Economic and resourcing factors are fostering rampant growth in outsourced network and application service markets. At the same time, burgeoning business use of the Internet has greatly increased both enterprise security risk and awareness. These industry trends have combined to create an explosive managed security services market. According to IDC, the worldwide market for security services, growing 34% annually, will exceed $2B by 2003.
This bumper crop of emerging managed security providers (MSPs) offer a bevy of services, ranging from managed firewalls to virtual private networks to secure Internet applications. Selecting a managed security provider to protect your enterprise's assets can be a daunting task. Many of these services sound (at least superficially) similar: a provider-managed solution, installed at the edge of your network, with 24x7x365 monitoring by security experts. To understand what each MSP has to offer, you'll need to dig deeper.
Security expertise
Why do companies outsource security in the first place? Forrester Research put it this way: "Because you don't give receptionists AK47s." Enterprises expect MSPs to provide top-notch security expertise with depth that just isn't available—or affordable—in-house.
Ask for a client list and check references: does the MSP have a successful history of dealing with companies like your own? Ask about NOC staff qualifications: does the MSP hire employees who are certified to manage the solutions they sell? Do they conduct background checks? Ask about broad, diverse skill sets: can the MSP train your IT staff, can it help you develop your incident preparedness plan, can it provide forensic investigation? Don't blindly assume that anyone who can spell "managed firewall" is a security expert.
Policy development and refinement
Before outsourcing security, identify the resources you need to protect and who should be granted access to them. Once you've taken this step, ask prospective MSPs to help you design a security policy and develop a deployment plan. Many MSPs will conduct a vulnerability assessment to help you locate unprotected resources and spotlight security risks.
Your chosen MSP will design, install, and configure hardware and/or software solutions that implement your security plan. During deployment, your MSP may also help you harden your servers and bring your staff up to speed on incident preparedness. Ask the MSP to conduct tests to prove the installed solution is really enforcing your security policy. Don't forget to test "inside-out", tightening policies to reduce your exposure should an inside host be compromised.
Good MSPs will repeat vulnerability assessment and review your security policy on a regular basis. Designing an effective security policy is not a "once and done" deal; it requires on-going partnership between you and your MSP.
Breadth of services
Last fall, Dave Piscitello and I surveyed the MSP landscape in an article published by ISP-Planet. We found that most managed security services today fall into two categories: managed firewalls and managed VPNs.
Managed firewall services enforce perimeter security for your enterprise network, often via centrally-managed CPE firewalls (e.g., CheckPoint, WatchGuard). Managed VPN services create tunnels between enterprise sites and/or provide secure remote access, using a combination of CPE hardware and software. Most MSPs provide these as discretely-packaged services. Some base several services on a common platform; others use several platforms. Ask your MSP why it chose the platform(s) that it uses, and be wary of proprietary protocols or unusual gear.
Many MSPs sell added-value security services like intrusion detection, URL or active content filtering, email or web anti-virus scanning. These are typically sold "a la carte", as software bolted onto your CPE firewall. Occasionally, such services can be found on their own (e.g., AT&T's Managed Intrusion Detection Service). Added-value services may be convenient, but usually won't top your list of reasons for choosing an MSP.
On the other hand, if what you really need is secure email or web hosting, skip the managed VPN and look for an MSP/ASP that
http://www.isp-planet.com/technology/mss_what_to_look_for.html
