However, the vast majority of UK businesses are still struggling with IT security. According to PwC’s 2014 Global State of Information Security survey, the number of security incidents detected in the UK in the past 12 months increased by 69 per cent. Worryingly, over 16 per cent of UK businesses do not know how many security incidents they had last year. The data suggests that breaches are increasing while rising IT security spend is failing to counter the threat. In response, should organisations start thinking about shifting IT security into a managed service?
The case for outsourcing
IT security is a moving target that requires organisations to keep highly paid information security professionals sharp with continual training. IT security monitoring needs to be constant as attacks can happen at any time of any day. Having 24 x 7 x 365 coverage, complete with a rapid response team on standby, is not cost-effective for anybody other than the largest of organisations.
The financial burden of hiring, training and keeping security expertise up to date is substantial. If the cost of people is already high, add in the expense of buying and maintaining the physical IT security hardware, software and processes that help to protect organisations and it becomes hard to justify the bulk of IT security remaining in-house. Although many organisations are increasingly outsourcing elements like email and payment processing, IT security has still tended to remain an in-house activity. Concern over allowing third-party access to sensitive data or systems is often the primary issue.
The reality is that employees themselves pose a far greater risk than external organisations that are dedicated to information security. Other fears, such as IT managers outsourcing themselves out of a job and cultural issues around loss of control, may initially play a part in resisting a move to managed IT security services. In practice, the move frees the IT manager’s time to concentrate on more business-critical work rather than high-maintenance, time-consuming ‘housekeeping’ chores.
Once they are fully understood, the benefits of cost reduction and service enhancement quickly outweigh the initial fears of outsourcing or managed security services.
Standards and audited ability
However, picking a managed security service provider is not like choosing an electricity supplier; the selection criteria and evaluation process are far more complex. Aside from cost and the list of features, the most pertinent differentiator between service providers is adherence to external standards and audited ability.
Probably the most impressive is ISO 27001, an Information Security Management System standard that evolved from the British Standard BS 7799 for managing information security. ISO 27001 is used in conjunction with other standards from the ISO 27000 family, such as ISO 27002, which contains additional audit guidelines. ISO 27001 is often seen as comparable to SAS 70, an auditing standard run by the American Institute of Certified Public Accountants.
Another major standard is the Payment Card Industry Data Security Standard (PCI DSS), which was created by credit card companies, including Visa and MasterCard, to ensure that cardholder data is secure when card payments are handled. Even though it is the merchant payment service provider that needs to be PCI-certified, the standard also applies to physical facilities such as the datacentre. This covers access control, surveillance, procedures for visitors and limits on who has access to the equipment that handles and stores transaction-related data. If your business is going to be engaged in online sales, then PCI compliance is a good idea.
It is also vital to ask where your data is stored. Who owns the servers, racks and even the datacentre? How secure is the datacentre itself? What certifications does the datacentre hold for data and physical security? Some providers are vague on these questions, especially if they are co-located or, worse, located in a jurisdiction with different privacy laws from those of the customer.
As with any other supplier, before getting into the specifics of the technical infrastructure it is wise to understand the business as a whole, its pedigree and the people you are dealing with. Even creating a shortlist can be a daunting task. One starting point is industry groups. The Cloud Industry Forum has created a Code of Practice for Cloud Service Providers that covers organisations offering customers remotely hosted IT services of any type, including but not limited to multi-tenanted services accessed via the Internet.
Firewalls – a good place to start
Companies looking to outsource their IT security can dip a toe in the water by having their firewalls managed. Every organisation with access to the Internet needs some form of firewall protection, and somebody to set up, monitor and manage this critical gateway. In the event of a security incident, organisations will need to analyse firewall logs to identify the cause quickly. They should then interpret the results and undertake remediation to minimise the possible damage and prevent further risk. This often takes a whole team of experienced individuals to accomplish.
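The log triage step described above, as an added example that is not part of the original article: a short Python script that parses constructed firewall log lines in a netfilter-style syslog layout, flags external sources denied on many distinct destination ports, and lists any accepted outbound flow from an internal host back to a flagged source. The log layout, host name, addresses and ports are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log in an iptables/netfilter-style syslog layout; addresses
# are from the RFC 5737 documentation ranges and do not belong to any real host.
SAMPLE_LOG = """\
Mar 12 03:14:07 fw01 kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22
Mar 12 03:14:07 fw01 kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=23
Mar 12 03:14:08 fw01 kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=51236 DPT=445
Mar 12 03:14:08 fw01 kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=51237 DPT=3389
Mar 12 03:14:09 fw01 kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=51238 DPT=8080
Mar 12 03:14:09 fw01 kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=51239 DPT=1433
Mar 12 03:15:01 fw01 kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=443
Mar 12 03:15:02 fw01 kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=40002 DPT=161
Mar 12 03:15:03 fw01 kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.45 PROTO=TCP SPT=50123 DPT=9001
"""

# One regex for the whole line: syslog prefix, verdict, interfaces and the 5-tuple.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<action>FW-(?:DROP|ACCEPT)) IN=(?P<in>\S*) OUT=(?P<out>\S*) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict of fields for a recognised line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"], rec["dpt"] = int(rec["spt"]), int(rec["dpt"])
    return rec


def triage(log_text, port_threshold=5):
    """Return (scanners, followups). scanners maps each source denied on at least
    port_threshold distinct destination ports to the sorted list of those ports;
    followups lists accepted flows whose destination is one of those sources,
    i.e. an internal host talking back to something the firewall was already
    rejecting, which is worth an analyst's attention first."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    denied_ports = defaultdict(set)
    for r in records:
        if r["action"] == "FW-DROP":
            denied_ports[r["src"]].add(r["dpt"])
    scanners = {src: sorted(p) for src, p in denied_ports.items() if len(p) >= port_threshold}
    followups = [r for r in records if r["action"] == "FW-ACCEPT" and r["dst"] in scanners]
    return scanners, followups


if __name__ == "__main__":
    scanners, followups = triage(SAMPLE_LOG)
    for src, ports in scanners.items():
        print(f"denied on {len(ports)} distinct ports: {src} -> {ports}")
    for r in followups:
        print(f"accepted outbound to flagged source: {r['src']} -> {r['dst']}:{r['dpt']} at {r['ts']}")
```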
Managing firewalls is time-consuming ‘bread and butter’ work for information security professionals, which can often make the task a good test case for switching to managed security services.
Managed firewall services provide the equivalent of a dedicated in-house manager or department and typically offer the features of larger, best-of-breed vendor products. The service provider delivers a centralised management function and VPN capabilities to allow manageable site-to-site and remote access. A typical service can scale from a single branch office to a global deployment that adheres to consistent corporate security policy.
A managed service will include hosting the firewall hardware in a carrier-class environment or placing it on the client site and managing it remotely. In either case, the service takes care of replacing faulty hardware, managing firmware revisions and applying the latest security patches. In what is often called a ‘security as a service’ offering, all hardware, software licences, configuration, policy creation, maintenance, support and ongoing management are supplied as part of the service, with no need to purchase any of the products outright. This allows organisations to fund security infrastructure from operational budget alone, and to benefit from the elasticity of service-based security.
The primary advantage of using a managed firewall service is that customers can implement a tailored perimeter security service, managed by security experts, with very little up-front cost and without the higher OPEX associated with maintaining additional in-house security expertise.
Taking the next step
Assuming that moving to a managed firewall has been a success, the next step for many organisations is a fully managed security gateway. These services have much in common with a managed firewall in terms of capital expenditure reduction and expertise but offer additional granular options to protect against different types of threats.
As a minimum, a managed security gateway service includes both firewall and VPN software, delivered on a hardware security appliance. The range of hardware available ensures that organisations can scale to meet traffic volume. Added to the base services are additional security service modules, which can be purchased at the start of the contract, or easily added as and when necessary during the term of the service, depending on individual security and business requirements.
With the massive rise of mobile devices and remote working, organisations often add secure mobile access modules. These provide enterprise-grade remote access via SSL VPN for simple, safe and secure mobile connectivity to email, calendars, contacts and corporate applications on smartphones, laptops or PCs.
The majority of managed security gateways will also offer proactive security, such as intrusion detection and prevention systems that aim to stop attacks as they happen. These systems generate alerts prompting security response teams to investigate the event and take action. Other security add-ons, such as anti-virus protection, data loss prevention, and email and web content filtering, are also available to offer complete gateway protection.
SLA for peace of mind
In order to identify key services and processes required to meet the needs of the business, it is standard business practice for managed service providers to offer a Service Level Agreement (SLA). The quality of the SLA is often a deciding factor in winning and retaining customers. The SLA will include service descriptions, delivery points, service availability, support and escalation procedures. It is the responsibility of the managed service provider to ensure that the customer fully understands all of these aspects of the SLA. Once an SLA has been accepted, it is critical to put mechanisms in place to capture service delivery data to validate that the service has been delivered as agreed. The reporting element provides peace of mind and also a basis for discussions between service provider and customer on how services can evolve to meet business requirements.
Even though the majority of the emerging managed services are offered by large, single-source providers, many small and medium businesses prefer to outsource their IT processes to trusted third parties. Before rushing into any managed service, it is always recommended that organisations talk to these trusted third parties, who can provide an impartial assessment of a service’s strengths, weaknesses and overall value for money. In many cases, these same IT suppliers might well have complementary services, system deployment skills and management expertise, as well as experience in implementing security and related business continuity solutions.