Managed Security Services for RealBy Pedro Pereira | Posted 2007-10-31 Email Print
Opinion: Some may remain skeptical about managed services overall, but managed security is no myth.
Discerning myth from reality in the IT space often is confounding. That explains why, despite the publicity enjoyed by the managed services model in recent years, some skepticism remains about its promise.
But it is waning. And some of that is in proportion to the rate at which reality is setting in about the model's challenges and obstacles to success.
Undeniably, however, the managed services business is growing, and one significant area of growth is security. According to research firm Gartner, the North American managed security services market hit $500 million in 2006 and is expected to expand this year by nearly $100 million, or19 percent.
MSSPs (managed security services providers) perform remote monitoring and management of such security tasks as virus and spam blocking, intrusion detection and prevention, virtual private network management and Web-content filtering. As part of the services, MSSPs also handle modifications, updates and upgrades.
Despite the psychological barriers one might expect a company would face in transferring the responsibility to secure its network, or parts of it, to a third party, an increasing number of organizations are doing just that.
Security is a top priority. Network security vendor Astaro, of Burlington, Mass., said 70 percent of respondents in a recent survey expressed concern with preventing unauthorized users from getting into corporate networks and viewing confidential data. Seventy-two percent said that keeping an overview of potential security weak points will be the biggest challenge for IT departments in the next five years.
The concern is understandable. A security breach earlier this year involving TJX Companies, owner of discount retailers such as TJ Maxx and Marshalls, compromised the confidential data of some 94 million credit cards. A group of banks has sued the company in federal court, accusing it of negligence. Plaintiffs claim the company had been warned of inadequate security.
Two years ago Visa and American Express dropped CardSystems Solutions as a credit card processor after a breach that compromised about 40 million cardholders' data. CardSystems no longer exists.
Securing networks and data is not an option, and the government has enacted stringent regulations to ensure it is taken seriously. As the pressure increases, though, more and more corporations have concluded they simply do not have the in-house skills to reliably protect data.
Security requires a specific set of skills to handle the equipment and applications employed in protecting data and securing access to it, and leaving the responsibility to IT staffers that can address it only on a part-time basis is too big a risk.
The technology itself also poses a challenge for many organizations. It gets expensive to implement and maintain the necessary hardware and applications. MSSPs present an alternative to budget-tight organizations by delivering the services over the Web from facilities known as SOCs (Security Operations Centers), built specifically to monitor and manage security technology.
Solution providers face challenges in delivering managed security similar to those affecting their clients or prospective clients. Providers struggle to find the requisite skills among job candidates, and building an SOC isn't cheap.
A viable option for providers is to partner with an MSSP such as Perimeter eSecurity, of Milford, Conn., one of the pioneers in this space, and British Telecom's Counterpane. Or they may opt to engage with vendors such as Symantec and Cisco Systems, which have managed services programs for their partners.
Just as the need for IT security is very real, so is the managed security services model. It is the best option for a growing number of corporations that need to secure their data, and as such, it presents the channel with a significant opportunity.
Pedro Pereira is editor of eWEEK Strategic Partner and a contributing editor for The Channel Insider. He can be reached at firstname.lastname@example.org.