Managed Services: A Security Problem and Solution
Almost any IT function can be purchased as a service, even security. We look at security issues posed by managed services, and the shortcut to comprehensive IT security that managed security services providers offer.
Managed services offer companies of all sizes a way to remain current on technology without the need for a huge upfront investment. For IT security pros, they can also present a security challenge – and solution.
A managed service is an arrangement in which a company outsources the ongoing management of some function to a managed services firm. It differs from outsourcing, consulting and SaaS in that it uses a subscription model in which the end user company pays an upfront cost as well as an ongoing subscription fee in exchange for regular maintenance and management. Managed services can address any business function, such as HR, payroll and supply chain functions.
Security concerns with managed services
One of the chief issues companies cite with managed services is security and the potential for data leaks. CIOs and IT managers can mitigate that risk by auditing an MSP’s security practices and protocols, just as you would when outsourcing any critical function. IT should establish a “protection methodology” that outlines what security measures are necessary at each level, including the perimeter, data storage, UIs and APIs.
In particular, IT leaders should evaluate how MSPs manage:
• The software update schedule
• Identity and access management
• Monitoring and audit requirements
• Regular testing and vulnerability analysis
An MSP will have access to critical business data, so evaluate it just as you would a business partner or other insider security risk.
Managed security services: A quick path to comprehensive IT security
Security itself can also be offered as a managed service. It's an approach that's growing in popularity, as it offers a quicker way to get to a more comprehensive security solution without taking on the complexity and upfront costs of doing it yourself. Managed security services providers offer everything from firewall management, intrusion prevention and detection and vulnerability scanning to patch management and incident response.
Gartner considers managed security services a mature market with a core set of services found in most solutions. While the industry is mature, it’s hardly stagnant, evolving with the rest of the security field. The industry is rolling out managed services for advanced threat protection and targeted attacks, among other efforts to keep up with cyber criminals.
Just like other managed services, managed security services offer fixed costs and service level agreements to protect you. There are also additional benefits to using a managed security service, including:
1. 24/7 monitoring and response time
2. Eliminating the ongoing hassle of updating and monitoring security so IT staff can focus on more business-critical issues
3. Addressing any on-staff security skill gaps
Managed security services providers
MSPs that specialize in IT security are called MSSPs, or managed security services providers. An MSSP will typically audit a client’s existing security infrastructure and procedures, then conduct a gap analysis before the engagement. The MSSP should also spend some time learning your business processes before discussing how managed security services could fit into your security landscape.
What is Security-as-a-Service?
Occasionally, the term security-as-a-service refers to a managed security services solution. An example would be an Infrastructure as a Service solution that incorporates full network security into its solution or a managed firewall solution.
More frequently, however, security-as-a-service refers to the solution’s cloud-based delivery method. While the software or hardware functions are delivered via a cloud service, the configuration, management and maintenance still fall on the internal IT department. For instance, many virus protection services are delivered as a service, but require someone on-premises to run updates. Increasingly, next-generation endpoint security solutions are blurring the lines by automating or eliminating some parts of the maintenance.
The bottom line: If you manage or maintain any aspect of the software or function, it’s not a managed service. If the product or solution is completely managed by the vendor, then it’s a managed service.
Examples of managed security services
Managed security services providers offer a wide range of security solutions. Here are a few options that are available as managed security services:
• Compliance monitoring
• Detection and response services
• Endpoint security, including monitoring for attacks
• Intrusion detection and reporting
• Log management and analysis
• Managing advanced threat defense technologies
• Penetration testing
• Virtual private networks, or VPNs
• Web and email security, such as antivirus service and spam protection
Managed IT security services vendors
Companies in the managed security services space include:
• AT&T Network Security
• NTT Security