Too late, many companies are finding that there’s more to Internet security than slapping a firewall on their T1 line. Protecting your corporate knowledge is critically important, but it also requires expertise and time that you might not have. Can your IT staff provide an effective security program to prevent unauthorized access to your corporate data? Or should you outsource your Internet security to an ISP that is set up to provide the monitoring that you can’t? Here are some answers.

When should you consider outsourcing?
“If your business has had the luxury of the time to put a good security capacity in place, and if you have the technical expertise, obviously it’s more cost effective to run it internally,” said SRA International’s security guru, Tony Valletta, vice president and director of control, communications, and intelligence. “Or are you like the majority of companies that are now realizing you have all this great information technology and, by god, you’d better start thinking about how to protect your assets, or you’re going to be subjected to a whole bunch of naughty things?”

Mike Martucci, vice president of marketing for WatchGuard, a security outsourcing vendor for small and midsize businesses, says that a lot of small companies and telecommuters have simple security policies, but as their complexity grows, so does the need for outsourcing. “I always come back to the security policy,” Martucci said. “If it’s not a complex policy, you probably can do it yourself. But as the complexity increases, you dedicate a person or more than one person to this, and your costs rise. It begins to look more attractive to spend $800 a month or whatever [to an ISP] to say, ‘take over control of this box, create a policy for me, update and monitor it, and give me the reports.’”

What are your Internet security options?
Valletta suggests you might want to start out by outsourcing, then build up a capability and bring it back in-house. “At least do something,” he urges, “whether you do it internally or externally.” There are three options for IT managers to consider:

Do-it-yourself security. Can your staff assemble all the right components of a security system and put them into place? This assumes you have the in-house expertise and the number of staff to ensure around-the-clock surveillance. That is a big assumption for some companies, Valletta suggests. Also, according to Martucci, “If you think you have a somewhat savvy person on staff, take a close look because we would bet [he or she’s] a network manager and not a security expert. Network managers spend a lot of time configuring Ethernet cables and that kind of thing, but you ask them questions like how do you set up your security policy, should your HTTP proxy be on or off, or what kind of VPN do you want, and they give you blank stares. Now you have to make an educational investment. But does he have the time to be a security guy?”

Subscription service. With this option, you buy a package that includes a dedicated network security appliance to implement a security policy, and an integrated suite of security software. This enables you to have sophisticated security products to protect your network while managing your own Internet security. Then, through the vendor’s Internet-based subscription service, you can get advice and ongoing information to keep you updated. Martucci said, “We send you software updates and threat responses. Like when the Melissa virus came out, we had a team of experts whose sole job was to look at new security threats and urgently send you an update to your firebox to protect you. We’re sending it to you, but you have to read it and update the firebox yourself. It’s a service, but at a minimal level.”

Total outsourced security. If you decide you don’t have the security expertise on staff, you might want to go with a comprehensive, fully outsourced Internet security service from your ISP, assuming your ISP has the data center, network, back-office systems, and the expertise to support your security needs. Your ISP may provide several services, including:

  • Installation of software with security and management features
  • Support for customized security appliances at your site
  • Software updates and threat responses
  • Monthly reporting

IT staff expertise and availability
“You have to decide if you have the security expertise on staff and whether or not you want it,” according to Martucci. “It becomes a financial analysis. The PSInet service is something like $795 a month; you’re not going to hire someone for that,” he said. “Another issue is that security is around the clock, seven days a week. So it’s not one person you’re looking for, it’s two or three because you’re going to need some shifts.”

“Some systems or network administrators feel like their turf is being invaded when someone else manages a piece of their infrastructure,” said David Bovee, product manager of managed security service at WatchGuard. “I’ve encountered systems administrators who manage the telephone systems, and all of the servers and clients. They dictate the acceptable use policy for the company. They manage the antivirus, the business database, and all the other things. Well, one person managing all of this is an equation that equals trouble. It means something is going to get missed somewhere. When you’re talking about security, things get missed.”

“Once I did a firewall installation for a network administrator,” Bovee said, “and he was one of these people who didn’t want to relinquish control of any part of his network. So, he tried to retain that control and, in doing so, he missed a critical piece of his perimeter infrastructure. He ended up being hacked at one of his peripheral sites, which—because of his lapsed security policy, which he had no experience writing—resulted in a hack of his entire company. He had to rebuild 40 client systems in addition to his server.”

Integration of technologies
Another issue to consider is how you integrate new technologies into the platform. “You need to ask potential security vendors, ‘Does outsourcing affect my ability to implement new systems I’ve written or purchased? What are you going to do when I add applications, homegrown or off-the-shelf? If I have to add or change applications, will I be able to do it, or will I get charged an arm and a leg for you to do it?’” said Tim Landgrave, president of

Integration certainly should be a concern, but you should be able to find solutions with your outsourcing partner. According to Martucci, “An ISP will work with us to design the right system for your needs. So putting together the right security package is a big time-saver. We make sure everything you add to the package works with the rest of it. That’s all out of your hands now.”

Design of a security policy
“Boy, is it a headache to make a security policy, manage it, and keep it current. Big, big job, and it takes a lot of experts to do it,” according to Martucci. “One of the advantages you get by outsourcing security is that the ISPs will design your security policy for you. They’ll interview you about your business practices, and then they’ll fit that into the policies and technology they’re going to apply for you to make it happen.

“A security policy is all the rules about how the people in your company will behave while on the Net. Who is allowed to come in (by name, department, branch office, or by IP address), where they’re allowed to go, what services they can get, what files they can get to, what time of day they might be able to come in, who’s on a VPN and who’s not? All these rules have to be designed and need to be written down. They should reflect your business practice,” Martucci said.

Policy changes: How often do you need to update?
“Most security experts recommend you update your security policy, at a minimum, two times a year. And really big e-commerce companies do it more often than that,” Martucci said. “When policy changes are required, the outsourced service provider can effect the change for the company, thus minimizing the risk that a mistake is made,” said David Bovee, product manager of managed security service at WatchGuard. “When you’re talking about using a firewall to access the Internet, a mistake will also affect other servers that the business has, so it could interrupt service to the customer. Most companies, if they make a change on their firewall and it happens to be a mistake, may not recognize right away that they’ve affected access to business customers.” He says that “an inexperienced IT staffer may make a change to the company’s firewall policy on Friday, go home at 5:00 P.M. and be out of range of his pager, and all this time the Web site is inaccessible to the customer.”

Keep your security system on guard with regular reports
“The only way you know your security system is working for you is when you actually create a report and evaluate it for inconsistencies, errors, or anomalies,” Bovee said. “Most service providers typically produce a report at the end of the month which can be customized for the customer’s requirements.” However, Landgrave cautions, “Be sure they will distill all that information and provide a report that’s intelligible for you, the customer, not just one that contains IP addresses and numbers.”

Proactive notification is critical, according to Landgrave. “I don’t want a report that tells me someone stole my data last week. I want to know if and when an attempt is detected, and I want to be notified that someone attempted to get in using this set of credentials, and they tried these 15 passwords. And I want to know they were shut down.” Landgrave used an example from a few years ago when a small ISP in southern Indiana had two Russian hackers attempting to break into the system for two days. “Because there was no proactive notification, the hackers eventually shut down the entire business. It took them days to get back up and running,” he said.
If you want to read more on the topic of security, you’ll find more by doing a search on TechRepublic. If you have a comment, please post it below. And if you want to share a story idea with us, please send us a note.