Securing all fronts
By Penny Jones, ZDNet Australia
April 27, 2005
URL: http://www.zdnet.com.au/insight/security/soa/Securing-all-fronts/0,139023764,139189733,00.htm
Securing what is sacred to a business takes more than just a new program -- it can be a full-time job, which at times is better left to the experts.
But managing security can be a big headache, and it is easy to get wrong, especially when basic perimeter security is not enough. Attacks from inside the business are growing, and the complexity of the business environment is changing with globalisation. Remote working, and new technology designed to link different parts of an operation, raise new issues for what was once deemed a simple procedure. An unprotected firewall can open up thousands of doors for hackers wanting access to your business operations, and spam is constantly being slammed for the thousands of employee hours it costs each year. Add to this the growing problem of lost business due to downtime, and the ethical obligation to keep your clients safe, and it becomes easy to see why security is no light topic.
Frost & Sullivan analyst James Turner says one of the main reasons the nature of security has had to change is that hackers are becoming much more money-hungry, and extortion and identity theft are becoming a lot more common.
"As capitalism consumes the world, the hackers are coming around to the market's way of thinking and they are looking for their own piece of the action," Turner says.
When a good MSSP is employed, a company should be able to expect constant monitoring and management of both internal and external network operations, depending on the services assigned to the provider. The idea is that as a client, you should rest easy knowing a team of experts is monitoring patch updates and keeping up with world security trends. However, like most outsourced services, companies will not be able to hand over their liability for security to the provider. Modesto says what IT staff will be able to do, though, is show higher management that they have taken big steps to make their company secure. Other benefits of handing over the lock and key are glaringly obvious, he says. "Cost would have to be the biggest one, on top of expertise. You can have some tough service level agreements (SLAs) written," Modesto says. "But every security provider will tell you that security is one thing that can never be 100 percent assured -- you simply can't guarantee that. Having a managed security provider is all about minimising exposure and managing security effectively -- something a lot of businesses cannot afford. For good security your infrastructure needs to be managed by someone with the time and the right tools and skill set -- things that, when dealing with security, are not cheap." Australian e-mail security penetration tester Neal Wise, partner at Assurance.com.au, agrees. He says as far as labour and costs go, making your security problem someone else's can be a very attractive offer. "There are perceived cost savings with managed security, as security personnel are not cheap, and you get round-the-clock service -- that is obviously the number one benefit in this time when so many threats loom," Wise says. "But you have to manage the security relationship right, as no one is going to understand your security needs better than you do."
Melbourne-based MSSP Dimension Data has clients in Europe, the US, and South Africa. National security manager Neil Campbell says on all continents, cost is only part of the reason his clients choose managed over in-house models. "Most of our clients do not have the resources to deal with security properly, so cost is one reason they turn to managed security, but a lot of people are also tempted by the fact that you are handing over that part of the business risk to someone else," Campbell says. "Many businesses find it is quite difficult to attract and retain security personnel, especially if operating as an SME."
But when should companies consider coughing up the bucks and moving on to managed security? Frost & Sullivan's Turner says: "A business should consider moving to a managed security service provider when they estimate that the risk of loss outweighs the cost of the service, and the cost of maintaining the in-house skills needed to manage it." "If your business is in any way reliant on connection to the Internet 24x7, then ideally you either have 24x7 security staff or an MSSP. The MSSP can provide good network security much more cheaply than most companies can provide it themselves because they are the specialists and they have economies of scale which make it more affordable," he adds. General acceptance of managed security may be growing, but the reputations of unreliable providers still, to some degree, hold the service back.
Industry cowboys still exist -- there are numerous horror stories of people signing up with an unreliable provider only to find out months down the track that monitoring has not been maintained at its promised levels, or that small start-ups are facing insolvency, putting all contracts at risk and costing companies dearly.
Security software company Sophos resells its products to large ISPs, who in turn sell the software as part of a managed service. Sophos managing director Rob Forsythe says he views the general company cut-off for the hire of specialised security staff to be businesses with fewer than 1000 employees. "A larger enterprise would buy our product direct and manage their own network, which would allow them greater internal flexibility, but a smaller one, to have the same level of security, would have to look for outsourced flexibility," Forsythe says. "Then you also have the difference in cost in relation to having the capital expenditure per month, instead of the outright cost and total cost of ownership."
"Security is something most organisations can afford to have, but they don't always realise that you get the best bang for your buck, so you really want to know what it is you are needing," he says. "Like in most industries there are plenty of shonky salesmen out there; you have to be really careful you are getting a reputable operator for your money. You need to really ask what it is you want from your service: if they have around-the-clock appropriate staffing, if they have more than one operating centre, if they have good customer references and what sort of audits or reports they will offer." Security is a big concern, but choosing whom to trust with it in the first instance is an even bigger one to get right. Plenty of companies have been through the trial-and-error process of doing security in-house, and that of selecting a credible security provider.
"Selecting the right person is even more important than getting your infrastructure right," Bulletproof's Modesto says.
As with most outsourcing initiatives, the service level agreement (SLA) between yourself and your provider can either be your saviour or the bane of your existence. The SLA could very well be the most important part of your relationship with your managed service provider. It will define the roles your provider has with regard to your company, and what you should and should not accept for your money. Traditionally, your money will ultimately drive what you can and can't have in your SLA. The more you pay, the more customisation you can expect. Standard SLAs, for instance, may simply determine how many firewall rule changes you can have within your business under a particular cost. But no matter how small your security objective, the SLA must state it clearly.
Frost & Sullivan analyst James Turner says contracts are one of the key areas of concern with any outsourcing venture. "No one wants to spend six months arguing over who is responsible for paying, say, for hardware maintenance. Just like with all good business projects, ownership must be attributed to each task," Turner says.
You can also add in security tests, penetration exercises, authentication and access control and auditing if suitable. But remember, with outsourcing, each service comes at a cost.
Keeping costs down and attracting qualified security staff were problems for Nintendo Australia. When it received a directive from head office in Japan to start analysing the logs from its Check Point firewall or a possible replacement Netscreen appliance, Nintendo Australia IT manager Peter Stroud was concerned by the expense of the project, even though he could see it was a good step. "We thought it was kind of like shutting the gate after the horse had bolted -- we were going to have to spend a lot of money but we would only have the information analysed a week after any violation," Stroud says. "We thought if we were going to spend the money on expensive software we would also look around to see if we could find something that did intrusion detection and prevention, which led to us deciding we may as well outsource the whole thing." Price-wise, Nintendo looked at a variety of options; the most expensive quote was AU$30,000 for the installation of equipment only, and another AU$30,000 a year on top of this for the 24x7 maintenance and support of that -- too much for a small company of only 60 local staff.
The gaming company ended up going with Network Box, an MSSP specialising in complete managed security. "We chose the Network Box because, for about AU$1200 to AU$1500 a month we were able to get our security at half the cost. We can restrict site access for staff, we have no hidden costs, we have 24x7 support," says Stroud.
Queensland-based integrated engineering and services provider Thiess approached IBM just over a year ago about problems it was having with "ridiculous" amounts of spam, viruses, and pornographic e-mails taking up valuable employee hours and leaving the company at risk of attack. "We could see the huge amount of time it took employees to sort unwanted materials from regular business e-mail, as well as the strain it was placing on the bandwidth of our corporate network," says Thiess infrastructure supervisor Richard Moran. Thiess went to IBM, a reseller of MessageLabs managed security services, and signed on for anti-spam, antivirus, and image control (to block distasteful Internet sites) services. As part of the service, Thiess' mail delivery and Internet access were reconfigured to pass through MessageLabs' infrastructure before reaching the desktops of Thiess employees. IBM provides all the service's 24x7 support.
"The most effective solution for us was one that eliminated e-mail threats by sitting outside the boundaries of our corporate network, filtering all e-mail prior to their delivery by acting as a first line of defence," Moran says.
Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.