This piece is excerpted from a larger FAC/Equities report on Managed Service Providers that includes coverage of providers outside the security field. Click here for a copy of the full report, in pdf format.

For a list of security MSPs compiled by FAC/Equities, click here.

The four management cornerstones of the new "eEconomy" - Connectivity, Security, Availability and Performance - are in place, but they are unsteady because they depend on users' successful implementation of licensed software. The outsourced management services that MSPs provide span a broad range of technology functions (see Figure 1). In FAC/Equities' judgment, the MSP plays a critical and previously unfilled role within the management solutions provider marketplace by taking responsibility for implementation and operations out of the hands of the user community.

MSP Services


IP, ATM, PSTN, Frame Relay, Wireless


Load Balancing, Cache, Bandwidth Management, Provisioning, Policy-based Management


Access Control, Encryption, Firewall, Authentication, IDS, Anti-virus, Content Protection


Application, Network, System, DBMS, Reporting, Analysis, Planning, Fault Management

Source: FAC/Equities

FAC/Equities expects the MSP community to include services firms focused on individual management functions as well as those supporting multiple functions with specialized services, ranging from low-level commodity services to highly differentiated and high-value strategic consulting on infrastructure architectures and design.

By 2001/2002, META Group expects some 35% of its Global 2000 customer base to deal with at least one MSP, and by 2002/2003, to have multiple MSP relationships, procuring services focused on specific infrastructure management activities. Many of those relationships will develop as a result of an interaction with a third party (e.g., with a member of a supply chain or other trading network).

Many small- to mid-sized companies will purchase the entire portfolio of enterprise infrastructure management services available from MSPs. Others will selectively outsource their infrastructure management efforts, procuring relevant services as needed to address a specific function or range of functions in their environment. As a result of those efforts, META Group estimates that the worldwide MSP market will be $10 billion by 2004.

Traditionally, to obtain the software to manage infrastructure, organizations purchased software based on a perpetual license: a company bought the software based on the number of users, servers or some other metric, then installed, and ran the software. In that context, the customer organization owned the software outright and had to upgrade and maintain the technology.

Extracting the value in the software in this manner has become problematic for many companies. Traditionally, corporate success depended on the ability to innovate constantly, execute at high speed and be adaptable to changing processes and services in the business. eBusiness changed the equation by adding the same innovation, execution and adaptability requirements to the underlying technologies.

Companies working with limited financial resources, limited ability to find, hire and keep experience employees, pressures to speed up innovation, and the need to maintain focus on their core businesses naturally have begun to turn to MSP organizations. The MSPs are more efficient and effective implementers of management solutions and minimize the initial costs associated with license acquisition and customization.

Second, buying, installing, owning and updating software is a headache that many organizations do not want. Organizations have begun to use outsourcers to enhance, supplement or take over critical parts of running and maintaining their networks.

The selective outsourcing of communication, systems, application and DBMS management infrastructure software has become a critical part of infrastructure management. Combined with a trend toward recentralization of networks and other technology assets (servers, applications, and storage) MSPs are finding a sharper focus for both internal and external service-based management initiatives.

Figure 2

Outsourcing Rights and Wrongs

META Group lists a number of factors that have been identified as being critical in driving users to implement outsourced services.

Outsourcing is right for the company when:

  • There are not enough qualified people to maintain critical business functions
  • The company wants to save on initial hardware and software expenses
  • There is an emphasis on the predictability of costs
  • It is difficult to ascertain scalability requirements
  • The company needs to evolve rapidly in order to meet demands of a changing market
  • The company needs to free internal staff from fire-fighting to concentrate on mission critical projects While there are many reasons companies will utilize outsourcing components, outsourcing is not for every organization.

Reasons a company may decide not to utilize outsourcing include:

  • The company wants to maintain hands-on control
  • The company has an appropriate number of IT staff
  • Customization is a key element of the future growth of the network
  • Control of the network provides a competitive advantage

Source: META Group & FAC/Equities

Figure 2 identifies some of the qualifying criteria customers use to determine which applications/projects and people will be "outsourced."

Security Services Providers: Solving the "Confidence" Problem
Security is a critical element of the eEconomy. It provides ebusiness participants with the confidence that:

  • their internal networks are safe
  • transactions will be completed in a confidential manner
  • they are conducting the transactions with known counterparties, not impostors
  • the entire transaction environment will be reliable and free from disruption or attack.

In a mature e-business market, all networks must work together to form a secure and cohesive network. There is an increased awareness that the enterprise's network must be protected from outside attackers, but also limit its internal vulnerability. Additionally, trust becomes of the utmost importance as companies execute transactions on intertwined networks with suppliers, partners, customers and employees. As a result, authenticating who can get into the network, where someone can go once they are in the network, and allowing different levels of connectivity and services are all essential elements of competing in the ebusiness environment.

FAC/Equities expects organizations will become liable for security breaches that occur if they compromise any part of the security of the overall process. Ignorance will be treated the same as negligence, and an insecure network that compromises another network will be held responsible. All these factors create an environment where companies would like to outsource the management of security capabilities and hand off their responsibility to expert outsiders.

We see security service providers focusing both on services and consulting. Consultants offer services consisting of:

  • Creation of security policy and security plan
  • Security assessment and audits
  • Network security architecture consulting
  • Implementation of secure networks

To create a pure secure network, a company must establish a policy framework that includes the risk, policies and enforcement criteria that will be enforced within and around the organization. To maintain this there must be a day-to-day security administration process, enforcement of the implementation process, and audit procedures including intrusion detection, attack simulation and internal and external policy reviews.

While this sounds reasonable, the ability to set up, monitor and enforce security policies is a major burden for organizations. In order to alleviate the daunting task, numerous companies are providing consulting services, and finding that the demand for offering continuing management security for part or all of the network is increasing.

According to the META Group, the major reasons users cite for using security service providers are:

  • Provide more effective security
  • Eliminate the need to construct a secure facility
  • Eliminate the need to maintain large dedicated security staff
  • Free internal staff to perform other business critical functions
  • Leverage the collective knowledge and experience of the security service provider
  • Ensure technology is updated and maintained regularly

Currently, one of the fastest-growing segments of the MSP security segment is the management of the firewall thoughout an organization. A firewall service provider maintains an organization's firewall architecture, including updating and configuration with other firewalls. It also monitors security on a 24X7 basis and stays on top of new security threats., among others, provides this type of service.

An adjunct activity is the management of VPN (virtual private network) services. VPNs offer significant cost savings for organizations implementing widespread remote access capabilities. For these savings to be realized, however, effective management of these complex networks is an absolute requirement. Not only does the VPN firewall need to be maintained, but all remote users need updated client software and access to local numbers to access the network.

We also see the demand for managing secure authentication services becoming increasingly important. The growing popularity of PKI (public key infrastructure) is driving many companies to implement this new authentication tool. However, PKI involves the issuance, cancellation, revocation, authorization and validation of potentially thousands of digital certificates while maintaining a certificate authority to run the process. Access control also falls into this area as outsource services will monitor and control access to specific services throughout the network. These are other crucial areas where help is needed and we see managing PKI services, other authentication services and access control becoming increasingly attractive to ebusiness operators.

Another invaluable part of maintaining the security of a network is the process of continuing to audit and assess the security of a network through intrusion detection technology and virus control. However, this process consists of a never-ending battle with new hackers and viruses. Organizations are looking for service providers focused specifically on this area to keep up with the security risks that are present.

Pricing of Security Services
Pricing in each area varies greatly based on the service, level of support and process to be monitored. VPN services start at about $1000 per month based on the number of dedicated sites, amount of bandwidth usage and the number of dial-up users covered.

The pricing of authentication and access services is based on number of users, but it can also be based on number of transactions. Charges for virus control, intrusion detection and audit are also based on the number of devices, number of users and the level and frequency of monitoring needed. We also see the growing trend of combining services into a full package for total security that can be priced at $100,000 per month or more.

Within the managed security services there is an opportunity for the traditional outsourcing vendors to take a share of the market, but we think there is also a significant opportunity for vendors that are specifically focused on this space.

In addition to managing the security aspects of a network, there will also be strong demand for the whole eBusiness transaction process to be secure. This service is relevant from the time someone is signed up as a user to enact a transaction on line through the authentication, bill recording, notarizing and posting of the transaction to a database application. The whole process defines the "life cycle" of a transaction.

The lifecycle of an etransaction performed over a secure transport includes

  • Enrollment - automatically letting people into the infrastructure
  • Sign-On - single sign-on to all applications, with roaming capability through a number of different authentication devices
  • Transaction selection - getting to the right application and gaining access
  • Transaction Confirmation - eliminating the risk of repudiation
  • Transaction Payment - billing and collecting for service
  • Transaction Submission - data are protected and privacy is maintained
  • Transaction Receipt - time stamp allows permanent receipt, of value to all parties involved, used as a permanent record.

To successfully implement eBusiness transactions they must be easily deployed and transparent to the end user and be rapidly deployed at a low cost. Currently there are several companies providing technology and/or services addressing specific parts of the etransaction process. However, there is a growing demand for the entire process to be taken over and delivered as a bundled service. There are only a few companies addressing the etransaction process and offering a complete solution. We think e-transaction services will be a major area of growth and identify Verisign and Valicert as leaders in defining this new area.

Potential Barriers and Obstacles
According to META Group, there are several potential barriers to MSP adoption. From a customer standpoint, the issue of data ownership may be critical. In many cases the data generated by the tools the MSP uses are owned by the MSP, forcing a customer to pay additional fees to access data generated from its own systems in an ad hoc manner. FAC/Equities and META Group expect customers and MSPs to negotiate their way through this issue, however.

While many MSPs are startup vendors today, META Group and FAC/Equities expect many "established" product and services vendors to launch MSP initiatives - some by acquisition (e.g., BMC Software/Evity) or by spinning out MSP business units (e.g., Computer Associates' iCan ASP, Inc.). All market entrants have to prove themselves, however. FAC/Equities notes that the recurring revenue streams generated by MSP operations will provide good visibility, but for an established software supplier, the stream of revenues without initial license fees will have a negative impact on license revenue growth rates.

Customer companies will not have direct access to the management technologies and pro-cesses and, lacking internal expertise, will be putting themselves in the hands of the MSPs. FAC/Equities and META Group both think that while those factors may limit early adoption, the trade-off between time-to-value and up-front cost/expertise, will ultimately drive MSP success.

Matt Barzowskas and Damian V. Rinaldi are vice presidents with FAC/Equities. Barzowskas can be reached at or (617) 228-3512. Rinaldi can be reached at or (203) 428-4027.

Registered users: For a full copy of the FAC/Equities MSP report in PDF format, click here.

For a list of security MSPs compiled by FAC/Equities, click here.

More information is available on request. First Albany Corporation and/or an affiliate may make a market in any or all of the above securities, may have been an underwriter and/or placement agent of these companies' securities within the past three years, may hold a position, long or short, or in aggregate over 5% of the outstanding shares, and may have an employee who is on the board of directors of any of these companies. In addition, the analysts covering these companies may have investment positions in them and options may also be available. The material herein, while not guaranteed, is based on information believed reliable and accurate. It is not to be deemed an offer or solicitation on our part with respect to the sale or purchase of any securities. Our corporation or its officers, directors, or stockholders, or members of their families, may at times have a position in the securities mentioned and may make purchases or sales of these securities while this report is in circulation. Should you have any specific investment questions, please contact your First Albany Investment Executive. Our corporate office is located in Albany, NY - Phone (518) 447-8500. ©2000 First Albany Corporation, Member New York Stock Exchange, Inc. and other principal exchanges