Last week, I discussed the Computer Security Institute (CSI) survey results and a recent warning from the National Infrastructure Protection Center (NIPC). I pointed out that 27 percent of the people that CSI surveyed said they had no idea whether they had suffered intrusion, which is reflected clearly in the NIPC warning that discusses dozens of e-commerce site break-ins and subsequent extortion attempts against those sites. The bottom line is that many companies simply don't have the skill sets in house that they need to keep their systems reasonably secure.
This security-skills lack is both typical and understandable—and in most cases, comes down to money. Top-notch security administrators don't come cheap. Security professionals spend a lot of time and effort honing their skills—far beyond the efforts of an average network administrator—and they deserve to be paid well for the expertise. Obviously, many companies can't afford full-time security professionals, and often, their businesses suffer the consequences. But there's a reasonable alternative to this dilemma: managed security services (MSS).
MSS provides an excellent solution for businesses that either can't afford in-house security professionals or simply don't want the overhead of managing their own security infrastructure. In addition, MSS providers can add a lot of value that you might not be able to afford otherwise, such as 24x7 network monitoring.
Most MSS providers offer three basic services: firewall and intrusion-detection systems, VPNs, and periodic risk assessments. Typically, these providers assess your risks and needs, help you learn how to tighten your internal and external security, install and configure any required security-related hardware and software, routinely assess your ongoing risks, and administer any custom security-related configuration needs as they arise. In a nutshell, an MSS provider serves as the security arm of your existing staff.
Two years ago, MSS providers were difficult to find. Today, they're crawling out of the woodwork. I did a quick search for "managed security" at Google.com and found more than a dozen MSS offerings on just the first three pages of search results. I noticed in the search results that most major network carriers offer their own MSS solutions, so if you're already using a major carrier, such as PSINet, you might want to check their offerings; they might offer existing customers a discount.
Other notable companies offering MSS solutions are
I briefly inspected each company's offerings and found that Ubizen (based in Belgium, with offices in the United States) has quite a package to offer. For example, Ubizen offers a secure payment service, a Web-based notary service, and something I found really interesting in light of the NIPC warning: Web application security. Be sure to check it out.
One of the greatest benefits of using MSS is the MSS provider's collective knowledge; a provider can use the knowledge gained protecting one customer to protect all customers. If you think your company can't afford reasonable security solutions, I suggest you look at MSS. FastNet offers MSS starting at only $295 per month, which is probably less than you spend on lunch during a given month.
MSS offerings are becoming more popular as time wears on. I expect this trend to continue to grow into a red-hot market segment. Take a look at MSS providers—they might be your security solution. Even if you already have in-house security administrators, consider the added value of using an MSS provider to supplement your existing infrastructure. However, as with any security-related issue, don't take things at face value. Be sure to research an MSS provider before placing any trust in its hands. Until next time, have a great week.