A Guide to Managed Security

Cloudsourcing, or management and security as a service via a third party, can help aleviate the headaches that acompany platform-agnostic BYOD policies
Cloudsourcing, or management and security as a service via a third party, can help aleviate the headaches that acompany platform-agnostic BYOD policies

Network security and asset management have been fundamental concerns for businesses of all types and sizes, and though keeping those in-house might seem like the best recourse, current trends seem to indicate that security-as-a-service (SaaS) is the way to go in the future.

Companies of all stripes have been caught in an inadvertent pincer’s movement that reflects the rapid evolution of corporate network security. On the one side, daring and sophisticated hackers look for vulnerabilities at every turn, while on the other, tough regulatory compliance is designed to ensure that data isn’t compromised to those very same hackers. But compliance also demands a certain level of transparency, and managing that sometimes requires a finger on the pulse at all times – something that seems a little more difficult for in-house IT staff to do these days.

In real terms, outsourcing security – or certain IT fixtures – isn’t altogether uncommon today, nor has it been in the past, in some respects. Email has long been managed through servers that aren’t necessarily based on company premises, while malware protection has also typically been popular as a contracted need.

The list is growing, even though relinquishing control of such a sensitive part of a business might seem anathema to its operations.

“Outsourcing business IT security is no more or less of a risk than doing security internally”, says Etienne Greeff, professional services director at SecureData in Europe. “The risk is defined by the risk management framework employed by a company. Outsourcing simply uses another party to implement and run the security controls required by an organization’s risk function.”

Greeff points out that the biggest misconception about managed security is that it creates more vulnerabilities, when in fact it doesn’t. “The level of security is increased due to the fact that there are service level agreements (SLAs) in place, and a SaaS firm will often use a scalable and secure platform to deliver the service”, he adds.

Money Matters

If not for the recession, it’s possible that the trend toward outsourced security may never have accelerated as it has. A sluggish economy tends to see businesses reassess cost centers, of which IT is usually the most pronounced, so reducing operational costs without sacrificing security protocols and compliance has been an attractive option.

The numbers seem to hammer the point home as well. A 2011 global report by Global Industry Analysts projected that managed security services would reach US$8.4 billion by 2015. In a separate report, Global Industry forecast cybersecurity as a whole reaching US$80 billion annually by 2017, meaning more than 10% of this sector will be outsourced by that time. These are projections based on a variety of data, but the complexity and unpredictability of cyberattacks makes it possible that those could be conservative estimates.

To avoid being part of the most glaring statistic – that being the $1 trillion both McAfee and the US Senate said the country has lost to cyberattackers worldwide – the migration toward managed security could move faster if the perceptions change says Phil Evans, VP EMEA at Datacastle in London. He suggests that companies may believe they can do it better in-house, but may not factor in the costs and productivity setbacks that might go with it.

"Reliance on in-house IT teams to carry out all the admin functions…also increases the risk of human error leading to damaging data loss or potential breaches"

Phil Evans, Datacastle

“When you try to manage endpoint security yourself – for remote desktops, laptops, smartphones and tablets, for example – you are often implementing policies that have significant dependencies on employee behavior”, Evans says. “Reliance on in-house IT teams to carry out all the admin functions, including daily backups, data encryption and looking after data tapes, also increases the risk of human error leading to damaging data loss or potential breaches. With SaaS security providers, many of these admin functions are fully automated, eliminating the risks and cutting the costs.”

The Ponemon Institute has published multiple reports on the cost of data breaches from lost or stolen laptops, with the most recent study indicating the average data breach costs UK-based organizations almost $3 million. Of 160,000 laptops lost in Europe in 2010, 34% were encrypted, but only 26% were regularly backed up and many had no capacity for remote deletion. Just 3% of lost devices are ever traced, and many businesses no longer control which employees access sensitive data.

“With cloud-based managed security, all this company data would have been automatically restored when the laptops went missing, and the lost data remotely deleted or automatically encrypted”, Greeff says.

Cloudsourcing

The influx of mobile devices, and moreover, the increasing demands employees place on their employers to allow their personal phones or tablets to be integrated into the corporate network, raise questions about best practices.

Bring your own device, or BYOD as it’s better known in IT circles, will continue as a popular trend in 2012 says Michelle Warren, president of MW Research and Consulting in Toronto.

“How will devices running different platforms, whether it be iOS, Android, BlackBerry, Windows or whatever it is, play nice with the corporate network so that they’re all speaking the same language?”, Warren rhetorically asks. “Outsourcing that to a third-party vendor can alleviate a lot of headaches, but they also have to make a strong case for cloudsourcing – management and security in the cloud.”

"Outsourcing business IT security is no more or less of a risk than doing security internally"

Etienne Greeff, SecureData

A significant challenge for businesses with BYOD policies is meeting data governance requirements without implementing draconian measures like forbidding company data on an employee’s tablet. Not to mention the legal uncertainties of accidentally accessing or deleting personal information on employee-owned devices.

“If the solution causes too much friction for mobile end users, they will find a way around the security solution or not use it at all, which defeats the goals of the security solution in the first place”, Evans says. “Flexible cloud-based software enables corporate security policies to be quickly and easily tailored to different tiers of employees or varying regulatory requirements across international company divisions, from a remote location.”

All Security is Local

Both Evans and Greeff agree that outsourcing security cuts the cost of saving and protecting data without the need to invest in new hardware or software. The level of data protection and storage space purchased is also scalable, and vendors and resellers are likely to be on the cusp of how to best integrate mobile devices and telecommuters into the fold.

Except there are some key factors that any large enterprise or medium to small business must take into account, Warren says. Location is one. If the enterprise is based in the UK, but the SaaS operates out of the US, then federal and state laws may apply to the data being stored on American soil, particularly as it relates to the Patriot Act. This is on top of regulatory compliance for the home country as well.

Part of the SaaS’s mandate is to ensure compliance, as this is part of the service level agreement with the company that hired them. Except some CIOs and IT managers loathe handing over that much control to another entity, Warren points out.

"Some CIOs and IT managers loathe handing over that much control to another entity"

Michelle Warren, MW Research & Consulting

“It’s the lack of internal control and having a ‘partner’ of sorts that adds a layer of complexity to their internal IT management, so it’s worth asking a lot of questions”, she says. “Will the info be available 24/7? What if the server goes down, what’s the fallback position? What’s the cost certainty per user over a contract term? How easy is it to migrate the data from one provider to another?”

Greeff suggests that risk and planning stay inside the company because risk can’t be outsourced. Risk management, by definition, is integral to a company’s survival, while planning is about aligning IT with the business’ strategic function. Neither should be outsourced.

“The rest can be, and often should be, outsourced as it makes sense for an experienced provider with economies of scale to perform the menial tasks”, he says. “With an outsourcer, a defined level of service is delivered at a predictable cost. There has also been a trend in companies that have had redundancies. With redundancies, very often specialist skills leave, with companies choosing to keep generalists that can perform a broader range of services. Security is a specialist skill, hence the requirement for a specialist provider.”

The consumerization of IT will continue and the numbers reflect that, Evans says. A report by Gartner indicates that 73% of the enterprise workforce will be mobile, and about 20% of companies won’t own any IT assets. It’s expected that 80% of all businesses will support a workforce using tablets. By 2014, almost all businesses will use smartphone applications to run corporate data.

“This has resulted in many IT departments understanding that they no longer possess control of all aspects of the IT environment and need to rely on external elements and vendors to be successful”, Evans says. “Hybrid cloud solutions enable companies to get the performance and control they are looking for by having part of the solution on their private cloud while leveraging the public cloud for its strengths.”

What’s Hot on Infosecurity Magazine?