Information Age: News, analysis & insight for IT & business leaders

 

Safety in numbers

25 February 2006  

The cost and complexity of managing the multiple facets of security is proving too burdensome for many organisations.

Handing over responsibility for an enterprise's welfare to an outsider may seem counter-intuitive to some IT directors, but the sheer complexity of keeping up to date with threats is persuading many that precious resources are better focussed on core competencies.

Alongside the ongoing threats of hackers and viruses, the unexpected additional burden of new data protection laws has added to the appeal of turning to specialist service providers with greater experience, resources and economies of scale. As organisations seek to understand the value they are getting from security spending, outsourcing security can provide a predictable model.

Investment bank N.M. Rothschild uses managed services from MessageLabs and ScanSafe: "A managed service is simple - switch on and immediately redirect. There is no software or appliances to keep updated, and there is no negative effect on performance," says Edmund Comber, IT director at the bank. "The threats are eliminated before they hit the network."

 
 
Case Study: The AirMiles Travel Company

The AirMiles Travel Company is a wholly-owned subsidiary of UK airline British Airways that enables customers to pay for discounted holidays, flights and leisure activities either with 'air miles' earned from travel, or with cash. It has over 6 million registered customers.

Enquiries and bookings are dealt with at the call centre in Warrington, Manchester, or via the website, whilst the head office is based in Crawley, West Sussex. "The network is the core of everything we do," says David Tomsett, infrastructure manager at AirMiles. "If we don't have a network we don't have a business."

This mentality led to Tomsett's decision to outsource network and firewall management to hosted service provider Affinity, which had carried out network maintenance for the previous two years. It was this shared past, coupled with the work Affinity had done for BA, that clinched the deal, as there was already a foundation of trust in place. "If we'd put a tender out and gone with someone brand new it would have been very difficult," explains Tomsett. Indeed, he is currently looking to extend their contract to cover end-point security, to prevent laptops causing havoc when they are plugged into the network.

Not having time to research and test potential vendors, Tomsett asked Affinity to do the legwork for him. They came back with a white paper that recommended Check Point's Integrity product. This fitted well with the Check Point firewall software already in place. Such insight into the networks it manages enables Affinity to provide value-add service, says Tomsett, and as a result they are more like an extension of the in-house IT team than a vendor.

Tomsett estimates that the cost of outsourcing these elements of security roughly equates to the hiring of another employee, but the bonus is a 24/7 service and a wide pool of knowledge and expertise. And as a result, his team can develop their AirMiles-specific application knowledge.

"There have been a few issues where they've got it a bit wrong, but that would happen in-house. Overall, we've been very happy," says Tomsett. However, there are limits to how much he is willing to outsource. "Our email security is managed in-house because modifications need to be very fast and specific. If a vendor developed a one-size-fits-all service then we might consider it - but you can't beat the instant activity you get if you ask one of your guys to run and do it."

 
 

This simplicity is in stark contrast to the do-it-yourself model, where companies are engaged in a constant battle of penetration tests and the monitoring of service level agreements (SLAs) with third party IT providers, depending on them to find and fix vulnerabilities in their software.

Companies managing their own security often have to aggregate information manually from products bought from an assortment of vendors, to discern the health of their defences. These products do not always talk to each other, and even if they do, they only see the threats that have affected their individual organisation before. A security service that is proactive in monitoring and anticipating the potential threats in this continuously changing security environment can be appealing.

In opting for a managed security service, the problem of aggregating disparate security events is solved in one fell swoop. Service providers can also draw on the information gathered from monitoring all their customers' security.

Many vendors conduct research into new threats for which internal IT departments do not have the resources, using heuristic technology to look at how software is behaving: "At the Internet level we process more than 2 billion web requests per month which means we can see across the network with a 'super eye', to monitor unusual behaviour from minute one, rather than when a virus hits," says Roger Turvey, co-founder of ScanSafe.

People are less interested in just the burglar alarm approach and are more interested in knowing exactly when there will be a break-in and what they can do about it. "The best analogy is weather forecasting, which gets better and better as you have a greater body of knowledge to draw conclusions and patterns from," says John Holland, senior vice president at Cybertrust Europe.

Lessons learnt in the lab and monitoring the web then benefit the whole customer community, although Richard Millar, VP for Northern Europe at Internet Security Systems, warns that it is important to relate that general information specifically to individual customers' assets.

But outsourcing security is no instant panacea, warns Paul Simmonds, group head of information security at chemicals giant ICI: it requires careful monitoring. Having implemented a vulnerability assessment tool from Qualys, Simmonds discovered that many of his third party suppliers were being economical with the truth when it came to security. His team managed to deface the ICI website in 30 minutes, for example. He dropped three vendors straight away, and now evangelises about the necessity of measuring security in order to manage it. Simmonds laments the fact he doesn't have the luxury of 50-person IT security teams, but says the vulnerability tool has paid for itself many times over.

"The key point is that it's allowing us to take a more proactive approach to security - rather than us incurring costs when we get hacked by a stupid 'script kiddie' exploit," says ICI's Simmonds. "But we've also discovered that there are a whole bunch of cowboy providers out there, and without the right tools you've got no chance of working out which is which."

While consolidation in the rest of the security industry has not so far affected managed services providers as much, partnerships are increasingly common, such as those between MessageLabs and ScanSafe (bundling web security with secure email management) and between CSC and Symantec. Analyst house Gartner anticipates that more mergers and acquisitions are imminent.

   
 
[Figure: IT security services market forecast: Western Europe. Source: Gartner]
 
   

