Managed Security: Big Business, Big Risk
By Pedro Pereira | Posted 2005-06-28
Customers are demanding managed security services, and VARs are leaping to respond. The service represents a rich, continuing revenue stream, but also potential liability a lot more serious than most VARs are used to accepting.
Security has become one of the biggest ongoing business opportunities in the channel, one that becomes even bigger every time the confidential data of some large company is breached from outside.
A mid-June break-in to the computer network of credit-card processor CardSystems Solutions, for example, set off a week of worry and discussion among end users and security specialists.
VARs are ideally positioned to satisfy the need for tighter security by delivering security architecture, setting strong data protection policies, and installing the necessary equipment and software.
But data protection is a constant, dynamic opportunity that does not stop after the initial implementation. It's not enough for a VAR to build a security architecture and turn a customer loose, according to channel security experts.
Managed security services are the surest way to add the all-important element of prevention to a data-protection policy that covers all the bases, say security providers. But they also put the service company on the firing line, requiring both constant upgrades in service and the careful setting of expectations and phrasing in contracts to avoid excessive liability.
"To minimize risk, a company must truly deliver a proactive service deliverable," said Scott Goemmel, executive vice president at PMV Technologies, of Troy, Mich.
An increasing number of VARs, integrators and service providers are delivering security solutions as a managed service, allowing them to consistently monitor customer security networks and make recommendations as needed. Through managed services, channel companies remotely take over some or all of a customer's IT functions.
"It's much like changing the oil in your car every 3,000 miles and addressing preventive maintenance in advance of automotive failure," Goemmel said. "If you do it, there is a much better chance that the car will perform well."
In providing managed security, it is important that providers protect themselves against any potential liability, which means having the appropriate liability insurance policies, say IT security experts.
The best protection is to stay current on all the new threats and the technology advances to combat those threats. But security service providers must also set realistic expectations with customers and avoid issuing guarantees that they cannot uphold.
"Do your due diligence before you do the contract," said Rob Bisset, product manager at N-able Technologies Inc., in Ottawa, a maker of remote networking monitoring software used by managed services providers.
Security providers should have a lawyer review all contracts, and they should never tell the customer that security is 100 percent guaranteed, Bisset said. Any contracts and service-level agreements with customers should take into account that a firewall or a server could fail, or intruders could gain access via viruses, social engineering or other techniques. Unless the provider has been negligent, it should not be penalized for its inability to quash every possible threat, he added.
Peter Sandiford, CEO of N-able rival LPI Level Platforms Inc., also based in Ottawa, said he has heard of some VARs giving customers 100 percent guarantees, a practice he discourages.
The security provider's role, he said, is about analysis, advice and prevention. Prevention is possible through the alert mechanisms for intrusion detection and other breaches built into Level Platforms' monitoring software, Sandiford added.
Ultimately, he said, security providers must keep in mind what they are delivering is a service in a complex, ever-changing environment. As such, 100 percent guarantees are unrealistic.
Step carefully on security
Synergy Global Solutions Inc., of Amherst, N.Y., has been delivering managed services for a while through its Network Operations Center in the Buffalo area. The company has started exploring managed security, but is treading carefully, said Jose Rivero, Synergy's vice president of service operations.
"We're stepping in carefully because this has really tough implications," he said. "The liability is pretty high."
Regardless, Rivero said, the ultimate decision of what customers do to protect their data and networks cannot be outsourced. The customer makes that decision, and the best a service provider can do is stay alert and give advice.
Vigilance is imperative when it comes to security, said Mont Phelps, a pioneer in managed services who is CEO of Netivity Solutions in Waltham, Mass.
Netivity does 24-hour monitoring from its network operations center for intrusion prevention and detection. "Security is a big part of what we do," Phelps said.
The company never touches the customer data it is securing, wrapping it instead in several layers of protection. If an intruder manages to get through one layer, the next layer should stop him, said Phelps. For example, intrusion detection systems, internal firewalls or strong encryption could continue to make life difficult for an intruder who has gotten past the firewalls guarding the network edge.
"It's a battle out there," he said. "What was good enough yesterday isn't good enough today. Tomorrow there's going to be another attack, and it isn't going to stop."
To ensure Netivity is delivering the appropriate level of protection to customers, Phelps said the company has its systems constantly checked by outside auditors. In addition, Netivity engineers have to stay current on new threats and technology advances, he said.
Brian Wiser, senior vice president of sales, North America, at distributor Ingram Micro Inc., said managed security and managed services in general present a great opportunity for VARs seeking a recurring revenue stream.
"These services could easily represent $3,000 a month or even up to $30,000 per month," he said. "Managed services is about selling a perceived value of uptime or a worry-free environment. VARs simply need to find out what it's worth to their customers to take the load off them."
Not having to worry about network downtime, viruses, troubleshooting mishaps and general maintenance is a valuable service customers know they need, Wiser said.
And with every high-profile security breach, such as the recent MasterCard incident, more and more customers understand the seriousness of the need for security.
The threats never go away, and even the biggest Fortune 1,000 companies can be brought down, said Level Platforms' Sandiford.