities seems like a grand proposition.

More of us are doing it, too. Gartner’s last ‘MarketScope for Managed Security Services in Asia/Pacific’ report states that the average managed security service provider’s client base rose 19% from 2008 to 2009.

There are several options for outsourcing security - managed, hosted, in-the-cloud, mixed-model and so on - and while many people lump them all in together, they’re wrong to do so. Each option is distinct, with its own pros and cons, and should be evaluated as such.

To cloud

Cloud-based services - also known as hosted services - are the most recent of these options to emerge. Not content to offer mere communication and storage tools from the cloud, service providers are now adding tools like antivirus, mail filtering and data loss prevention to their hosted portfolios.

Typically, a hosted security service is one offered from a remote location - ie, the cloud. So, instead of being connected directly to the public internet, your company’s data is routed through a service provider’s server located in a remote data centre. There, incoming traffic is subjected to tests like anti-malware or anti-spam checks and then passed on to your network, while your outgoing traffic may be checked for credit card details or data you’ve previously denoted as being too important to be leaked - all depending, of course, on what services you’re paying for.

There are several advantages to this type of service, not the least of which is around-the-clock protection.

“Most businesses and organisations we deal with have difficulty maintaining a 24/7 security operation capability,” says Peter Sparkes, Senior Manager of Managed Services, APJ, Symantec.

This is due in no small part to staffing issues.

“Finding very good security people is very difficult, particularly people who wish to work shift hours,” he says.

Your security staff might grumble about being woken at 4 am on a Sunday to deal with a virus outbreak, but a good service provider will have staff on hand for such an occurrence.

The pricing structure for these services usually takes the form of an OPEX model. There’s often a small up-front set-up fee, but the majority of the cost resides in the monthly or yearly fees you pay the service provider. These fees are based on the specific services you require and the number of users for which you require them.

Clearswift, a web and email filtering vendor, recently added a set of hosted services to its existing range of premises-based security products. Service providers can now deploy Clearswift gateways within their own data centres, and lease the use of them to customers in the form of a hosted service with a monthly fee. Previously, providers only had the option of deploying the gateways within customers’ premises and charging an accompanying up-front fee.

The company’s Managing Director, Peter Croft, says organisations typically have diverse security environments full of different items from multiple vendors, each of which requires different skills to manage.

“You either have to get someone who can do all of that, or you’ve got to get lots of guys to manage your IT infrastructure,” Croft says. “It’s not inexpensive to employ people and then account for their presence in your building with seating and accommodation costs.”

Despite the benefits of these services, there are worries about how secure they are. Some customers doubt the security of cloud services in general - to suggest that security itself should be placed in the cloud is almost heresy to them.

Croft explains that there are government certifications for data centre security, which address issues like certification of data centre staff, the physical location of the facility, what’s done to secure the data while it’s stored, retention policies, and so on.

So when you’re investigating service providers, check out their data centre certifications.

“If there’s a hosting service out there that looks really, really, really cheap, there might be a reason for that,” Croft says. “It could come down to whether or not all the relevent security technologies have been deployed to make it safe.”

In order to overcome user reticence, cloud-based services are usually accompanied by service level agreements (SLAs). These are guarantees from the provider about things like minimum uptime, the percentage of false positives allowed by antivirus, latency caused by the service, and so on. If the provider breaks the SLA, the customer is often entitled to some kind of compensation, which may be monetary or something else entirely.

Australian analyst firm IBRS reckons that cloud-based security services are a good fit for SMBs, which typically haven’t got the budget for specialised security experts.

In his research note, ‘Internal IT security people; are they worth it?’, analyst James Turner says: “... security engineers are expensive and only do security - they are an expensive, narrowly focused resource. Combined with the overhead costs of retaining extra headcount, the cost of retaining dedicated security people is not justifiable for the SMB market.”

SMBs should therefore embrace cloud-based security services, Turner says.

And according to Sparkes, the hosted service model is also appropriate if you’re looking for a very specific solution - such as anti-spam - that either you don’t want to build in house, or is just easier to get through the cloud.

Or not to cloud

And while cloud-based security services are great for some organisations, they don’t suit everybody. Many are still best served by an in-house, on-premises security solution, and vendors realise this.

“Customers want choice,” Sparkes says. “Once you talk to the customer about their requirements, it becomes quite clear whether a cloud-based solution is best for them, or a product-based solution is best for them, or if a mix of the two is the ultimate solution.”

In particular, Sparkes recommends an in-house deployment when customisation of the service is a high priority.

Clearswift’s Croft says the decision depends on how advanced your virtualisation strategy is. If a customer has invested deeply in virtualising their storage and other functions, Clearswift will tend to recommend a virtual security appliance over a hosted service, so as to maximise the customer’s return on its virtual investment.

Stuck in the middle

But the decision to outsource isn’t a binary one - rather, hosted services and CPE-based solutions are just the two options at either end of a spectrum. There is a middle ground, and that middle ground is known as managed security.

In such a scenario, the security hardware or software resides within your own premises. But instead of employing your own staff to manage it, you pay a third party to handle configuration, monitoring, and so on. This may involve visits from the third party’s personnel, or it may be handled entirely remotely, depending on the specifics of your kit.

Typically a customer will purchase a security product from a service provider, who can then handle its operation for a periodic fee. But a product purchase is not always involved - it is possible to employ a service provider to manage an existing security environment that you’ve already deployed.

The pricing model is much like that of hosted security - mostly bound up in OPEX. Managed security services also typically sport SLAs of their own, again addressing issues like uptime and quality of service.

Symantec’s Sparkes says these managed security services are most appropriate for those organisations that have already deployed security infrastructure, and have found they can’t adequately manage it with the staff they have.

Mix tape

Each of these variations on security outsourcing has its own pros and cons. At the end of the day, each organisation is unique, and you may find that no single model fits your company. Fortunately, there’s no reason to limit yourself to just one.

“We find a lot of companies use mixed models,” Sparkes says. “It really depends on the organisation and the best way it can provide those services - either through the cloud, CPE based, a managed service, or a combination of the above.”

So, if it pleases you, mix and match to your heart’s content.

Related Articles

Microsoft aims to be carbon negative by 2030

The company has outlined plans to be carbon negative by 2030, and by 2050 to rebate all the...

My New Year's wish — more collaborative tech policy

We need to identify tech policies and priorities that set us up to benefit from the digitally...

Telecoms operators working to restore bushfire-affected networks

Australian telecommunications operators are working to restore networks in bushfire-affected...

  • All content Copyright © 2020 Westwick-Farrow Pty Ltd