Securing what is sacred to a business takes more than just a new program -- it can be a full-time job, which at times is better left to the experts.
But managing security can be a big headache, and it can be easy to get wrong, especially when basic perimeter security is not enough. Attacks from inside the business are growing and the complexity of the business environment is changing with globalisation. The ability to work remotely, and new technology being designed to link aspects of operation, raise new issues for what was once deemed a simple procedure.
An unprotected firewall can open up thousands of doors for hackers wanting access to your business operations, and spam is constantly being slammed for the thousands of employee hours it can cost each year. Add to this the growing issue of lost business due to down-time, and the ethical issue of keeping your clients safe, and it becomes easy to see why security is no light topic.
Frost & Sullivan analyst James Turner says one of the main reasons the nature of security has had to change is that hackers are becoming much more money-hungry, and extortion and identity theft are becoming a lot more common.
"As capitalism consumes the world, the hackers are coming around to the market's way of thinking and they are looking for their own piece of the action," Turner says.
"As a result, we are going to see an increase of law enforcement on the Internet. Companies are not only going to have to be secure for their own sake, but secure so they can adhere to the new ways of doing business."
So in an effort to erase anxiety, the high cost of security training for IT staff, and company liability, more and more companies are looking to managed security service providers (MSSPs) to manage all or part of their security processes for them. Analyst firm The Yankee Group estimates that by 2010, 90 percent of security operations will be outsourced -- in the US at least.
Services can range from patch management for a particular product, to management of your network's entire security architecture. The companies that we spoke to for this article offered services in the following areas: network intrusion detection and prevention, host intrusion prevention, vulnerability assessments, patch management, firewall and VPN management, and e-mail monitoring for protection from viruses and spam.
Lorenzo Modesto, general manager of MSSP Bulletproof Networks, says a complete outsourced security solution will start with the infrastructure. "You will generally hand this out depending on the skills set and infrastructure you will, or won't, already have in-house," he says. "Managed network security is about prevention -- locking things down so that the managed security provider is not having to chase holes in your system all the time. This is why you start with what is physically there, then determine what requires outsourcing."
The service itself, he says, is all about managing this infrastructure: putting out alerts at times when weaknesses can be found, monitoring how well the infrastructure is working, tuning false positives, and preparing an incident response when a security breach is made.