UNDERSTANDING THE CHALLENGES AND BENEFITS OF MOVING TO A MANAGED SECURITY SERVICES MODEL

N/A
N/A
Protected

Academic year: 2021

Share "UNDERSTANDING THE CHALLENGES AND BENEFITS OF MOVING TO A MANAGED SECURITY SERVICES MODEL"

Copied!
12
0
0

Loading.... (view fulltext now)

Full text

(1)

UNDERSTANDING

THE CHALLENGES AND

BENEFITS OF MOVING TO

A MANAGED SECURITY

SERVICES MODEL

Organisations are struggling to design, deploy and manage IT security in an environment that is becoming increasingly complex and mobile. Managed security services offer the potential to simplify the process and quickly strengthen defences to meet emerging threats or changing business practices.

ALVEA Services™ is experienced in helping organisations reduce the cost of protecting their IT, without the need for major capital investment or deep technical knowledge. It understands the crucial role of IT security and why outsourcing is a big decision.

RISING THREATS AND TIGHTER BUDGETS REQUIRE A RETHINK ON OPERATIONAL DRIVERS AND SECURITY SPENDING

INTRODUCTION

It is easy to understand why, even with tighter, recession-hit budgets, spending on IT security has remained resilient.

The consequences of a security breach in terms of reputation damage, regulatory fines and lost business can be astronomical. Take for example the breach of Sony’s PlayStation network in 2011, in which hackers gained access to personal information such as names, birth dates, emails, passwords and usernames of 77 million customers.

The network was offline for two months following the massive hack and Sony executives estimate the loss of trade and reputation could cost the company around £110 million – although that figure does not take into account the damage to the Sony brand and longer term customer confidence.

It is not just big brands or global companies that offer a target for cyber criminals. Small businesses are often more vulnerable to cyber security attacks than their larger counterparts.

Criminals attempt to exploit weaknesses in the supply chain by targeting smaller companies to infiltrate larger partners and affiliate organisations. By addressing its own security, a small business is also protecting its commercial relationships.

THE RISING COST OF SECURITY

The vast majority of UK businesses are still struggling with IT security. According to the 2012 UK Information Security Breaches survey by PwC, over the last year 93% of large organisations and 76% of small businesses have suffered some kind of security breach.

Meanwhile, firms have not been idle against the rising threat. Organisations continue to spend a significant amount on security defences, with PwC estimating an average current spend of around 8% of IT budgets. However, the threat is not receding, with around half of the survey respondents from large organisations expecting to spend even more on security next year. Even with significant spending, the survey, which questioned representatives from around 500 organisations, indicates that two thirds of large organisations expect an increase in security breaches next year. The experts at PwC suggest that most serious security breaches are due to multiple factors, which include human error, weak processes and poor technology.

Computer frauds, data losses and regulatory breaches, together with hacking attacks, were most likely to result in a very serious breach. The report also pointed out that a root cause is often a failure to invest in educating staff about security risks.

Nearly three-quarters of organisations that had a ‘poorly understood security policy’ had staff-related breaches. Worse still, just over half of all small businesses do not have programmes in place for educating employees about security risks.

A CASE FOR OUTSOURCING SECURITY

The data suggests that breaches are increasing while rising IT security spend is failing to counter the threat. In response, should organisations start thinking about shifting IT security into a managed service or outsourced model to reduce the risk?

Cost is usually the main argument for outsourcing. The financial burden of hiring, training and keeping security expertise and technology up to date is substantial. It is generally considered to be significantly less expensive to hire somebody else to do it on behalf of an organisation. To give an analogy, organisations do not run their own generators to provide electricity, as the “outsourced” power station and national grid are much more cost-effective.

IT security monitoring needs to be constant as attacks can happen at any time of any day. Having 24 x 7 x 365 coverage, complete with a rapid response team on standby, is not cost-effective for anybody other than the largest of organisations.

IT security is a moving target that requires organisations to keep highly paid information security professionals sharp with constant training.

If the cost of people is already high, add in the expense of buying and maintaining the physical IT security hardware, software, and processes that help to protect organisations and it becomes hard to justify the bulk of IT security spending remaining in-house.

FADING FEARS

Although many organisations are increasingly outsourcing elements like email and payment processing, IT security has still tended to remain an in-house activity. Concern over allowing third parties access to sensitive data or systems is often the primary issue.

The reality is that employees themselves pose a far greater risk than external organisations that are dedicated to information security. The influential annual Data Breach Investigation Report suggests that internal agents are responsible for 17% of breaches whilst externally managed security providers do not even register as a source for breaches across the entire report.

Other fears, such as IT managers outsourcing themselves out of a job and cultural issues around loss of control, may initially play a part in resisting a move to managed IT security services. In reality, the IT manager’s time is then freed up to concentrate on more business-critical elements rather than high-maintenance, time-consuming ‘housekeeping’ chores.

It is therefore important to note that initial fears of outsourcing are quickly outweighed by the benefits of cost reduction and service enhancements once they are fully understood. It is clear that there is a major shift towards acceptance of managed security services by organisations of all sizes, across a multitude of industry sectors. This is reinforced by Gartner, who predicts that the managed security service provider market will grow to accommodate the demand. It estimates it will almost double in size from $8 billion in 2011 to around $15 billion by 2015.

The changing landscape of in-house, managed services and mobile users, combined with emerging technologies, is making defining and maintaining a security stance increasingly complex, especially for companies that do not ‘live and breathe’ security.

The rise of mobile phones, instant messaging, social networking and software-as-a-service has clouded the boundary between the organisation, partners, customers and staff. Over the last decade, organisations have embraced staff using their own personal devices for work activities. However, the use of diverse devices in turn requires information security professionals to constantly evolve and update controls.

Capital and operational expenditure costs are always a significant issue. Upgrading even simple elements, like firewalls, to next-generation equivalents that deal with social networking traffic is a substantial but necessary overhead for many organisations. Even with provisions in the IT budget for security, all departments are facing cuts in the face of the recessionary environment and IT departments are being forced to do more with less. The result is that managed services are starting to become more attractive.

On the technology side, IT security vendors have spent the last few years developing tools that allow managed service providers to deliver services that mirror customer requirements. Any security concerns associated with using an external managed service provider have also been addressed as security measures such as secure networks, VPN, encryption and compliance are widely adopted by these third party providers.

SELECTING A MANAGED SECURITY SERVICES PROVIDER

Unfortunately, picking a managed security service provider is not like choosing an electricity supplier; the selection criteria and evaluation process are far more complex. Aside from cost and the list of features, the most pertinent differentiator between service providers is adherence to standards and audited ability.

Standards

Probably the most impressive is the ISO 27001, which is an Information Security Management System standard that evolved from the British Standard BS7799 for managing information security. ISO 27001 is used in conjunction with other standards from the ISO 27000 family, such as the ISO 27002 that contains additional audit guidelines. ISO 27001 is often seen as comparable to SAS 70, which is an auditing standard run by the American Institute of Certified Public Accountants.

SAS 70 is common in the US and starting to spread to Europe but it is not a general stamp of approval to guarantee that everything is secure and that all procedures are perfect. Even an audited SAS 70 provider can choose what they want audited, so it is good practice to ask for a verifiable testimonial from at least one current customer. Just relying on the logo of a well-known brand on a website is no indication that that customer is still in receipt of the service or satisfied with current service levels.

Another major standard is the Payment Card Industry Data Security Standard (PCI DSS), which was created by credit card companies, including VISA and MasterCard, to ensure that data is secured when handling credit cards. Even though it is the merchant payment service provider that needs to be PCI-certified, the standard also applies to physical facilities such as the datacentre. This includes access control, surveillance, procedures for visitors and a limit to who has access to the equipment that handles and stores transaction-related data.

If your business is going to be engaged in online sales, then PCI compliance is a good idea. Also, according to the latest Verizon Breach Report 2011, organisations that are PCI-compliant are much less likely to suffer an IT security breach.

It is also vital to ask questions about where your data is stored. Who owns the servers, racks and even the datacentre? How secure is the datacentre itself? What certifications does the datacentre hold for data and physical security? Some providers tend to be vague about these questions, especially if they are co-located or worse, located in a jurisdiction with different privacy laws to those of the customer.

Creating a shortlist

Before getting into the specifics of the technical infrastructure, it is wise, just as with any other supplier, to understand the business as a whole, its pedigree and the people you will be dealing with. Even creating a shortlist can be a daunting task. One starting point is industry groups. The Cloud Industry Forum (CIF) has created a Code of Practice for Cloud Service Providers that covers organisations offering customers remotely-hosted IT services of any type. These services include, but are not limited to, multi-tenanted services accessed via the Internet.

Organisations claiming compliance with the CIF code need to conduct an annual self-certification and confirm the successful results of this to CIF to receive authorisation to use the CIF self-certification mark for the following year. These self-certification claims are listed on the CIF website (www.cloudindustryforum.org). Optionally, an organisation may choose an independent certification performed by a certification body approved by CIF, and will then receive authorisation to use the more robust ‘Independent Certification Mark’ for the following year. CIF also conducts spot checks and randomly audits self-certifications as well as investigating any formal complaint of non-compliance against an organisation claiming compliance with its code.

MANAGED FIREWALL – A TOE IN THE WATER

Every single organisation that has access to the Internet needs some form of firewall protection, and somebody to set up, monitor and manage this critical gateway. In the event of a security incident, organisations will need to analyse firewall logs to quickly identify the cause of the issue. They should then interpret the results and undertake remediation to minimise the possible damage and prevent further risk. This often takes a whole team of experienced individuals to accomplish.

Managing firewalls is time-consuming ‘bread and butter’ work for information security professionals, which can often make the task a good test case for switching to managed security services.

Managed firewall services provide the equivalent of a dedicated in-house manager or department and typically offer the features of larger best-of-breed vendor products such as Check Point. The service provider delivers a centralised management function and VPN capabilities to allow manageable site-to-site and remote access. A typical service can scale from a single branch office to a global deployment that adheres to consistent corporate security policy. A managed service will include hosting the firewall hardware in a carrier class environment or placing it on the client site and managing it remotely. In either case, the service takes care of the replacement of faulty hardware, management of firmware revisions and applying the latest security patches.

In what is often called a ‘security-as-a-service’ offering, all hardware, software licences, configuration, policy creation, maintenance, support and on-going management are supplied as part of the service, with no need to purchase any of the products outright. This allows organisations to use only operational expenditure budget (OPEX) for security infrastructure, and to benefit from the elasticity of service-based security.

The primary advantage of using a managed firewall service is that customers can implement a tailored perimeter security service, managed by security experts, with very little up-front cost and without the higher OPEX associated with maintaining additional in-house security expertise.

MANAGED SECURITY GATEWAY – THE NEXT STEP

Assuming that moving to a managed firewall has been a success, the next step for many organisations is a fully managed security gateway. These services have much in common with a managed firewall in terms of capital expenditure reduction and expertise, but offer additional granular options to protect against different types of threats.

As a minimum, a managed security gateway service includes both firewall and VPN software, delivered on a hardware security appliance. The range of hardware available ensures that organisations can scale to meet traffic volume.

Added to the base services are additional security service modules which can be purchased at the start of the contract, or easily added as and when necessary any time during the term of the service, depending on individual security and business requirements.

• A firewall module will secure management of applications, protocols and services over a network. The service will typically combine access control, authentication and encryption to guarantee the security of network connections over the public Internet.

• The next most common add-on within a managed gateway is the IPsec VPN module to secure connectivity to corporate networks for remote and mobile users, branch offices and business partners via sophisticated site-to-site VPN and flexible remote access.

• With the massive rise of mobile devices and teleworking, organisations often add secure mobile access modules. These provide enterprise-grade remote access via SSL VPN for simple, safe and secure mobile connectivity to email, calendars, contacts and corporate applications on smartphones, laptops or PCs.

• The majority of managed security gateways will also offer proactive security such as intrusion prevention and detection systems that aim to prevent attacks. These systems generate alerts prompting security response teams to investigate the event and take action.

• Other security add-ons such as Anti-Virus protection, Data Loss Prevention and email and web content services are also available to offer complete gateway protection.

THE IMPORTANCE OF A SERVICE AGREEMENT

In order to identify key services and processes required to meet the needs of the business, it is standard business practice for managed service providers to offer a Service Level Agreement (SLA).

The quality of the SLA is often a deciding factor in winning and retaining customers. It is important not to confuse an SLA with a service contract however. An SLA is a list of quantifiable targets and goals while a service contract is a description of what you pay for and what minimum service you will receive, for how long and at what price. For example, the service contract will define how many devices are under management or the type of encryption technology that the service will use. Defining an SLA is a significant step that aims to align the technology and service platforms with the business goals.

When setting up a managed service, a service account manager will invariably sit down with representatives from the customer’s organisation to discuss business requirements and service capabilities. These representatives may well span different areas of the business such as IT, finance, compliance or even operational groups that have specific requirements.

From this discussion, the provider will draw up an SLA that will include service descriptions, delivery points, service availability, support and escalation procedures. It is the responsibility of the managed service provider to ensure that the customer fully understands all of these aspects of the SLA.

Reports

Once an SLA has been accepted, it is critical to put mechanisms in place to capture service delivery data to validate that the service has been delivered as agreed. The reporting element provides peace of mind and also a basis for discussions between provider and customer on how services can evolve to meet business requirements. Reports typically include problem exception reports and systems availability stats and should be viewed at least on a monthly basis.

WHERE TO GO FOR HELP

Even though the majority of the emerging managed services are offered by large single source providers, many small and medium businesses prefer to outsource their IT processes to trusted third parties.

In many cases, these value-added resellers, independent IT consultants or even mid-sized managed IT service providers will have a much better understanding of the customer environment, as well as experience in implementing security and related business continuity solutions.

Before rushing into any managed service, it is always recommended that organisations talk to these trusted IT suppliers, who can provide an impartial assessment of the service’s strengths, weaknesses and overall value for money. In many cases, these same trusted advisors might well have complementary services, system deployment skills and management expertise.

ALVEA Services has a partner community of both large and small IT service providers across the UK. These are organisations that offer a wide range of solutions from multiple vendors and can provide a full consultancy and support service. ALVEA Services partners can also offer practical advice on how to protect critical business infrastructure based on a wide variety of budgets.

ALVEA Managed Services have been designed to be managed by these trusted third parties and as a business grows or its needs change, ALVEA Services can adapt with it. Flexible SLAs are supported by experts based at the ALVEA Network Operations Centre, which operates 24 x 7 x 365. ALVEA Services also comply with ISO 27001 to ensure they meet security best practice as well as complying with ISO 9001 to deliver quality management standards across its operations.

ALVEA Services has also been validated under the Cloud Industry Forum ‘Independent Certification Mark’ scheme.

THIS WHITE PAPER IS FOR INFORMATIONAL PURPOSES ONLY AND MAY CONTAIN TYPOGRAPHICAL ERRORS AND TECHNICAL INACCURACIES. THE CONTENT IS PROVIDED AS IS, WITHOUT EXPRESS OR IMPLIED WARRANTIES OF ANY KIND.

© COMPUTERLINKS UK LTD

Contact ALVEA

w: www.alvea-services.com e: [email protected] t: +44 (0)1638 569 889

Contact Check Point

e: [email protected] t: +44 (0)1638 569606
