Security ASPs: Are the promises real?

Application service providers (ASPs) have been touted as the answer to future corporate computication. Broadly speaking, ASPs are organizations that remotely host software applications and enable access to those applications on a "pay per play" basis.

Many of the benefits of using an ASP are easy to identify: rent vs. buy; installation and update savings; and a level of application-specific knowledge that most corporations would be hard-pressed to maintain or support internally. This industry has potential -- even if not fully realized, as Fortune reports.

New to this market are ASPs that focus specifically on security. Security ASPs can offer some real advantages over the hit and miss protection currently maintained in most corporations and government agencies. The hitch is -- not yet.

The good news & bad news

Lets talk about e-security and the ASP model. The good news is that large corporations are taking e-security out of the back room and funding security support as a front line imperative. Industry projections emphasize this trend. Market researcher International Data Corporation (IDC) projects the market for managed security services to grow to $2.24 billion by 2003 and also expects the market for content security to grow from $66 million in 1999 to $952 million by 2004. Frost & Sullivan, another research firm, values the 1999 European Internet security marketplace at $489.9 million and predicts it will reach $2.74 billion by 2006.

The bad news is that the ASP model and e-security don't equate. Accessing security applications offsite (with the possible exception of PKI due to third party support) for transmission, confidentiality, information, or intrusion security doesn't match today's infrastructure requirements. Instead, security software, appliances, hardware, and telecommunications infrastructure are an inside out affair; not visa versa. Unfortunately, ASPs themselves are currently in the same reactive security mode as are other industry sectors. That is, they're reactive, subject to intrusions, DOS attacks, virus infections, malicious code violation, and other destruction brought on by an ever-growing cracker community.

So even as money becomes available to promote a fledgling security ASP industry, a transformation in the ASP model is needed... and it's coming.

New security ASP: The MSP

Welcome to a new version of the pure "apps-on-tap" ASP model particularly suited for security services -- managed services providers (MSPs). These vendors provide services from another direction. By installing and maintaining an integrated portfolio of security software and hardware that's pre-selected and integrated, MSPs help firms avoid difficult point installation and security system integration. Add to this the MSP's charter to maintain and update this integrated protection matrix and the MSP model makes a lot of sense. Since funds are more available for these services, a whole new security market is budding.

A few caveats are in order when considering an MSP for security services in what is now a brand new security marketplace. Since online and internal e-security is now such a critical component to organizations' survival, these perspectives are a must.

1. Check for brand name; it's important for security software components, hardware appliances, and MSP vendors.
2. Check MSPs' backgrounds in terms of longevity, security industry reputation, and track record. This is imperative if relationships are to last into the long term.
3. Be sure to introduce security services incrementally. That's far better than an "all or nothing" acquisition process.
4. Be sure to fully clarify contractual requirements and responsibilities prior to signing onto a service. These "R&R's" must be reviewed by both senior IT security management and senior corporate executives. In-house IT security personnel must understand the how and when of an MSP relationship in order to effectively oversee corporate security.

MSP outsourcing features

Although an evolving model, MSP security services currently comprise 1) gathering information about, auditing, and performing vulnerability analysis on the security infrastructures currently operational within an organization, 2) making recommendations or installations to enhance or upgrade current capabilities and to close vulnerabilities, and 3) installing monitoring software that returns vital data (e.g., log files) to MSP security operations centers. Rather than outsourcing applications, MSPs enable outsourced security monitoring, management, and expertise for applications executing within networks.

Unfortunately, MSP outsourcing capabilities are just developing and amount to component-based offerings at this stage. While early entrants are beginning to claim end-to-end security outsourcing, that wide service range refers primarily to the small- to medium-sized corporate market.

MSP early entrants

Early players in the security MSP industry include subsidiaries of well-known organizations as well as some players without pedigree but that offer best-of-breed products.

MyCIO.com, a wholly owned subsidiary of Network Associates, Inc., markets a wide range of security services including audits, policy development, intrusion detection, PKI, vulnerability assessment, SOC operations, monitoring, virus detection -- all integrated with Network Associates, McAfee, PGP, and Sniffer credentials. As a January, 2000 startup with 130+ employees, the company reports over 1,000 business subscribers but admits the majority are small to mid-sized firms.

JAWS Technologies Inc. was an early MSP security entrant in 1999, and reports a full range of managed services including firewall and virus management, authentication, security product integration, PKI, secure transactions, professional services including assessments, attack and penetration protection, and incident response. This Canadian company's website reflects the newness of their security services: a full list of managed services has yet to be posted, according to Roger Davies, JAWS' North American Western Region Director.

Ernst & Young started their MSP e-security venture, eSecurityOnline.com LLC, in June 2000 to initially focus on corporate infrastructure vulnerability analysis. While this service is just one MSP security component, Ernst & Young's 1,200+ IT and security consultants touting of eSecurityOnline's developing services to clients worldwide should underwrite further service rollouts.

A new market -- but here to stay

Plan on seeing several best-of-name, best-of-breed, and best-of-services security MSPs starting up in the immediate future. Since this market is so new, most entrants will depend on best-of-name parent relations or integrated best-of-breed products to promote their services. Due to the complexity of security technology and technique as well as the escalating security threat, value add for large to enterprise-level firms will be integration, expertise, and 24x7 oversight.

Don't plan to subscribe for end-to-end security MSP services immediately. Do plan for many security service options and pricing alternatives within the next 12 months.

Dr. Martin Goslar is principal analyst of E-PHD.COM, an e-security research and analysis firm. He is also on the editorial board of the International Journal of Electronic Commerce and can be reached at Comments@E-PHD.COM.