Would you put the security of your company into someone else's hands? ZDNet Australia finds out what benefits and peace of mind a managed service can provide.
Guy Stocker, technology manager at Parmalat, wanted to fully outsource management of the company's firewall. He was only spending one percent of his time looking after it, when really he thought it should be monitored around the clock, seven days a week.
Parmalat is one of the three main dairy producers in Australia. Operating in 35 locations around the country, Parmalat has the problem that its produce is perishable: its products need to reach their end destination within days. The Australian dairy industry is moving towards an e-business model and Parmalat is using an SAP system to transact with its partners, such as Woolworths and Coles. Because of these external transactions, managing the firewall on the Internet link is critical.
"Because we are a 24x7 operation you cannot have a firewall managed one percent of that time, which I was doing, it is crazy," says Stocker.
And his concerns are valid. As security vendors always tell us, threats to company security are increasing every day and they are becoming more complex and harder to catch. Users are saying this too. AusCERT (Australian Computer Emergency Response Team) recently conducted its annual Australian Computer Crime and Security Survey. Sent out to 350 of Australia's top public companies, more than 200 CIOs responded. Their results back up what security vendors have been telling us.
Ninety-eight percent of the companies surveyed said they use antivirus, 95 percent said they use firewalls, and the results were also high for access control and physical security, yet 42 percent experienced a security incident in the last 12 months. The good news is that figure is down from 67 percent in the 2002 survey.
However, companies often baulk at telling anyone they have experienced a security breach. With all the talk about security, it can often seem like scaremongering, but companies are experiencing breaches and they are responding to them.
Responding to these attacks, 67 percent of CIOs reported that they are now spending more money on security. This is something that John Donovan, managing director of Symantec, is seeing as well. Donovan estimates that companies are now spending about eight percent of the IT budget on security, compared to last year's estimate of one percent. This is a significant increase, and Donovan says it would even be as much as 12 percent for larger companies.
However, throwing more money at the problem hasn't made CIOs more comfortable with their handle on security: only 11 percent said they thought their organisation was managing all computer security issues reasonably well.
Why outsource
It is probably then no wonder that more companies are leaning towards managed security services. Donovan says Symantec is seeing a big increase in the managed services side of the business, in particular the monitoring and managing of security products.
"Timely patch application is absolutely vital to maintaining security." (Lorenzo Modesto, Sales and Marketing Manager, Bulletproof Networks)
The survey results back this up. CIOs cited the most challenging and problematic aspects of security management as configuration management (49 percent), keeping up to date with threats, vulnerabilities, and changes in technology (58 percent), and changing users' attitudes and behaviours regarding security (59 percent).
According to Lorenzo Modesto, sales and marketing manager at security service provider Bulletproof Networks, getting rid of the patch management headache is a driver to managed security services.
"Timely security patch application is absolutely vital to maintaining security. A perfect example of this is the huge impact of worms like Nimda and Slammer. Servers affected should have been patched to an acceptable level but weren't, and in both cases the worms targeted a vulnerability for which a patch had been available for several months," says Modesto.
"At its peak we were seeing infected unmanaged servers pushing in excess of 100Mb/ps of worm traffic. The people managing these servers were simply too busy to keep them up to date," he says.
Other reasons to outsource security are that it isn't one of the core competencies of the company, and that it is too expensive to hire internal expertise.
From Stocker's point of view, keeping up to date with the latest upgrades and patches was a headache. He realised that managing security wasn't core to Parmalat's operations, that he couldn't devote the time needed to manage the firewall, and that he couldn't justify hiring an internal expert.
"I needed someone to manage the firewall totally because I'm not the expert and there is no way I am going to have an internal person be a specialist on it because how do you keep that person trained, and how do you keep them up to date with the latest things? We would probably spend more time reinventing the wheel," says Stocker. "If you've got a group that you can go to and that's all they do, then they have already got all the cuts and bruises, they know what not to do and what you should do to actually manage that type of infrastructure."
So the decision to outsource was fairly straightforward. When it came time to replace the firewall infrastructure, Stocker was referred to managed security provider Zento.
Shameful business
Stocker says he is very happy with Zento's service so far, and he was lucky to be referred to a good provider. Unfortunately, finding a trustworthy security provider can be a bit hit and miss.
Kim Valois, director of global information security services at CSC, says there are a few security practices that she doesn't respect. She says there are some security practitioners who are "overlooking or omitting things or who border on negligent".
Valois says she ran across one such company that performed a security assessment for a client. After the assessment, this service provider gave a list of all of the security vulnerabilities the company was open to. What it didn't provide, however, was a complete risk assessment that includes how likely it would be that any of those risks would actually occur.
"I think it's very early days in the management of IT security." (Arthur Argyropoulos, CEO, Zento)
Arthur Argyropoulos of Zento says there are only around three managed security service providers at the moment that truly do managed IT security.
"I think it's very early days in the management of IT security. People claim 24x7 support but really they just have guys with pagers that get woken up at 3am," he says. "If [customers] meet the guys at the low end, they will have a low respect for what a managed service can provide."
Of course, telling the good from the bad isn't always easy. The best way to find a good (or bad) provider will be to ask around and find out what the experience has been for your colleagues in the industry.
However, there are some basic service levels that you can check. First of all, check if they provide a true 24x7 service. Also ask for references and look for a provider that has built up relationships with its customers. And shop around.
One IT manager who was looking to fully outsource his company's security approached around 15 service providers. That might seem like a high number, but sorting out the good from the bad wasn't too difficult. Firstly, some providers didn't even get back to him. He conducted interviews with all of those that did respond, and found that some were totally sales focused while others were technically focused. Also, only a few of the providers were willing to give quotes, and of those few, some weren't willing to break down the costs to show how much each service would cost.
CSC's Valois says you should look for providers that are straight with you and who don't try to push up budgets.
To get an idea of what a managed security provider can offer, Modesto says a typical service offering includes service configuration, ongoing and proactive patch management, ongoing monitoring, proactive response and troubleshooting within an agreed response window, and alerts of other operating system vulnerabilities when they spring up that may affect another part of the customer's network.







