Computerworld

Safe and sound

Securing access, networks, documents, PCs, from internal and external malcontents, hackers and ignorant or stupid users, challenges even the calmest IT exec and while everyone wants to know the whole system is safe, few want the day-to-day responsibility. Enter managed security services: hand over the problem to a third-party to manage the technology and take care of the problem. But no, wait, says the board, it's too critical to give to strangers!

And it appears that this belief may hold sway, depending on whether you ask an analyst or a provider. Hydrasight analyst Michael Warrilow says uptake of managed security services (MSS) is slow not only in Australia, but globally as well.

Additionally, he says the definition of a managed security service can vary considerably and this adds to the confusion.

"Examples of successful MSS, in the purist sense, are managed e-mail services such as MessageLabs and managed gateway security for federal government departments (such as DSD-certified gateway services like Macquarie Telecom, CSC and CyberTrust).

"If the definition is expanded, examples of MSS might include IT outsourcers and ISPs."

However, talk to James Scollay, MessagLabs Asia/Pacific vice president, and he'll tell you the adoption rate in Australia is increasing rapidly. "In the last quarter alone there was a 47 percent increase in the number of local companies adopting MessageLabs' services over the previous quarter." And the trend of adoptees is changing, he says, from the legal and finance sector frontrunners - where nine out of the top 10 law firms used the provider's service - to SMBs.

"Today, adoption is broadbased across different sized companies and industries; small IT teams choose to selectively outsource security.

"In most cases MSS can give them enterprise-level solutions at a small business price," Scollay said.

For SMBs particularly, using MSS can take the pressure off a small IT staff. Warrilow says MSS allows separation of duties and gives operational security with economies of scale. "It frees up IT staff to focus on other issues and also provides an increased level of governance because IT administrators do not hold all the power."

With technology changing at a spine-chilling speed, knowledge and infrastructure upgrades solely for security purposes can be out of reach of many companies' budgets, not just SMBs, and this is where MSS vendors can provide extra benefits.

Scollay says this means that customers can access infrastructure and a knowledgebase that can not be generated internally.

"For example, MessageLabs focuses on messaging security in e-mail, IM and Web and offers SLAs that guarantee 100 percent virus protection, 95 percent spam and 100 percent service availability."

It also delivers a lower, total cost of ownership, as e-mail use increases, costs remain the same and reduces the need for internal staff, because e-mail is kept outside the organization, he said.

However, to get the most out of using MSS providers, companies need to do their homework and use service level agreements. Without a clear definition of roles, excellent reporting and proper contract and relationship management, customers can feel as though they are paying for a service they need to manage themselves, Warrilow says.

Scollay backs this up, saying that companies needs to look for maturity in service offerings, scalability, strong SLAs, referencability and proven outcomes.

Page Break

But it's individual services, rather than comprehensive solutions, Warrilow says, that form a large part of the uptake.

A changing threat landscape with more and more multi-vector attacks, and companies looking for solutions with a single point of control and visibility will drive this even further, Scollay says.

"MessageLabs is seeing a distinct trend towards organizations wanting a broad multi-protocol based solution rather than multiple point solutions."

Scollay says changes to the threat landscape will also drive further development in MSS as will other emerging technologies, like instant messaging.

Web-borne threats are an increasing source of concern and Scollay said MessageLabs has recently expanded its managed security services to protect organizations.

"[Our] analysis has recently seen more evidence of spammers employing spyware to make their campaigns more effective, as well as 'link following' to automate download of malware or spyware and by offering Web security to clients we can keep emerging threats away from our customers' networks."

The fragmentation of the market makes provider comparisons difficult, according to Warrilow, who says CyberTrust and MessageLabs are the most viable providers at this time.

But whether the market will show any surge in the immediate future again depends on who you ask. Scollay says the market is growing rapidly, due to the increasingly complex threats that demand specialized solutions and because MSS providers have a proven track record that customers can trust.

Warrilow says there is no single standout provider of MSS at this stage and sees the market as immature so far and says it will remain so unless IT organizations choose to adopt MSS, the surge in e-scams of all sorts may be beckoning more players with Symantec and Telstra subsidiary Kaz teaming up last month to offer managed security services.

David Sykes, managing director of Symantec Australia, said the changing security landscape, combined with hard-to-find security experts, is leading to a rise in managed services. The partnership will offer managed desktop antivirus, e-mail gateway security and secure Web content filtering, 24-hour incident response and fixed-price agreements based on three-, four- and five-year contracts.

In Southeast Asia where broadband uptake is gaining heat Cindy Sim, an analyst at Singapore-based AMI-Partners, says wider adoption of broadband Internet connections creates an opportunity for local Internet service providers to offer hosted services, particularly managed security services. This has already happened in some Southeast Asian markets, such as Singapore and Malaysia. "If the ISPs don't offer it now, they will offer it pretty soon," Sim said.