The long history of security in IT has meant a popular and traditional way of provisioning emerged. This typical product and sales cycle worked for a long time, though in recent years it has been challenged with the emergence of new technologies. The Cloud demonstrated how convenient a managed services approach can be, prompting other established IT sectors, such as security, to adopt a similar approach.
A transition to managed services is something the security industry has had to look into. With the exception of a few failures, WatchGuard Technologies Asia Pacific vice-president, Scott Robertson, said the change has been an easy one.
“The service provider understands the need for security, and they have been able to offer best practices and enterprise-level service and security for even the smallest of customers,” he said. In situations where the managed services provider does not understand security, Robertson said it has led to compromised websites and botnet infections.
“Would they have happened anyway? Probably,” he said. “But many times we call a company to let them know of a breach or their website hosting malware only to be told it is ‘outsourced’ and the customer has no idea what to do next.”
Seccom Global co-founder and director, Michael Demery, said the appeal in managed security services lies in simplifying the cost and technical expertise that would be required by our customers to deliver these services in-house. The changing nature of information security, as well as the technical expertise and management cost associated with it, means security lends itself well to being delivered as a managed service.
“Due to our single focus of providing managed security services from the inception, it has not been a difficult leap for us,” Demery said.
Managed services also enable providers to deploy solutions in varying setups depending on what they are trying to achieve with their offering. Barracuda Networks A/NZ country manager, Mike Romans, said there is also flexibility to allow the solutions to scale as the customers’ requirements scale.
“They may want to multi-tenant their security appliances, or they may want to spin up individual virtual licenses for each client,” he said.
A difference in approach
As with many IT solutions, traditional security has often involved one-time purchases from vendors with a view to deploying a solution which will be revisited at some point in the future. However, AVG Technologies security advisor, Michael McKinnon, said this model is no longer effective in the constant security threat landscape of today. “In an always-on and connected world, businesses need to constantly defend themselves from threats in all directions,” he said.
Keeping appliances and equipment up to date is a daily process. Defending from malware and remediating incidents by restoring from backups also takes time. “It seems there’s always something to do in a business that is security related, and it’s become a mission-critical practice, right alongside things like managing cash flow and profitability,” McKinnon said.
The biggest difference Palo Alto Networks A/NZ regional director, Armando Dacal, identifies between managed and traditional security is with responsibility and ownership of monitoring, logging and resolution of all security incidents.
“When an organisation chooses to take on management of their own security infrastructure, they sometimes find it difficult to allocate sufficient resources to handle these threats in an adequate manner,” he said.Read more: Viator breach highlights susceptibility of online payments: CipherCloud
As such, Dacal expects managed security to be an attractive option for providers in this scenario, as they have an “economy of scale and accumulated knowledge” of current threats and exploits across multiple deployments.
Finding the right fit
When an organisation is faced with the decision of choosing what provision model works for them, Tenable Network Security Asia-Pacific vice-president, Attley Ng, suggests looking it from a business perspective.
“First, it needs to be understood that if the business is meeting its compliance and security risks, requirements, and obligations, this can be determined with a proper audit and gap analysis,” he said. In turn, analysing the gaps in compliance will enable the business to determine what is required to bolster the security to the required level.
From that point on Ng said it becomes about cost benefit analysis. This step looks at what is the cost to purchase the necessary technologies and manage those technologies internally versus outsourcing. “For most SMBs, the outsourcing option would likely be the cheaper alternative,” Ng said.
CipherCloud technology VP, Debabrata Dash, said the decision process of selecting managed security is similar to selecting a Cloud service. “The managed approach works for customers who require cost efficiency and quick access to the latest version updates,” he said. If the business is already using Cloud services, which Dash said many of them are, security has to look over the expanded infrastructure.
Dash cautions against sorely relying on the service provider for security in the Cloud. “They will cover network level security, but most privacy regulations pin data level protection on the customer,” he said. “So if an organisation is putting sensitive data into Cloud applications, they need to make sure they have the visibility and security tools needed to extend protection into the Cloud.”
With the changing threat landscape, Symantec Pacific technology senior director, Sean Kopelke, sees the managed security services model providing value to businesses.
“Organisations spend a lot of time going through millions of logs to identify serious attacks and trying to prioritise their response,” he said. To successfully defend against the types of targeted attacks found today, Kopelke said the focus needs to be expanded from a prevention model to a detection and response one.
He warns of putting too much faith in network security alone, as it by itself is not going to solve the issue. “Adversaries are targeting all control points from the gateway to email to the endpoint,” Kopelke said. “Organisations need security across these control points working together, with incident response capabilities and global information intelligence, to beat the bad guys.”
Method in the managed
The introduction of managed services may have come with a slight learning curve for the channel, though the new model is also creating opportunities for partners and resellers. BAE Systems Applied Intelligence APAC cyber security head, Craig Searle, said the approach needs to be more than just delivering a product, but also managing the entire services offering around it.
“The challenge for resellers will be that they will require not only knowledge of the product, but also of which managed service providers are more reputable and therefore better for clients,” he said.
Dimension Data security practice national manager, Jason Ha, points out a lot of organisations are “fundamentally under-prepared” for a security incident. “Businesses run fire drills all the time but you don’t head of an IT security drill,” he said. Ha adds there needs to be a plan in place and a solid understanding of all the tasks involved during, and after, an incident.
It is thanks to this environment Ha has seen demand for managed security services grow in Australia. Dimension Data acquired a local managed security provider, Earthwave, to capitalise on this demand, and the security service is currently being rolled out worldwide.
“The biggest opportunity we see is having the capability to manage the whole threat lifecycle from initial threat and risk assessment all the way through to incident response,” Ha said