Modernizing Authentication — What It Takes to Transform Secure Access
As global IT director at Ampacet Corp., a large chemical manufacturer in Tarrytown, N.Y., Woods has a staff of eight IT professionals who serve 800 employees worldwide. Normally these numbers work, but when MyDoom and other high-profile viruses took down his messaging system early last year, that delicate balance was destroyed.
Woods was forced to outtask the security of his messaging system rather than tax his own IT team to keep up with the threats. Outtasking allows him to offload one duty, instead of outsourcing his entire message system.
''We deem our messaging system to be mission-critical -- it's the prominent source of communication between our user community and our customers," Woods says. "[Virus outbreaks caused] not only a loss of productivity for users, but a lot of lost productivity for IT staff to react to situations. In some instances, we spent days trying to eradicate the worms.''
''Not only did we have to patch the server and scan for viruses, we had to go to the tape media to restore files, then go to each desktop, patch there and identify the corrupt data,'' explains Woods. ''We operate lean and efficiently. I didn't want to say to management that we needed resources to solve this issue.''
The Ampacet team looked for a suitable in-house solution. ''We searched the marketplace for add-on functionality, such as network appliances, but the investment was too great,'' he says. ''We would have to maintain them ourselves and the training and management were just too expensive.''
So Woods chose a different path -- outtasking. While the company maintains control of its Exchange 5.5 servers, it contracts with Equant, a service provider based in New York City, for spam blocking, anti-virus and content filtering. The cost is a flate rate of $2.05 per user/per month. Woods initially started with a pilot project of 100 users, but has since expanded the service to the entire company -- even remote workers.
Equant uses FrontBridge Technologies software to intercept inbound e-mail for customers and scans it for various threats. Alan Simpkins, practice head for IT services at Equant in New York, says off-loading messaging security lowers an enterprise's total risk profile.
''If you never get that e-mail in your network, then the likelihood of having problems elsewhere is lessened,'' he says. ''There's no 'click on this link' to worry about.''
Security experts agree that outtasking from companies like Equant, Postini and MessageLabs creates another level of complexity for IT workers in an already-complex network -- but sometimes it's a necessary evil.
''Filtering spam and viruses tends to be a game of one-upmanship,'' says Andreas Antonopoulos, senior vice president at Nemertes Research in New York. ''As soon as you have a slight advantage, a new generation of spam and viruses comes out. Your only other choice is to spend money on software and licenses and appliances to do this.''
He adds that message security requires constant attention from an IT staff, especially in this era of compliance and regulatory constraints.
''Its not like an e-mail server where you're simply adding and changing users,'' adds Antonopoulos. ''With security, you have to make sure that signatures are up to date and your anti-virus is up to date.''
The biggest problem for IT staff surrounding message security is handling false positives. ''Something may leak through occasionally -- an executive didn't get his e-mail because it's in the spam filter,'' says Antonopoulos. ''With the high volume of e-mail at most companies today, they don't have the resources to deal with these false positives.''
But some experts warn that outtasking could give companies a false sense of security.
''The drawback to these managed services is that if the mail has been delivered through to your server before a fix has been issued for a virus, you could find yourself vulnerable to attacks,'' says Paul Stamp, an analyst at Forrester Research in Cambridge, Mass. ''You still need your IT department at the ready when viruses hit.''
Woods agrees. He says even with the service, his team has been diligent about keeping on their toes and heightening user awareness about viruses.
Stamp says he sees an additional opportunity for message security outtasking.
''So far, these services have mostly been devoted to incoming mail but I can see them starting to look at outgoing, as well,'' he says. ''Companies in high-compliance areas like finance and health care could use these services for intelligent scanning of their mail to make sure that confidential information is not leaving the network.''