Demands on IT leaders to stay abreast of the latest security products, while at the same time continuously upgrading staff expertise to handle security attacks, have brought managed security providers (MSPs) to the forefront. These service providers promise to ease the burden on enterprise security staff via outsourcing.
The number of companies offering managed security services has grown dramatically in the past few months, with everyone joining the fray. IDC estimates the managed security market will grow to $US2.24 billion in 2003 from $512 million in 1998.
Making the decision to have an outside party manage, and have privileged access to, something as sacred as a company's stored data and business information is a course that must be followed carefully, says Don Ursem, vice president of network operations at US-based ASP VocalPoint.
"In my case, there was a lot of caution exercised because I know certain providers advertise certain services, but it was pretty typical to hear horror stories," says Ursem, who evaluated seven MSPs before choosing Intira. "You do not put your company's crown jewels in someone else's hands unless you've checked all the boxes to make sure they have infrastructure levels to carry out the task."
According to Ursem, VocalPoint chose Intira because it offers three key features: airtight security in its data centres, an option for inserting additional controls into the VPN, and good cross-site synchronisation.
"It's a lot more consistent if [security] is done in a data centre 24/7 then if I go out and hire a security professional," Ursem says. "That is something we want to be able to present to our customers, because we want to increase [their] comfort level."
Managed security providers have found prosperity in the dot-com market in particular due to the budget and staffing constraints that many start ups must contend with. Bargain book site www.Allbooks4less.com, for example, is the poster child for outsourcing; its business infrastructure is based on an ASP model, according to the company's CEO, John Vogus.
Vogus says his business needed a powerhouse vendor to protect his company against crippling threats it could never manage on its own.
"If someone steals a [shopper's] credit card, by law I'm only liable for $50. We take that seriously," says Vogus. "But . . . if a hacker comes in or someone cracks into my server and overrides my site, my business stops. I shut down. That's disastrous."
MSPs offer an interesting solution, but the decision to go with outsourced security is not an easy one considering the variety of solutions a company has to choose from and the gravity of the problem.
Some companies, such as Counterpane, provide around-the-clock intrusion detection services (IDSs), monitoring firewall and IDS logs for break-in attempts, and responding immediately when something is found. Other companies, such as RIPTech and Intira, will manage the entire security infrastructure of a company, from configuring and maintaining security devices to monitoring sites around the clock. The remaining offerings fall in the middle, with companies such as myCIO.com, NetSolve and many others offering a combination of monitoring and assessment services.
Glenn Miller, managing director of security and communications specialist distributor Janteknology, claims one of the fundamental stumbling blocks with delivering security is that customers have a tendency to want to see tangibly what they are paying for.
"They still want their pound of sausages," says Miller.
Miller has had a long history with security software and services - the bulk of which was with software vendor McAfee - and claims that, generally speaking, the smaller the enterprise the greater the resistance.
"The further down you go into the SME market, unless they have a large degree of in-house technical experience, the more these guys want to be able to see a box and touch it. It's hard to convince some people that value exists in space," says Miller.
Janteknology offers an electronic distribution of security software to its resellers based on a downloadable 30-day trial of a product followed by the purchase of a digital key (ARN, November 15, page 8).
In related news, the company has just released WebSpy's Analyzer product designed to monitor Internet usage within an organisation.www.janteknology.com.au