5 Tips for Buying Managed Security Services

 Executive Summary:

Managed security services have never been more popular, especially among small-to-midsized businesses (SMBs). Many SMBs faced with Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley (GLB) Act, or Sarbanes-Oxley (SOX) Act compliance have turned to outsourced security services. But managed security services can be difficult to implement if you're not adequately informed or prepared.

Here are five essential tips that can help SMBs determine whether and how to add managed services to their IT portfolios. I tell you about five managed security services that provide the greatest value for the majority of SMBs and identify a couple services that might not make the best sense for the typical SMB. I also give you specific questions about each service to ask potential service providers.

Tip 1: Choose the Right Managed Security Services
Choosing services that line up with your stated business objectives and available resources is key. For example, yours might be a small company with a limited IT staff facing HIPAA, GLB, SOX, or other compliance requirements. In this situation, you might be better off outsourcing the compliance scans than trying to buy the equipment and hire the staff to perform the scans yourself.

I've identified five managed security services that might make the most sense for the majority of SMBs and two that might not be such a good idea. Keep in mind that while certain services might be a great fit for a midsized-to-large firm, they might not be applicable or useful for the SMB.

Malware protection. Viruses and spyware have the potential to affect almost every computer, especially those connected to the Internet. Most SMBs have some form of anti-malware application installed. Yet, many SMBs still wrestle with viruses and have a difficult time keeping virus software updated and, worse yet, eradicating infections within their networks. Managed malware protection ensures that your anti-malware software from Symantec, McAfee, or other vendor is always up-to-date.

Some practical questions to ask potential service providers include: How often do you update your software, and do you update virus definitions automatically? How often are systems scanned? Might those scans affect my company's unique applications? Compatibility testing might be necessary.

You should also ask what happens if you do get a virus. Does the provider notify you, and will it eradicate the malware for you? What happens if the provider can't remove the virus? In some cases, you might have to rebuild systems yourself if the service provider can't resolve the problem, although some providers might offer to do this for you. You should take a careful look at how the service fits with your recovery plans.

Spam protection. Spam can be overwhelming, especially to the SMB. Many network appliances are available to mitigate the effects of spam but often require constant tuning and management. Outsourcing spam protection to a service provider can be a valuable exercise. For example, Google's Postini offers a completely offsite solution with no hardware footprint. All your email is routed through its servers and processed before being delivered to your email server.

Some things to keep in mind when looking at outsourcing spam control are: How much control will you have over the email filtering process? Will you be able to enact a policy change fairly quickly?

False positives (i.e., emails that are legit but are flagged as spam) are a concern with antispam solutions. Antispam software and service providers aren't likely to provide you good data on their false positive rates. And even if they did provide data, each company's users have different mail patterns and characteristics, so a provider's average false-positive rates might not hold true for your company anyway. Thus, you might ask a service provider if it can set up a test during which your incoming email continues to be sent to your normal email server while also being copied to a second stream that flows through the service; such a test will let you review the service's performance before cutting over to it.

Whether a provider can perform such a test or not, find out what kind of reporting is available to you. You'll want to see what types of emails are being flagged as junk to help minimize false positives yet maximize junk mail identification as the company continues to tune the service for you. You might also want a service that lets users review their individual junk mail for false positives and customize their own white lists and/or black lists.

The service provider will be processing all your email, so you might want to ask about its availability record and what happens if the service does go down. Also, you might want to know about the measures the provider has in place to secure your data and what the company does with it once it's been processed for spam.

OS patch management. The ubiquity of Microsoft OSs has created a target for those that wish to exploit software vulnerabilities for maximum effect. Staying up-to-date on Microsoft patches and the vulnerability status of systems across your network can be challenging. Managed patch deployment services such as those offered by Lumension Security's PatchLink remotely install patches for you and identify unpatched systems.

Important questions to ask include: How are patches deployed? Is the deployment automatic? Is it seamless and hidden from the users, or do they have to perform some action (e.g., click Yes)? What sort of testing can or should be done on my systems to ensure compatibility before a patch is rolled out? What happens if a patch breaks my system? What’s the rollback process? How do you handle reboots—can they be scheduled or are they automatic?

Remote backup and disaster recovery. If you work in a doctor’s office or legal firm, you have lots of sensitive and critical data that you need to have long-term access to. Managed offsite storage services provide an effective means to automatically back up critical data to secure remote locations. This allows you access to that data during a disaster scenario (large or small).

Some important questions for the provider to answer are: How secure is my data? Is it stored on servers in racks and cages separate from other companies' data? Is it backed up from your site? How easy is it to retrieve my data during a recovery—can I restore it remotely, do I have to call someone to get approval? What are the recovery times? Are they guaranteed? Are you involved in the restoration, or are you nothing more than a remote repository? What sort of reporting mechanism is available to see how my backups are progressing? Can I test the backup and recovery processes?

Compliance scans. Many security service providers offer compliance scans that can be one-time or recurring events in which your network is scanned for vulnerabilities. This activity can help you comply with HIPAA or GLB requirements. What is most important about these scans is what you plan to do about the vulnerabilities detected. Can the provider help you mitigate the risks identified? Hopefully, yes.

Although many managed security services are available these days, not all make sense for the typical SMB. A discerning SMB should select only those services that are consistent with its business goals and IT objectives. A couple of services that might not be a good fit for many SMBs are firewall maintenance and monitoring, and intrusion detection system (IDS) or intrusion prevention system (IPS) log management. Every SMB should have a firewall to protect its Internet connections. However, as an SMB, your firewall is probably relatively unsophisticated and doesn't require much maintenance or monitoring, so you likely don't require a management service for it. IDS/IPS, particularly at the host level, adds a layer of complexity not appropriate for most small businesses. Without an IDS or IPS, you obviously have no need for a service that manages its log.

Tip 2: Choose the Right Provider
Make sure the security service provider knows your industry. If you have HIPAA compliance requirements, ensure the provider is HIPAA qualified. The same goes for GLB, SOX, and so on. Look at how focused the provider is on managed security services—is its solution just one of many products or is it integral to the provider's core business? What’s the provider's growth potential? Is it a forward-looking firm that stays on top of the trends?

Find out about the provider's security practices and what it will do to protect your data. One good question to ask is whether the company can show you a Statement on Auditing Standard 70 (SAS 70) report. An SAS 70 review conducted by an independent auditor shows that the provider has been found to have satisfactory controls and safeguards in place for handling its customers' data.

You'll want to make sure that working with the service and the provider is simple and efficient. Try to determine how difficult it is to implement the service and how much of your time it will take. Does the implementation involve a lot of downtime? What sort of rollback plan does the provider have if the service proves to be unworkable for you? Ask for references, and talk to a few current customers to see what their experience has been with the vendor. Check with the Better Business Bureau. Find out how the provider invoices—yearly, monthly? You don't want a paperwork nightmare. Finally, try to stick with just one or two providers for simplicity's sake.

Tip 3: Pay Attention to the Contract
The devil is always in the details, and the contract is your opportunity to flesh out all those details that could make the difference during a stressful security breach or restoration.

With an anti-malware service, it's important for the contract to stipulate how often the provider will update its software and perform system scans. The contract should also outline the provider's response plan in the event of a security breach such as a virus outbreak or a successful hacking attempt. Know what your role will be and whether the provider will have onsite support available if needed.

A spam protection service contract needs to spell out the message log storage size limit, quarantine storage size limit, number of users, and so on. That way, if you suddenly grow your business, you know you need to upgrade your service to accommodate the additional email.

The contract for a patching service should tell you when patches will be installed. You might wish to have a test phase of some sort before patches are deployed en masse; the contract should spell out how this will happen. The contract should also address how reboots will be handled. You might want to notify users before a reboot is necessary, or you might prefer automatic reboots. How will you be notified about folks who haven’t rebooted?

In the case of a backup and restore service, the contract should address the roles and responsibilities of both parties. It should spell out how quickly the provider will respond when you initiate a restore and what will happen if a restore doesn't work. Does the provider have an escalation path for you to follow? Also, does the vendor need your permission to perform certain tasks (such as a restore)? Make sure you get these details in writing, and make sure you know what the provider can't or won't do.

For a compliance service, the contract should specify how often a scan is performed (monthly? daily?) and what the provider will do when it identifies a vulnerability.

From an overall perspective, is the service level agreement (SLA) flexible for your specific needs or is it a canned contract that leaves you no ability to customize it to your requirements? Are all requirements (for both parties) clearly documented, and do you understand your own responsibilities? How easy is it to get out of the contract if you don’t like the provider's service? Are you locked in immediately, or is there a trial period? For example, if you pay a year in advance, do you get any of your money back if you quit the service?

Tip 4: Examine the Reports
Reporting is a crucial aspect of managed security services. Trusting someone else to handle aspects of your business is a big step. Ensuring that they're doing what they say they will is important, and robust reporting on a regular basis is necessary to ensure accountability. Can the provider show you what it's doing? How often do you get reports, and are they meaningful?

Tip 5: Do the Math
Before you sign a contract, be sure that a managed service makes monetary sense. Does the quoted price seem fair, and does it work for your budget? Does it compare favorably with what you'd pay to buy the equipment and hire someone to perform the task?

The responsibility and liability for securing your business can never be outsourced. When you contract for a managed security service, you're outsourcing certain tasks related to securing your organization, but you're still ultimately responsible for your organization's security. Managed security services are simply tools to assist in meeting that goal.

Managed security services’ popularity has never been higher. Yet implementing these services should never be done off the cuff. Careful consideration as to how a provider fits into your business plans is crucial. Use the tips outlined above to make an informed decision, and choose only those services that are consistent with your business strategy.