Managed Security Services Protect and Defend

Background
Twenty percent of enterprises will experience a serious Internet security breach between now and 2005, according to a Gartner survey from spring 2002. Furthermore, Gartner concluded that 90% of cyber attacks during that period will exploit known security flaws, for which a patch or solution is already available at the time of the attack.

With new security risks appearing daily, and with so much at stake, network security has never been more important, says Mark Bornstein, manager of service provider marketing for virtual private network (VPN) and security solutions at Cisco Systems.

But staying on top of security today is a monumental task, Bornstein concedes. First, enterprises and small- and medium-sized businesses need to develop solid security policies. They must determine from whom they're trying to protect themselves, what resources they have for security, and how to prioritize those resources. What's more, a company's network needs must be considered. How many sites and users must be connected? How can the company allow e-commerce customers and business partners access without compromising security? How will the network's security solutions provide for future growth?

Next, Bornstein says, companies need to test, evaluate, purchase, configure, and deploy security hardware and software. IT staff and users must be trained. "Once all that's done," he says, "you've got to proactively manage, monitor, and update all those products around the clock across your entire network." If you don't, and an attack occurs, all your other efforts will have been for nothing.

Given the list of responsibilities, a company has to question whether developing top-notch network security expertise is key to its core business. If the answer is no, a better alternative is to outsource the job to a service provider, for whom security is a core competency.

"Managed security service providers have done all the testing on the necessary hardware and software," Bornstein says. "They've got the staff, the resources, and the expertise." Chances are, a managed security service provider can handle your company's security needs better and less expensively than you can.

Fortunately, there are a growing number of managed security service providers from which to choose. In fact, the managed security services market is poised to boom from $900 million in 2001 to more than $2.6 billion in 2005, according to a July 2002 survey from the Yankee Group.

Managed services are a win-win for customers and providers. Enterprises are able to reduce the complexity, costs, and risks associated with network security while taking advantage of the latest technologies and expertise. At the same time, providers can leverage networking infrastructures and expertise without significant additional investment, while creating longer-lasting relationships with customers. And income from high-margin managed services can help providers offset declining revenues elsewhere.

What You Need to Know
Managed security services can include intrusion detection services (IDS), VPNs, antivirus management, authentication, security intelligence, and more.

Such well-known companies as AT&T, Bell Canada, Equant, IBM, SBC, and Sprint offer a variety of managed services, including security. In addition, smaller companies such as Counterpane and Predictive focus specifically on managed security services. Each provider's offerings differ from the others in at least some respects.

For instance, Sprint's managed security services include firewall support, IDS, and authentication, as well as a new e-mail service that blocks viruses, network attacks, and spam from entering the enterprise's network, according to Mickey O'Dell, director of managed services for Sprint.

Meanwhile, IBM's services are set apart by the range of services offered, according to John DeBacco, director of segment business management for IBM Business Continuity and Recovery Services. IBM offers incident management, vulnerability testing, IDS, firewall support, antivirus protection, wireless security, and other services. While many companies focus on specific areas of security, IBM offers a total end-to-end security environment with a global reach, DeBacco says.

As with most managed services, customers can choose between using their own security hardware and software and simply turning over the management to a provider, or hiring a provider that deploys and maintains its own security equipment.

With premises-based managed security services, for instance, security hardware devices are often hosted on the customer's network but are managed remotely by the provider. Alternatively, in a managed multiprotocol label switching VPN solution, the security hardware typically resides at the service provider's location, which is the final point for connectivity on the customer's network, Bornstein says.

What You Need to Ask
With the security of your company's network at stake, and with typical service-level agreements (SLAs) lasting two to five years or more, it's critical to find the right service provider for the job. Some key questions to ask include:

• What security skills does the provider offer? The complexities of security today go far beyond just hardware and software, says Mike Heller, senior manager of service provider marketing at Cisco Systems. "Think more of skills and expertise than just of equipment when you consider what a security provider can do for you," he says.
• What information will you receive? What reports and information about security—such as attempted attacks and intrusions—will be made available, and how often? Does the provider offer a Web portal so customers can monitor network security or report problems? A key advantage of using a managed security service is the information about potential Internet threats that the provider can offer. BHP Billiton, a global natural resources company, depends on IBM's managed IDS service for the critical information on potential attacks it offers, says Jim Kates, the company's U.S. lead information security officer. IBM monitors BHP Billiton's network, analyzes the data, and compares it to information gathered from other IBM security customers. Because of its large customer base and global reach, IBM can provide a much broader perspective on potential attacks than BHP Billiton could obtain using only its own data, Kates says. If BHP Billiton hadn't been using IBM's managed security service, he adds, the company might not have been fully warned about some potential network threats until it was too late.
• What does the provider control, and what do you control? It's important to know exactly which aspects of security the provider will control and where, Heller says. Will the equipment reside on the provider's premises or yours? How much control will your company have?
• How involved will the service provider be in your company's business? Will it send a representative to your organization's IT staff meetings? At a minimum, the service provider should understand its customers' business objectives as well as their network security requirements.

Is the provider recommended by Cisco? For best results, companies with Cisco equipment should consider a provider with Cisco hardware and software on its network, Heller says. Such a partnership can ensure end-to-end network quality; simplified, cost-efficient network management; higher network availability; and services that are more reliable, scalable, secure, and easy to deploy and expand as needs change. The Cisco Powered Network program qualifies service providers that use Cisco equipment in their networks end to end and follow best practices in security, design, operations, and maintenance. Providers that comply are designated with a unique program logo.

Further Reading

For More Information
Read more about the benefits of using service providers with the Cisco Powered Network designation, plus user stories, presentations, and white papers.

Search for providers who offer Cisco Powered Network designated services.