The Evolution of Managed Security Services: A Virtual Reality
In his landmark 2003 article, "IT Doesn't Matter," Nicholas Carr illustrates that overspending on dedicated IT infrastructure may actually hurt a company's financial performance. Carr also points out in his 2005 article, "The End of Corporate Computing," that in the same way companies at the turn of the century stopped investing in equipment to generate their own electricity (instead turning to electric utilities for power), enterprises will begin looking to utility computing providers as an inevitable destination for IT. While it may be a while before companies completely adopt the idea of transferring all their IT infrastructure to a utility provider, there is a growing number of utility IT services available today that merit consideration. Among these services are managed security offerings that support Carr's premise that spending less on IT can actually benefit the bottom line.
The decision to outsource is being driven by a growing focus on risk management. It's notoriously difficult to measure the ROI on security investment, but risk management provides a compelling cost-benefit model for IT executives when making the business case for outsourcing. Enterprises can transfer and mitigate some of the risks they must manage by outsourcing. This, in turn, allows internal business processes to be streamlined, positively impacting the bottom line through cost and efficiency gains.
We will define a security utility as a service provider who delivers security services without the requirement for dedicated infrastructure to be installed on the customer's premises. This model can be delivered in the form of "in the cloud" (or WAN-based service), or as virtualized infrastructure whereby many customers share a common infrastructure within a data center.
Businesses that provide outsourced IT security infrastructure and support to enterprise customers are beginning to evolve with regard to their delivery models. These delivery models vary based on the service provider's core business model. Some providers are considered security "pure plays," offering only security-related IT services. Others, such as systems integrators, will design, deploy, and sometimes manage complex IT infrastructures. The last category is the network and hosting services provider, which can offer a range of other IT infrastructure services in addition to security. Network and hosting services providers are probably best equipped to provide true, comprehensive IT utility offerings.
The Evolving Security Outsourcing Landscape
The trend of outsourcing the management of dedicated customer premise equipment (CPE) security devices to Managed Security Service Providers (MSSPs), the typical security services pure play model, has been accelerating over the last few years and is a rapidly maturing market. Indeed, Gartner predicts that the MSSP model has nearly completed its journey through the "Hype Cycle" and will become fully mainstream in as little as two years' time [1].
Remote management and monitoring of firewalls, gateway anti-virus systems, intrusion detection and prevention systems, and other dedicated security infrastructure can significantly reduce operational expenditure. MSSPs can provide higher levels of responsiveness and quicker fault resolution than enterprises can themselves and at a lower cost. This model also enables enterprises to extend 24/7/365 coverage across locations where it may have been uneconomical to do so with internal resources. Moreover, staff are freed up to focus on other projects for the business.
While MSSPs can deliver excellent benefits, other alternatives to outsourcing security IT are emerging.
Security as a Utility
A security utility promises just-in-time provisioning, lower costs, easier scalability and better reliability with a "pay-as-you-grow" delivery model. But where do these utilities reside and in what form do they exist? Security utility services can be delivered in the wide area network (WAN) via an "in the cloud" (ITC) infrastructure, or within the local area network (LAN) via a virtualized hosting IT environment. Both utility models reduce the need for CPE devices. Capacity planning is easier as the complexity associated with scaling is reduced (before, every customer would need its own dedicated appliances - even if these appliances were not running at full capacity).
ITC security has a number of additional benefits over the traditional MSSP model in that management is simplified for the service provider as there are fewer devices to manage and monitor. Security is delivered at the edge of the network service provider's backbone, and promises more comprehensive protection and greater responsiveness. ITC security enables efficient and cost-effective deployment of a broad defense strategy, and responsiveness is also enhanced through faster provisioning and implementation of global updates.
Services such as DDoS mitigation, firewalling, intrusion detection and prevention, and spam and virus filtering of emails are examples of security services that can be provided within the cloud, thus ensuring only clean content reaches the customer's network. In addition to the savings in capital outlay, a big benefit of ITC security is that incidents can be detected and mitigated in the cloud, far above the customer's LAN, thus preventing impact on local network and application infrastructure resources. Without cloud protection, even small attacks can overload local resources.
ITC security services are commonly delivered by network services providers (especially Tier-1s) and some MSSPs who have outsourcing arrangements with these providers.
Clouds, Kernels, and Virtualization
Not all security infrastructures can be moved into the cloud. For example, it would be impractical to create a multi-tiered firewall environment involving multiple subnets using a cloud-based approach. This is where virtualized hosting IT security services, complementing security-in-the-cloud services, create a true security utility environment.
Virtualized hosting IT services are delivered by some hosting services providers within their data centers. On shared virtualized platforms, virtual instances of security applications and other IT infrastructure are logically separated from one another. A virtual rack performs essentially the same function as a physical rack: an integrated framework for holding servers, network, security, and power equipment. In the IT infrastructure hosting scenario, the only difference is that virtual racks are located in silicon and use the same physical infrastructure for many customers. Physical racks occupy physical space and are typically dedicated to individual customers. Another key difference, of course, is cost. Outsourced virtual platforms, which make extensive use of VLANs, are typically far easier, faster, and less costly to deploy and maintain due to the elimination of physical equipment and installation. Redundancy and scalability are also much easier to realize with virtualized IT platforms.
The ideal security utility combines ITC security with virtualized hosting IT security services. Such a model provides for true in-depth security, from the cloud to the kernel, while vastly reducing costs and improving reliability.
Not all enterprises are ready to make the full leap to a security utility in one go, so it is important that service providers are able to help a customer in a way that accommodates its comfort level over time. A major US travel-related company was able to realize a 30% reduction in its security IT capital and operating costs by moving only selected components of its infrastructure into a security utility environment, while keeping elements of its dedicated security appliances in their original configuration. With this staggered hybrid approach, the company aims to migrate more of its security infrastructure to its utility provider over the next 12 months.
The three pillars of information security are data confidentiality, integrity and availability. Clearly, service providers can deliver higher levels of data integrity and network availability at a lower price-point than enterprises can because of their relative level of investment and economies of scale. However, for many IT decision makers, the thought of migrating even a small part of their IT infrastructure to a security utility can be initially unsettling. The most common concerns about security utilities relate to data confidentiality. There is a perceived risk of data "leaking" back and forth across individual companies' VLANs, and being viewed by unauthorized third parties. While the design of VLAN architecture logically mitigates this risk, the negative perception of shared IT infrastructure still exists for some.
But the reduction in capital expenditure and total cost of ownership by moving away from CPE, combined with the operational savings of a fully-managed infrastructure, means businesses can reduce their security management costs by up to 90% in some cases, which is proving a highly compelling reason to make the cultural leap. The key to successfully migrating to a security utility is to work with an experienced services provider that can provide a complete solution involving true ITC and virtualized hosting IT security services. Such a provider will be able to provide a number of migration options, including hybrid approaches that allow companies to migrate to a utility at an acceptable pace.
1. Gartner, Inc., "Hype Cycle for Information Security 2006," 10 July 2006.
About the Author
Chris Richter, CISSP, is head of Security Products and Services at SAVVIS, a leader in IT infrastructure for business applications. Mr. Richter is responsible for SAVVIS' managed security business, strategy and product roadmap. He led the effort to develop the security services product lines to form the portfolio the company now offers, which includes the SAVVIS Security Utility, an enterprise-class suite of security services that are delivered virtually, without the use of dedicated hardware or software. His experience spans more than 20 years in security and IT services management and consulting at companies such as Cable & Wireless, Compaq Global Services, 3Com, and Sterling Software. Mr. Richter has also served as a technical advisor and board member of IT services and product companies.
© Copyright 2007 Auerbach Publications