Choosing a Managed Security Services Provider
Network and system security is an important topic, and managed security services, as delivered by managed security services providers (MSSPs), deserve coverage within it. So many organizations of every size are choosing to outsource security services that the phenomenon is too important to overlook, and outsourcing is highly likely to be among the options that most organizations are already considering for establishing appropriate security measures and coverage. Though this article may not address specific tools for implementing security directly, it explains an important service that can stand organizations in good stead.
What Is an MSSP?
Simply put, an MSSP is a third party that works with clients to assess and define security needs, evaluates any security policies, practices and procedures in place, and then implements and maintains a security infrastructure on its clients’ behalf. Numerous definitions of the term, like those at whatis.com and in Cisco’s technical glossary, make the point that an MSSP is a kind of Internet Service Provider (ISP). But an examination of leading companies that ply their trade as MSSPs reveals that the overwhelming focus is on security and that not all outfits that identify themselves as MSSPs also identify themselves as ISPs.
Be that as it may, you’ll find that many large telecommunications companies (which now routinely provide Internet services as part of a wide array of offerings) also have staked out a presence as MSSPs. Thus, it should come as no great shock that companies like Sprint and SBC/AT&T run large-scale MSSP operations. Likewise, many ISPs also offer managed security services, and some even specialize exclusively in this area, such as MegaPath Networks (formerly known as TManage).
In addition, there are many security-focused companies that also offer or specialize in managed security services, including well-known names like Symantec Corp., Verisign and Red Siren, and services-oriented companies like Network Guardian, beTrusted and Big City Networks, among a host of other such players. Other companies in this space include IT services companies that have branched out into security services, such as McKesson Information Solutions, and computing services and consulting firms like Computer Sciences Corp. (CSC). Even the consulting arms of former “Big Six” accounting companies, such as Accenture or BearingPoint, operate security services practices.
Whoever the players in the managed security services business might be, the keys to their operations are:
- A profound understanding of available information security tools, technologies and best practices.
- A strong technical ability to inspect, evaluate, audit and test an organization’s current security posture.
- A wealth of experience helping client organizations assess and measure potential sources of risk and loss, and formulating security policy to mitigate such risks and offset or insure against such losses.
- The ability to design, implement and manage security infrastructures that meet security policy requirements.
- The ability to maintain secure network and system operations, adapt to emerging threats and vulnerabilities, and keep pace with current incidents and events that could pose security threats in real time.
The MSSP phenomenon fits in with numerous other highly technical specialties in which organizations (especially small to medium-sized ones) may not have the resources or the bandwidth to buy or develop the right expertise and experience to address their needs in-house.
Business Benefits Compel Consideration
Of course, there are many reasons why doing business with an MSSP makes good economic sense, especially for small to medium-sized organizations. Chief among these is cost. As already mentioned, it’s very often more cost-effective for such organizations to hire competent security services from without, rather than to absorb the time, cost and effort of developing equivalent capability in-house.
But there’s more to it than that. For one thing, finding competent, security-savvy staff isn’t always easy, and security organizations like TruSecure and the Information Systems Security Association (ISSA) still report a strong imbalance between the number of information security jobs available and the number of competent, qualified people able to fill them. Also, developing the necessary skills takes time and broad exposure before an IT professional is ready to deal with the range of security threats, vulnerabilities and exposures that most modern organizations face nowadays. In short, serious security competence is sometimes easier to import than to cultivate.
Beyond the human resources involved, MSSPs bring other assets to customer engagements. These include round-the-clock staffed security operations centers, careful application of well-defined standards (like BS 7799 or ISO 17799) for establishing organizational security and broad experience with best security practices, procedures and principles. Then, too, most MSSPs maintain a close watch on security news, events and incidents, and are prepared to formulate necessary prophylactic and preventive measures as needed—something few organizations in other lines of work can afford to match. Even more important, arrangements between MSSPs and their customers are usually governed by service-level agreements that not only specify levels of coverage and protection for client organizations, but also often shift liability to service providers. (This shift is a great benefit in spreading the risks associated with potential compromise, denial of service, theft of data or intellectual property and other losses that security breaches can pose.)
Perhaps the most telling argument for hiring an MSSP is such organizations’ familiarity with the practice and enforcement of security. These outfits know what kinds of boundary protection to use (from screening routers and data management zones to firewalls, intrusion detection and prevention systems, authentication systems and more) and how to provide safe connections between sites, for teleworkers and for remote access. Application of the proper tools and technologies can make the difference between safety and compromise or loss.
Choosing an MSSP
The most important aspect of choosing an MSSP lies in understanding the kinds of services they offer and how to make the best use of those services. From this standpoint, it’s reasonable to expect a substantial subset of these abilities:
- Content filtering, anti-virus and spyware/adware protection or filtering.
- Data archiving or backup and restoration as needed.
- Incident management, including emergency response (as incidents occur) and post-incident analysis.
- Network boundary protection, including firewalls, intrusion detection or prevention, and virtual private networks for secure remote access.
- On-site consulting, installation and maintenance services as needed.
- Overall security monitoring and reporting services.
- Penetration testing and vulnerability assessment.
- Assessments of security risks or threats.
Other factors that will weigh heavily on up-front and ongoing costs are whether a security policy has been formulated (and implemented) and how long it has been since that policy was last reviewed and updated. But first and foremost, any MSSP’s ability to deliver most, if not all, of the foregoing services should be a key ingredient in the selection process.
Other key ingredients must include an objective and thorough evaluation of the MSSP’s fiscal health and longevity. (It’s incredibly painful to change providers, so it’s best to look for a strong, long-term relationship.) It’s usually best to manage the MSSP search through some kind of formal RFB/