Outsourcing security
Companies today have the choice of outsourcing their IT security
requirements to third parties. Akhtar Pasha finds that businesses are
looking beyond the traditional MSS model and availing of real-time threat analysis
and compliance management services to reduce risk. All of this is driving the
growth of managed security services in India.
Taking the decision to outsource network security is a hard
one. The stakes are high, so it's no wonder that paralysis is a common
reaction when contemplating whether to outsource or not. The potential benefits
of outsourced security are tempting, and being able to significantly increase
network security without hiring half a dozen people or spending a fortune is
an option that is impossible to ignore. Express Computer came across
many instances of companies that are outsourcing their network security to managed
security services providers (MSSPs). We will analyse the reasons for doing so,
identify the security requirements being outsourced, and find out why businesses
should look at going beyond outsourcing the management of their security devices.
Kalpit Jain, Business Head, Messaging & Security, Netcore Solutions, cites the
case of its customer, Great Eastern Shipping, which faced the problem of viruses,
worms and spam entering the company's network and eating into its Internet
bandwidth. Worse, Great Eastern couldn't afford to divert server CPU resources
to run security software because that resulted in critical applications and
databases slowing down. Today, using Netcore's hosted model, Great Eastern's
e-mail traffic is routed to Netcore's data centre where viruses, worms
and spam are filtered/cleared, and the resulting clean traffic is sent back
to the shipping company's network. States Jain, "By outsourcing to
an MSSP, companies can avoid spending upfront, stop worrying about missing patches
and updates, and prevent technology obsolescence." On similar lines, the
National Securities Depository, Ranbaxy, Batra Clinic, and many organisations
in banking and insurance as well as trading houses have resorted to outsourcing
their IT security.

"By outsourcing the monitoring and management of security
devices to MSSPs, most enterprises can enhance their IT security set-up while
reducing operational costs, and free up internal resources to deal with changing
business needs," points out Vishal Dhupar, Managing Director, Symantec
India. He says that according to industry sources, in 2005, only 130-plus network
breaches were reported, but more than 57 million individuals' personal
information was stolen or accessed in security breaches. "This is just the tip
of the iceberg," he insists.
By definition, an MSS includes remote, subscription-based
monitoring and/or management of firewall, intrusion detection and prevention
functions via customer premises-based or network-based devices. More companies
are outsourcing their network security. This trend is driven by the fact that
there is no other way to deal with the shortage of skilled computer security
experts, the increasing need for businesses to open their networks to travelling
employees, customers and partners, and the rising threats from the external
world. For the Internet to succeed as a business tool, security has to scale.
Outsourcing is the way to do just that.
In this story we will examine why MSS as a partial or complete
alternative to in-house management should be considered by enterprises as an
effective means to improve security management, cut costs, and improve network
security. We will begin our analysis with a look at why network security is
becoming increasingly strategic for enterprises. Following this, we will describe
the reasons why enterprises are outsourcing the management of security. Lastly,
we will look at the rationale for choosing an MSSP.
A confluence of trends
The three concurrent trends that are pushing network security to the forefront
of an organisation's IT agenda, and in turn leading to a demand for MSS,
are:
- Enterprise networks are opening up.

A combination of technology pushing at one end and the need
for improving productivity pulling at the other is compelling enterprises to
open their networks to a wider range of users, access devices and access methods.
For example, expanding availability of affordable wired broadband access, proliferation
of WLAN access points, and the availability of high-speed mobile wireless networks
are all contributing factors here. These advances represent a critical stepping-stone
for enterprises in improving their market competitiveness by providing network
connectivity and flexibility for all potential users of networked resources
(remote users, partners, dealers, customers and business affiliates). "However,
unless robust controls are established and continuously managed, the risk to
the enterprise network and sensitive corporate information will intensify to
the point where enterprises must respond by restricting the open access environment
that they need to support their business objectives," says Praveen Cherien,
Country Manager, Networking, Site and Security Services, India/Sri Lanka.
Moreover, businesses are also overlooking crucial aspects
of information security. Prosenjeet Banerjee, Head of Information Security Services
at HCL Comnet, says, "In most organisations security devices work in isolation
with limited or no event correlation at all to other components of the IT infrastructure.
Many organisations, when asked about 24x7 monitoring of security infrastructure,
reply that the logs are inspected once a day, either at the beginning or
end of the day."
- Security threats are advancing in speed, sophistication and potency.
It's almost a daily occurrence: news stories that
report fresh attacks or security breaches in an enterprise network. The use
of traditional security technologies (e.g. firewalls, anti-virus filtering,
intrusion detection and VPNs) is becoming commonplace, and adoption of newer
security technologies (e.g. behavioural-based traffic filtering) is on the rise.
The logical conclusion of all these converging trends is that the malicious
elements are advancing at a faster pace than enterprises can address their network
vulnerabilities.
Symantec observed that denial of service attacks grew from an average of 119
per day to 927 per day during the first half of 2005, a 680 percent increase
over the previous reporting period. Says Dhupar, "The time between the
disclosure of a vulnerability and the release of associated exploit code decreased
from 6.4 days to 6.0 days. Additionally, an average of 54 days passed between
the appearance of a vulnerability and the release of an associated patch by
the affected vendor. This means that, on average, 48 days passed between the
release of an exploit and the release of an associated patch. During this time
systems are either vulnerable or administrators are forced to create their own
work-arounds to protect their systems and networks from exploitation."
During the same period, Symantec reported 1,862 new vulnerabilities, the
highest number ever recorded in the Internet Security Threat Report.
- The penalties of inadequate network protection are worsening.
There are several points that underscore this statement. Network disruption
and performance degradation (as evinced by slow response times) attributable
to an attack reduce an enterprise's return on investment in business applications
and network infrastructure. Simply stated, investments in applications and network
infrastructure were made to support business objectives. If attackers compromise
the reliability of the network and subsequently affect a user's access
to applications and the responsiveness of these applications, the enterprise
is not receiving the full benefits that it anticipated when it made its investments
in information technology.
The penalties for failing to comply with regulations, industry standards, and
internal corporate policies keep rising too. While monetary penalties are the
easiest to quantify, they are not the only penalties that are incurred. Recovery
from negative publicity and damage to business and customer relationships can
prove costly because failing to comply eats up time, talent, motivation and
corporate resources that would otherwise be directed towards meeting business
objectives.
Slices of outsourcing
Let's look at what is being outsourced by India Inc.
- Monitoring and managing security devices.
Banerjee says, "Until a year back, the trend was to
outsource only perimeter security to MSSPs. However, according to leading security
research organisations, 91 percent of external intrusions into a network take
place through a virus, worm or trojan. This threat may not necessarily be mitigated
by a firewall or IDS/IPS that are typical perimeter security devices which an
MSSP manages under the ambit of perimeter security. To mitigate this threat,
a proper anti-virus strategy at the perimeter and end-point devices as well
as patching of systems is required. We are seeing an increasing trend
where organisations are outsourcing end-point management in terms of anti-virus
and patch management. Businesses should evaluate remote anti-virus and patch
management," continues Banerjee.
Both security vendors and MSSPs agree on one point: that
businesses are increasingly outsourcing their stand-alone security products
such as anti-virus, anti-spam, worm, IDS, firewall, VPN and IPS to MSSPs. Notes
Deepak Jain, General Manager & Business Head, Managed IT Services, Wipro
Infotech, "Implementing security products requires a one-time investment
in the range of 15-20 percent of an organisation's overall security expenditure.
Managing and maintaining security solutions is twice as big a market because
it involves continuous monitoring."

Organisations that have invested in complex, expensive and
diverse security technologies to protect their IT assets are finding that technology
alone cannot assure security. Products like anti-virus, firewalls, intrusion
detection systems and other security solutions need to be updated regularly.
That's where the expertise of the MSSPs comes in handy. Reveals Ganesan
K S, CTO & VP, Engineering, Microland, "Through our Managed Microsoft
Security Service we are helping Microsoft in complete patch management of their
operating systems. We call their customers and ask them if they have downloaded
the patch and installed it, and if there are any issues they have faced while
doing so."
- Application penetration testing.
Anil Menon, the CEO of SecureSynergy, says that customer
networks are vulnerable to security attacks when they are being updated, or
when their applications and databases are being upgraded. This is when most
attacks that cause real damage take place. It is difficult to keep track of
patches and signatures (for security, applications and databases) as they are
released by vendors. To tackle this, Ganesan advises: "Secure your
network with real-time surveillance and round-the-clock managed security monitoring."
Adds Deepak Jain, "Companies, particularly customer-facing organisations
that are launching new applications, are going in for MSS. We feel that even
employees of the MSSP should be well-qualified, and that they should have certification
such as CISSP (Certified Information Systems Security Professionals) on the
usage of security tools. We have seen customers demanding that only people who
are certified on security handle their account."
Expect stand-alone MSSPs to concentrate on compliance, metrics and benchmarking.
Generalist outsourcers will bolster their operational security capabilities
and drive down prices for tasks such as firewall monitoring, while specialists
will shift to high-value services including compliance-related consulting and
engagements to help clients with metrics and benchmarking their security programs.
Under the RBI's draft rules, unveiled in February, all of India's
roughly 90 commercial banks will have to implement the Basel II Accord from
March 31, 2007. Basel II will have a significant influence on banking operations.
Organisations will now be able to operate with capital adequacy ratios (CARs)
that are dependent on their risk management, credit control and reporting capabilities.
For instance, Punjab National Bank has a CAR of 13 percent, which will come
down to 10 percent as per Basel II specifications. Basel II mandates that the
CAR should exceed 9 percent. PNB aims to hike its capital base by several hundred
crore. Observes Menon, "As a sector, the adoption of Basel II reduces the
sector's capital adequacy by 1.6 percentage points. You can well imagine
the amount of money that will be freed up. Banks that comply with Basel II can
free up money for doing more business."
BS 7799 defines the blueprint for implementing an information security management
system. It consists of 127 best practices in security that Indian companies
can adopt to build their security infrastructure. This helps companies maintain
IT security through the ongoing integrated management of policies and procedures,
training, selection and implementation of effective controls, review of their
efficacy, and improvement of the same. In the same vein, implementing ISO/IEC
27001:2005 will reassure customers and suppliers that information security is
taken seriously within a certified organisation.
The Basel II Accord requires all internationally active banks
to adopt similar or consistent risk-management practices. Affected banks need
to implement a comprehensive programme of risk prevention, detection, analysis
and management, and mitigate operational risks associated with their IT systems
by 2007. The accord recommends retaining activity logs for three to seven
years. Explains Menon, "Log data can aid in the segregation of duties
and documentation because it can provide a complete independent record of access,
activity and configuration changes for applications, servers and network devices.
Ideally, the policy validation function of activity monitoring and change control
audits will be performed in real-time and will include a complete audit trail
of successful and unsuccessful log-ons, as well as successful and unsuccessful
attempts to access files and directories."
Netcore provides log retention services to banks to comply with Basel II and
VISA Cardholder Information Security Program using LogLogic.
Comments Capt Raghu Raman, the CEO of Mahindra Special Services Group, "Outsourcing
security to an MSSP is fine, but it should be followed by an independent security
audit to see that all security practices, policies, SLAs and standards are being
met by the MSSP."
Rationale for security outsourcing
Paul Stamp, Senior Analyst, Forrester Research, summarises the three main reasons
why organisations are going in for MSS.
- Cost savings on repetitive tasks.
In some cases, like firewall or anti-virus monitoring, the task can be laborious
and time-consuming, and an MSSP can do the job for less than it would cost the
customer to do it in-house.
- Better ability to execute.
Organisations often benefit from an MSSP's investment
in shared infrastructure. For example, MSSPs often invest in complex technology
that can identify patterns and behaviour better than humans, but that would
prove too expensive for most organisations to invest in. Moreover, MSSPs can
use the knowledge and experience they gather from one client to identify and
mitigate prevailing threats for another.
- Better use of highly sought-after skills.
In specialised areas such as digital investigations, the expertise to perform
a task properly often simply doesn't exist in-house. Retaining a full-time
employee to perform this service would be prohibitively expensive, but firms
in the throes of an incident can't afford to waste time negotiating a contract
with a new, external expert.
Considering the trends outlined above (network openness, advancing security
threats, and the penalties for inadequate security), we believe that the
time is right for enterprises to seriously consider partial to complete outsourcing
of their IT security. In making this transition, Express Computer believes enterprises
will benefit from an economical and effective approach to protecting their network
infrastructure and the resources hosted on it.
1 Device management and monitoring can be mundane and tedious
Expertise is expensive to find and difficult to maintain. Outsourcing
the job to a managed security services provider (MSSP) relieves your staff
of the daily grind, leaving them free to concentrate on developing new
applications or piloting new technologies as the case may be.
2 The best in-house information sometimes misses the big picture
Your analysts only see their own data. An MSSP can correlate data
from all its clients and the Internet infrastructure to map trends and
anomalies, and better identify security threats.
3 Threats don't go on vacation or take holidays
Global, fully-staffed Security Operations Centres (SOCs) mean that
highly-trained security professionals are monitoring your infrastructure.
4 Information security is patchy and contradictory
Information security is a moving target that requires security teams to
understand the impact of evolving threats and the changes required to
protect an organisation against them, something that is becoming increasingly
difficult. Enterprises need help in making better decisions to reduce
cost and complexity, and more effectively managing their risk.
5 Security tools come in a box, security solutions don't
Even the best security tools require people to configure, monitor
and manage them. A security solution begins with highly-trained people
using best-of-breed tools for security prevention, detection and response
to block malicious traffic without hindering benign traffic.
6 Your operational costs may escalate with each new security initiative
Outsourcing managed security services to a vendor-neutral provider
lowers operating costs in recruiting, training and retaining staff for
24/7 organisations.
7 No more worrying
If you don't outsource you'll spend all your time worrying about every
threat, hack, virus or worm that might attack.
8 Non-compliance is a business risk
Whether you know the regulations or not, your business is liable
for security breaches and non-compliance with the regulations. Businesses
should map their security set-up to regulations. MSSPs can help them do
just that.
9 Find out how well your security initiatives are doing
You've invested a lot of money in technology and people, yet both
threats and regulations are constantly evolving. Security Risk Profiling
Services help you measure how well your systems are keeping pace, and
where your investments have paid off.
10 Stay focussed
Strategic outsourcing keeps you focussed on your core business.
(Source: VeriSign)