
IDC VENDOR FOCUS

Can Security Be Managed from a Carrier Cloud?

May 2011

By Dustin Kehoe; Doc # AU634002T Sponsored by Optus

The Internet has transformed business, and the use of technology is a competitive differentiator. Enterprises need to be constantly 'connected', and most organisations are moving from a centralised system, which was easier for IT to secure and control, to a decentralised one that supports an increasingly distributed workforce using more types of devices (e.g., smart phones and media tablets) and Enterprise 2.0 applications. With the rise of the distributed enterprise, IT managers must walk a security tightrope. On the one hand, open systems are allowing users to collaborate more than ever before, and many companies are reporting productivity gains. On the other, IT managers are struggling to keep endpoints as well as the underlying infrastructure secure from external attacks.

Unlike any previous time, these security attacks have reached a new level of sophistication. Cybercriminals are making a very lucrative business of stealing and trading sensitive information for financial gain. At the same time, DDoS (Distributed Denial of Service) attacks continue to demonstrate the ability to slow or crash networks. DDoS has traditionally aimed at bringing down high-profile web sites, such as Australian government sites, retail banks (e.g., NAB), online web portals and credit card gateways. In the past year, DDoS attacks have become mainstream and are starting to target small and medium businesses, which often do not have their own internal IT departments. In February 2011, Arbor Networks reported DDoS attacks in excess of 100Gbps and noted a 1000% increase from 2005. While security attacks are occurring on many fronts, enterprises have difficulty recruiting and retaining skilled staff and staying up to date on the latest security gaps to improve defences. This is driving organisations to look at offloading network monitoring and management, as well as DDoS mitigation, to a trusted provider.

This IDC Vendor Spotlight examines trends and developments in network-based cloud security, which is regarded for its capabilities in securing endpoints and the underlying network infrastructure. It also considers the case for moving security to the cloud and profiles what Optus offers for cloud security through its Evolve Internet service offering.

Complexity in Managing Security Threats

Organisations are struggling to balance the requirements of the distributed enterprise against the constant need to manage and secure systems, applications and the underlying infrastructure. This is often equated to an arms race between hackers looking to exploit any vulnerability to break into a system (possibly to steal and pass on sensitive information) and IT managers who need to constantly review security threats (which are always changing) and amend security processes, policies and technologies. This game of 'cat and mouse' means managing security operations is now resource, knowledge and capital intensive. The volume and severity of threats such as malware, spam, denial of service attacks and data leakage are increasing, and it can also be difficult to integrate software and hardware solutions in time to respond to the latest threats, often driving the need for external IT expertise. A 2010 IDC survey of 300 global enterprises found that 29% of enterprises highlighted the shortage of IT staff as one of the top security concerns. This was followed by the lack of integration of security solutions (27%). Most enterprises use a number of premise-based appliances which are difficult to manage. The IDC survey also found that 17% highlighted 'complexity' as the biggest pain point in managing security operations.

Given the realities of managing security, enterprises spend considerable effort and money managing their on-premise security systems, and this is often done in a reactive, 'firefighting' fashion.

The Australian Security Market

Australia has the largest managed security service (MSS) market in the Asia-Pacific (AP) region holding 38.4% of the market. In 2011, the market is worth $246 million.

Definition of Managed Security Services

IDC's definition of the security operations services market includes managed security services, hosted security services and outsourcing security services. These are subscription-based models delivering standardised and custom security solutions. In more detail:

Figure: Top security concerns, 2010 IDC survey of 300 global enterprises (share of respondents)
Not enough IT staff: 29%
Lack of integration between security solutions: 24%
Complexity of security solutions: 17%
Too many point solutions to manage: 17%
Lack of IT expertise: 13%

Managed security services (MSS). These services offer onsite and remote management of security with 24 x 7 real-time monitoring, protection, escalation, and response processes. Many of the managed services offered include firewalls, intrusion detection services/intrusion protection services (IDS/IPS), and content security. Hosted secure email services are not included in this category.

Hosted security services. These services are delivered to many customers in the same form, where there is little to no customisation. Examples include Web security and messaging security as well as periodic vulnerability testing. Hosted security services typically occur "in the cloud" (ITC), which means that the customer proxies or routes all of a particular application through an external third-party security operations centre (SOC). A customer typically does not have any on-premise equipment associated with this particular managed service. These services include managed email and managed Web content, managed endpoint security, and managed identity and access management.

Outsourcing security services. These services are delivered to each customer on a customised basis. Examples include firewall, intrusion detection services (IDS)/intrusion prevention services (IPS), vulnerability assessment, threat management, and messaging security. Typical outsourcing engagements may include the acquisition of people, assets, and processes.

The Australia managed security service (MSS) landscape is made up of a wide range of providers, and includes:

Pure-play security providers. These providers offer standalone security services only. They do not provide any other related IT services.

System integrators and value added resellers. SIs and VARs offer consulting, integration and managed security services as part of a broader IT services portfolio.

IT outsourcers. Outsourcers offer security services as part of a broader outsourcing contract.

Telecommunications providers. Telecommunications providers offer a broad range of other IT network services in addition to IT security. They may or may not offer professional services in addition to their managed services offerings.

Benefits of Network-Based Cloud Security

Network-based cloud security is gaining acceptance in the market as specialised security appliances are moving from the premise to being embedded into the underlying infrastructure (e.g., switches and routers) with additional software enablement which can be provisioned by the customers and delivered as an end-to-end managed security service. DDoS mitigation, firewalls, intrusion detection and prevention, and spam and virus filtering of emails are good examples of security services that can effectively and efficiently be provided "in the cloud".

Transitioning from CAPEX to OPEX

From a cost perspective, moving security into the cloud environment is attractive for businesses as it essentially eliminates the need for on-premise equipment such as firewalls and other security appliances which have to be deployed and managed individually at each site location. This can become very costly with enterprises that are distributed. Cloud security removes associated costs of security software licensing which tend to have fixed contracts and are complicated to manage. Security software-as-a-service is a key component to cloud security and offers content filtering, and anti-malware which can be provisioned from a standard platform and priced at a per-user, per month rate. Since these platforms are also enabled through self-provisioning tools, IT managers will often find additional savings in labour costs. As illustrated below, a 2010 IDC survey of 300 enterprises found that cost savings, threat mitigation and ease of implementation were the most important drivers when moving to security software in the cloud model.

Figure: Q: Please rate the importance of the following as drivers in your organization's Security SaaS investments (N=300). Drivers rated: Cost savings; Threat environment; Ease of use and implementation; Shifting security budget from a capital expense to an operational expense; Reduction of IT staff; Lack of internal IT expertise; Green IT initiative.

With premise-based solutions, security software is often managed separately in discrete product categories (e.g., messaging, anti-virus, anti-spam, etc). This often means using multiple vendors, each with their own pricing, terms and conditions, which increases licensing costs and management complexity. As a result, enterprises often pay for licenses that they are not using (and sometimes without knowing it).

In many cases security software is bundled, shipped, and sold as one unit with premise-based hardware such as firewalls. This tends to have a much higher unit cost, requires ongoing maintenance and management on the client side, and is less flexible in integrating with other appliances (especially when using multiple vendors) to deliver a Unified Threat Management (UTM) capability. When using premise equipment, enterprise customers will also have to factor in the 'hidden costs' of integrating security appliances into the LAN/WAN environment and additional costs for outside technical support, especially in setting the right security policies.

Public versus Private Networks

Since production-level data and applications are fundamentally only as secure as the underlying infrastructure, enterprise customers need to ensure that the network itself is secure. In doing so, enterprise customers tend to opt for private IP (over the public Internet), given the immediate benefits in security, management and scalability. Unlike public infrastructure, private IP can separate traffic from the public Internet, which by default removes points of vulnerability. VPNs (Virtual Private Networks) further allow organisations to extend secure connectivity across the network to remote offices and users, using encryption and authentication technologies. VPNs create a virtual "tunnel," which allows users to run applications on, and exchange data with, the corporate network. Most organisations will do this either through SSL (Secure Sockets Layer), which allows IT managers to securely connect to internal corporate applications from any Internet-enabled device using a standard Web browser, or via IPSec, which relies on client software installed on the user desktop to authenticate the user and establish a secure connection. Carrier grade network services give customers advantages such as passing traffic between locations securely or creating secure zones within a data centre using a combination of technologies such as MPLS and Ethernet.

Business Continuity and Disaster Recovery

Business Continuity (BC) is the ability to maintain operations in the face of a disruptive event. The cost for unplanned downtime is enormous for most companies. Outages can cost a company millions in damage, loss of brand and reputation as well as customer churn. Some organisations, such as financial services, must also meet regulatory requirements and essentially guarantee continuity of operations as a result of an attack, natural disaster or other event. Given the significant financial implications of an outage, business continuity has executive level attention in most enterprises. In Australia companies must disclose any attack that could have a material impact on customers. Unlike in other countries, this can bring a lot of unwanted public scrutiny to security breaches which would often otherwise go unreported.

Even with the best security posture, attacks or unplanned outages do happen. Disaster Recovery (DR) is the coordinated response of bringing ICT back to an operational state after an event has taken place. Most organisations have a DR plan in place and work on two key metrics which they define: RTO (Recovery Time Objective) and RPO (Recovery Point Objective). RTO measures the time in which a service must be restored after an outage to avoid 'unacceptable consequences' and RPO measures the amount of data that can be lost between back-ups to determine 'acceptable loss.' While BC would tend to focus on issues such as automated remote failover in case of an event, DR would involve daily or hourly back-ups to achieve a rigorous RPO metric.

Cloud security helps to improve Business Continuity and Disaster Recovery through IDS/IPS (Intrusion Detection and Prevention Systems) alongside 24 x 7 network monitoring and reporting. When using a network-based approach, cloud security can also detect and mitigate attacks, especially DDoS attacks, before they reach the customer's perimeter firewall. This means the customer will not suffer any degradation and will often have extra visibility over the types of attacks that are targeting the company. Since network-based cloud providers have visibility over attacks on individual customers, they are in a better position to improve security for all customers, and updates can be distributed to all endpoints much faster than with premise-based solutions.

Profile of Optus's Cloud-Based Security Services

Security as a Service

Carriers across the globe are moving into cloud security, leveraging their network, data centre infrastructure and increased capabilities in security services. As a leading Australian-based operator, Optus provides a very competitive portfolio of network-based cloud security solutions for the enterprise. These solutions do not require the customer to purchase additional premise-based equipment (e.g., firewalls), but work in conjunction with the existing infrastructure. The immediate benefit is that they remove the costs and complexity of managing security operations in-house, with no additional effort on the part of the end-customer. Security-as-a-service requires no capital expenditure and is charged as a monthly operating expense. This gives predictability and transparency in costs.

The Optus Security Software as a Service is based on the Optenet platform and includes:

Web content filtering: blocks browsing by category (e.g., online gaming) and prevents certain types of applications from being downloaded. It also supports whitelists and blacklists, prevents access to certain sites, and alerts the administrator if several attempts to access a prohibited site have been made. Honeypots and other tools are also used to deliver much needed anti-spam capabilities.

Anti-virus: scans all files downloaded for computer viruses, worms, spyware and other malware. Like many leading products, it can also quarantine infected data.

Outgoing spam: prevents mail servers from being used for mass spamming in case networks are infected or have received a Botnet attack. In the Optus set up, IP addresses are invisible to spammers.


IPS/IDS: offers network-based intrusion prevention and detection systems with state-of-the-art event correlation capabilities and Deep Packet Inspection (DPI) to better understand the types of traffic in the network.

Managed firewall: capabilities offering protection of data up to Layer 7 (the application layer). The Optus solution is supported by a roles-based security monitoring and management platform which is customisable for up to four different types of roles in the organisation. It also offers bandwidth management and QoS capabilities to guarantee the continual performance of the network through its Optus Evolve platform.

Protection against DDOS Attacks

In order to respond to the frequency and maliciousness of DDoS attacks, Optus includes DDoS prevention, detection and mitigation based on Arbor Networks technology, which is part of its Optus Evolve offer. As it is a solution embedded in the network, DDoS mitigation can be turned on as a standard feature (as an attack occurs). This solution prides itself on its ability to accurately identify and block malicious traffic while allowing legitimate traffic to pass through. It is delivered as an "in the cloud" service to guarantee business continuity.

The DDoS solution works in three steps:

Detection: Optus builds a baseline of normal traffic levels in the network and searches for anomalies in traffic patterns compared with the baseline. Any differences in traffic patterns (above a certain threshold) trigger an alarm. Based on the customer's IT policy, this will either alert IT staff or activate a DDoS response.

Traffic diversion: If DDoS protection is triggered, an upstream router in Optus's core network diverts traffic to areas which have scrubbing systems for "dirty" traffic. After scrubbing off anomalous packets, the cleaned traffic is injected back into the normal data path to reach the destination in the network.

Mitigation: Mitigation is the process in which attack traffic is "scrubbed," that is, checked via anti-spoofing, anomaly recognition and packet inspection tools, and cleaned to drop bad traffic and allow legitimate traffic through to the same destination.
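To make the three steps concrete, the following is an added simulation (not Optus's or Arbor Networks' code) of baseline-based detection, the policy-driven alert-or-divert decision, and scrubbing by anti-spoofing and per-source rate checks; the traffic samples, addresses, thresholds and abbreviated bogon list are constructed for illustration.

```python
"""Added simulation of the three-step DDoS process described above; all
numbers, addresses and the bogon list are constructed, not vendor data."""
import ipaddress
import statistics
from collections import Counter
from dataclasses import dataclass

# Constructed baseline: inbound Mbps to one customer prefix, sampled per minute
# during a normal period (hypothetical values).
BASELINE_MBPS = [40, 42, 45, 43, 41, 47, 44, 46, 42, 45, 43, 44]

# Abbreviated, constructed list of source ranges that never legitimately arrive
# from the Internet; a packet claiming one fails the anti-spoofing check.
# Documentation ranges (203.0.113.0/24, 198.51.100.0/24) are left out so they
# can act as the constructed "real" sources below.
BOGON_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

@dataclass
class Baseline:
    mean: float
    stdev: float

    @classmethod
    def from_samples(cls, samples):
        return cls(statistics.mean(samples), statistics.pstdev(samples))

    def threshold(self, k=3.0, min_ratio=1.5):
        # Alarm above k standard deviations, but never below min_ratio times the
        # mean: a flat baseline (stdev near 0) must not alarm on tiny wobbles.
        return max(self.mean + k * self.stdev, min_ratio * self.mean)

    def is_anomalous(self, mbps):
        return mbps > self.threshold()

def respond(baseline, mbps, policy):
    """Step 1, detection: per the customer's IT policy an anomaly either
    alerts IT staff ('alert') or triggers diversion to scrubbing ('auto')."""
    if not baseline.is_anomalous(mbps):
        return "normal"
    return "alert-staff" if policy == "alert" else "divert-to-scrubbing"

def is_spoofed_source(src):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in BOGON_NETWORKS)

def scrub(packets, per_source_limit):
    """Step 3, mitigation: drop packets that fail anti-spoofing or whose source
    sends more than per_source_limit packets in the interval (anomaly
    recognition); everything else is passed on to the destination."""
    per_source = Counter(p["src"] for p in packets)
    clean, dropped = [], Counter()
    for p in packets:
        if is_spoofed_source(p["src"]):
            dropped["spoofed"] += 1
        elif per_source[p["src"]] > per_source_limit:
            dropped["rate"] += 1
        else:
            clean.append(p)
    return clean, dropped

def handle_interval(baseline, mbps, packets, policy, per_source_limit=5):
    """One interval end to end: detect, then (step 2) divert to the scrubber
    only when policy allows; otherwise the traffic is left untouched."""
    action = respond(baseline, mbps, policy)
    if action != "divert-to-scrubbing":
        return action, packets, Counter()
    clean, dropped = scrub(packets, per_source_limit)
    return action, clean, dropped

def sample_packets():
    """Constructed interval: two real sources, two spoofed, one flooding."""
    dst = "203.0.113.80"
    return ([{"src": "203.0.113.5", "dst": dst}] * 3
            + [{"src": "203.0.113.9", "dst": dst}]
            + [{"src": "10.0.0.7", "dst": dst}] * 2
            + [{"src": "127.0.0.1", "dst": dst}]
            + [{"src": "198.51.100.200", "dst": dst}] * 12)
```

Running `handle_interval(Baseline.from_samples(BASELINE_MBPS), 120, sample_packets(), "auto")` diverts and returns the 4 legitimate packets, with 3 dropped as spoofed and 12 for rate; at 45 Mbps the same packets pass untouched.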

The Optus approach to DDoS protection improves business continuity through constant detection, and diversion and mitigation when an attack occurs. DDoS protection is priced per Mbps as a monthly recurring charge when selected as a value-added service. Optus also offers advanced reporting capabilities and a single point of accountability.

As a telecommunications provider, Optus is in a strong position to differentiate from stand-alone security providers given its network resources and the sheer scale of its Evolve platform to deliver protection against DDoS attacks as well as other common attacks such as malware and spam through its security-as-a-service capability. The benefit of using a telecom provider such as Optus for cloud-based security is the ability to also have traffic managed and monitored 24 x 7 x 365 with round the clock customer care. Optus Evolve is based on a private network (rather than public infrastructure), giving it an inherent security and reliability advantage, as traffic can be separated from the public Internet; private networks provide the best platform for cloud-based security.

Challenges

Being a telecommunications provider gives Optus a number of unique selling points over pure-play MSSPs, especially when it comes to protecting against DDoS attacks. While products like Evolve work in conjunction with premise-based equipment, many companies will still cling to hardware-based solutions and have other reservations.

Organisations are reluctant to outsource any security functions to an external provider. Many enterprises have preferred to keep security as an in-house function, as they have seen this as core to their business. However, many providers, including carriers, have also drastically improved their security competencies and overall capabilities, some of which has been achieved through acquisitions. Enterprises will have to balance the costs of maintaining security as an in-house operation against the potential benefits of putting this into the hands of a trusted provider. Some enterprises have found middle ground by concentrating in-house security resources on other areas, such as regulatory compliance, as opposed to day-to-day event monitoring. Service providers, such as Optus, have also designed their online portals to keep security rules and policy in the hands of customers.

Moving to a Cloud Security Environment Can Cost More. Enterprise customers do not want to give up existing investments in premise-based equipment or to move too hastily to an OPEX-based model. Too much has already been invested, and the preference for many companies is to 'sweat assets' as opposed to opting for a forklift upgrade. However, these concerns can be mitigated through outsourcing. Some enterprises keen to move to a cloud model have set up arrangements for their provider to take over equipment assets and lease back services on a per user, per month basis. Over time the enterprise gradually moves from a premise-based to a cloud security model.

Conclusion

Cloud security is becoming a mainstream requirement for Australian enterprises. It offers customers the option to move from premise-based equipment to a standard software-based platform that can be provisioned and managed from the network. Given that there are no capital expenses, the set-up costs are very low. Cloud security integrates into any environment and requires no additional effort from the customer. The solution is clientless, device agnostic and enabled only through a corporate proxy.

IDC has previously predicted that telecom providers will play a significant role in providing security services in the network, at the edge, and within the cloud as they broaden their service offerings to their customers. While delivering cloud services from the network is one approach for mitigating attacks, carriers are in a strong position given their network and data centre ownership. Because the network is often the conduit for attacks, carriers have unique capabilities in being able to detect and mitigate attacks such as DDoS and malicious virus attacks at this level through advanced event correlation techniques and deep packet inspection.

Future Outlook

Most enterprises are unlikely to rapidly shift from a premise-based solution to security in the cloud. However, IDC expects vendors of security software or appliances to continue integrating their offers with cloud-based services such as anti-virus, anti-spam, and URL filtering. A robust network-based response will also be very important for countering DDoS attacks.

Budget cuts are influencing new models for managing security. Most IT departments are facing budget cuts and are expected to do more for less. IT managers are under pressure to lower the cost of operations as well as to protect the enterprise from new types of threats such as DDoS, which can best be defended against from within the network. New cloud security offers with monthly OPEX-based pricing are gaining acceptance from the enterprise.

Increases in security threats will need to be matched with automated and flexible responses. With security threats increasing exponentially in terms of frequency and sophistication, organisations can no longer rely on an internal security team alone. Cloud security offers are appealing for their ability to deliver software updates from within the network, which can be distributed faster than premise-based alternatives, as well as to incorporate event correlation to deliver an automated response on multiple levels. Using network-based security from the cloud provides the advantage of placing the network perimeter where it makes sense to the customer.

ABOUT THIS PUBLICATION

This publication was produced by IDC Go-to-Market Services. The opinion, analysis, and research results presented herein are drawn from more detailed research and analysis independently conducted and published by IDC, unless specific vendor sponsorship is noted. IDC Go-to-Market Services makes IDC content available in a wide range of formats for distribution by various companies. A license to distribute IDC content does not imply endorsement of or opinion about the licensee.

COPYRIGHT AND RESTRICTIONS

Any IDC information or reference to IDC that is to be used in advertising, press releases, or promotional materials requires prior written approval from IDC. For permission requests contact the GMS information line at 508-988-7610 or gms@idc.com. Translation and/or localization of this document requires an additional license from IDC.

For more information on IDC visit www.idc.com. For more information on IDC GMS visit www.idc.com/gms.
