Widely tipped as the boom for security at the turn of the century, managed security services are now taking off, buoyed by a raft of new technologies and an increasingly complex security environment.
"There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know." - Donald Rumsfeld
On February 12, 2002, Donald Rumsfeld mounted the podium at a US Department of Defense news briefing and offered a series of comments which immediately became the target of comedians, commentators and talk-show hosts throughout the world. While the statement sounds a tad ridiculous at first, Rumsfeld's known knowns, known unknowns, and unknown unknowns is an entirely valid and logical reflection on the challenge of providing security in a fluid environment. In fact, it can be applied to just about any situation where security needs to be maintained in the face of evolving and diverse threats.
One environment where the analogy is particularly useful is network security. For any business, being connected to the Internet means tackling the known knowns such as email-borne threats, the known unknowns, such as potentially dangerous websites, as well as the unknown unknowns, which are perhaps only detected using computer forensics. As a result of this constantly changing environment and increasing complexity, managed security services (MSS), which initially surged, then died back, are again growing at a clip.
Although MSS failed to meet initial market expectations, the sector generated $US170 million in 2006 and is now the fastest growing segment of the security industry. It is expected to reach $US283 million by 2011. According to IDC security market analyst, Patrik Bihammar, a confluence of legal, technological and demographic circumstances has lead to this renewed vigour.
"If you go back 10 years there were limitations on the space, because we lacked the technology and the broadband to make it work effectively, but we're now at the stage where the benefits outweigh the costs," Bihammar said. "There was also a reluctance in the past to hand over the care of sensitive data to an external party, but the increasingly complex environment, and a raft of more mature offerings have lead to a shift in perception."
Stronger than ever
Founder and CEO of managed software service provider Virtual Office, Craig Allen, agreed the MSS market was stronger than ever, but said the change had been gradual rather than precipitous. He suggested the increasing interest in externally managed security services was largely due to the way Internet-borne threats have constantly adapted to corporate responses. "Ten years ago people were talking about email viruses, and they resolved that using scanning software, and that is no longer a major threat, but it didn't stop there," Allen said. "Now the major threat we are seeing comes from within, from disgruntled employees, or employees using the Internet for non-business purposes."
As a result, the provision of corporate security has become a multilayered beast, requiring increasing levels of sophistication, and the ability to constantly monitor the threat environment both within and beyond the corporate network.
"Managed security services are definitely about providing layered security so that what isn't stopped at the firewall can be detected and stopped internally before it is even recognised as a threat," Allen said. "The really good hackers don't want to leave any footprints, they want to come in and sneak around, and pick up bits and pieces of information without anyone noticing." Symantec Asia-Pacific vice-president of channel sales, John Donovan, said the generic threat common in the late 1990s had been replaced with more targeted, and often directly malicious attacks.
"The market for MSS didn't grow as quickly as was initially expected, but the landscape has changed. As a result, the 'look-what-I-can-do' attacks have been replaced by breaches which are more professional and more commercially driven," he said. "These days people are looking for data they can sell or manipulate, and we are seeing multi-stage attack, where what seems like a small breach to the network was actually a way to facilitate a much larger attack."
And while some of the largest and most technologically advanced companies should be the best protected, they are also those most likely to be targeted. Just this month one of the largest online share trading firms in the US, TD Ameritrade Holding Corporation, suffered a breach of its internal customer information databases, leading to an estimated 6.3 million customer email addresses falling into the hands of spammers.
The unauthorised code, which was effectively stealing customer emails, was discovered and deleted with the help of managed security services provider, ID Analytics, in mid-September, following internal investigation of stock-related spam. According to a statement from the company the theft, while annoying, stopped short of constituting a threat to individual identities because the company had managed to quarantine different customer information.
"While the financial assets our clients hold with us were never touched, and there is no evidence that our clients' Social Security Numbers were taken, we understand that this issue has increased unwanted spam, which is annoying and inconvenient for them," CEO, Joe Moglia, offered in an apologetic company press release.
However, the fact that the "unauthorised code" managed to enter the company network in the first place, and remain there for an undisclosed period, provides a disturbing wake-up call as to the insidious nature of such targeted incursions.
So what's in it for the channel?
While large institutions such as banks and government departments were introduced to MSS along with a spate of outsourcing which occurred at the end of the 1990s, the next wave of adoption predicted to bring the service into the mid-level enterprises has been slow in breaking.
Nonetheless, according to Juniper Asia-Pacific carrier partner group director, James Wilson, the current wave of MSS adoption is now creating opportunities for security providers of all sizes and specialisations. "There is an emerging need in the market for secure communications in a very broad context; that is to say that the need for security is broad and the way it is provided is similarly broad," Wilson said. "As access methods speed up and become more attractive to business users, there is a widening use of the network to a larger group of users. This needs to be secured to prevent loss of productivity or more importantly loss of customer and employee data."
According to Wilson, as mid-level and small enterprise increasingly embrace the Internet to increase productivity, streamline business practices and improve customer communications, they also increase their vulnerability to external and internal threats.
"The rise of the extranet as a means of streamlining supply and distribution within communities of interest suggests that this expansion is only just beginning," he said.
The result is an expansion not only in the overall demand for MSS, but also in the spread of demand across different sectors. Thus, companies which initially struggled as demand sagged through the early years of the new millennia are now doing a brisk trade.
MSS specialists, Seccom Networks, was founded five years ago in response to what it saw as an important trend towards the outsourcing of security provision and management in Europe and the Americas.
"We found it very hard in the first two or three years to get some traction in the Australian market, but in the last 12 months things have really started to come along," CIO, Gavin Matthews, said. "The mid sector was slow to adopt outsourcing generally in Australia, they have been very traditional in keeping their data in-house, but you just can't afford to do that anymore from a security point of view."
And while the top end of town has been increasingly taking advantage of MSS in line with improvements in technology, the key driver in the mid-market has been the increasing complexity of the security challenge, and the prohibitive cost of employing internal security personnel. "When we look at the actual cost of running security internally, and the costs to the business of data loss, or productivity loss if the network goes down, MSS is the best option for them," Matthews said. "The key things they are telling us is that they don't have the time to dedicate someone to IT, and they know they need to be doing more to protect themselves, but they don't just know how."
Service delivery manager for managed security specialists Editure, Robin Guy, said mid-level companies rarely had the breath of experience to identify threats as they emerged.
"The skills required for the smaller environment and the larger environment are the same, but the cost justification to employ a security specialist just isn't there for small companies," he said. "We get to leverage our experience across 100-200 different clients, so we can get exposure to a threat and know how to combat it before it comes anywhere near our the bulk of our customers." At the same time as the demand side of the equation heats up, technology vendors have come to the party with a range of increasingly affordable appliances and technologies.
"What we can now offer is bang for your buck, whereas the all-in-one appliances we had five years ago didn't have the performance or the features to make them really attractive to the mid sector," Matthews said. "Now you can get the combination of affordability and performance, as well as real-time monitoring and high-level security, that was just impossible before.
Moreover, according to Editure's Guy, the combination of spam filtering and security technologies makes it possible for resellers to offer a full security solution which actually saves on operational costs.
"Spam is a key vehicle for viruses and attacks, and if you're cutting out spam, you're also cutting out up to 90 per cent of email traffic, which saves on the bandwidth they used to need to transport that traffic," he explained. And while the whole commercial landscape has changed substantially in recent years, opening up the mid and small business sectors, effective marketing remains a key challenge for the MSS channel.
While the big end of town is largely forced on high grade security solutions in order to mitigate IT risk, selling security into small businesses is still similar to selling insurance, according to Virtual Office's Allen. "Smaller businesses don't buy into managed security, or any other type of security until they've been compromised," he said.
It's not only the very small companies that exhibit a reactive approach to security, according to Seccom Networks' Matthews. He said most companies only sought out external providers once their capacity to respond to threats internally had been demonstrably compromised. Nonetheless, he said other factors such as compliance were becoming increasingly important to the market.
"Around 50 per cent of the people we speak to have had some form of intrusion data loss of malicious attack within 60 days of contacting us," he said. "However, we are also seeing more interest coming from the compliance side of things, as the mid-market have to make sure they have their systems in place to fulfill the requirements of larger partners, or industry legislation."
As a result, the major challenge for security resellers remains one of marketing. The least destructive virus is always that which has been prevented from entering the corporate network in the first place, favouring a reseller channel well versed in "what if" scenarios. "Being a managed security service provider is very much like selling insurance, expenditure on IT security is still often seen as an intangible, while physical security is still seen as necessary," Matthews said.
Marketing the message when it comes to MSS may well lie in demonstrating to the same customers the real value contained in their data and information systems. "The reality for most SMBs when it comes to keeping up with security threats means recognising and protecting their most valuable assets," Allen said. "It might be a warehouse or a diamond ring, or stock or whatever, it's all connected with IT now. SMBs aren't security companies; they rely on specialists to provide those services."
Protection not just from the known knowns, which are obvious to all, and the known unknowns, which are clear to some, but especially from the targeted, malicious attacks, to which many companies may not even realise they are subject.