Managed Security Provider, continued

Service reach and flexibility

When managed security services are sold by network access providers, it is easy to overlook the obvious: are you purchasing a service that's ISP-dependent? If so, is that acceptable? Consider roaming users who require national or international access. Where are your MSP's points-of-presence? Has your MSP joined a roaming alliance like GRIC or IPass? Can your managed site-to-site VPN include international branch offices? What is the impact of doing so on cost and performance?

Drill down to uncover integration issues. What authentication methods are supported, and can they be integrated with your own user database or authentication server? What constraints are imposed on IP addressing, and will you be required to renumber? Ideally, you'd like a managed service that adapts to your business, not one that requires you to adapt to it.

Ease of deployment

Sure, the MSP will install your new CPE firewall or VPN device. But how does your MSP handle hardware and software upgrades? Is your configuration archived before an update to enable rollback? What is your MSP's policy for hardware replacement and service restoration in the event of failure?

Will your MSP also supply, install, and support client software? If you can avoid client software, great. If you can't, find an MSP who provides a user-level help desk and takes steps to simplify client software deployment and configuration (e.g., PC "prep" tools, automated policy download).

How are new users added to your security policy? Make sure your MSP's policy management system provides sufficient granularity, augmented by grouping to reduce churn and improve scalability.

Robustness and performance

It is critical that a managed service be sized to meet your company's performance requirements. Many MSPs offer tiered services. For example, some use different firewalls for small and midsize enterprises; others let you choose between NT or *NIX platforms.

Larger enterprises should seek high availability services that employ redundant or clustered platforms, load balancing, route diversity, and fault-tolerant software. Look for MSPs with redundant NOCs, mirrored data, and diverse local and long-haul transmission facilities.

Some providers back up performance targets with service level agreements (SLAs). SLAs can identify aggregate throughput, latency, and availability characteristics, describe how these are measured, and define penalties for non-compliance. Many ISPs offer SLAs for core network performance; SLAs covering end-to-end managed security are less common. Money-back guarantees (usually in the form of service credit) may not offset lost revenue during a prolonged outage, but can signal whether your MSP actively works to meet performance expectations.

Security policy management

SLAs may also cover other aspects, such as response time and process for implementing security policy changes (e.g., add a new user, change filtering rules). Often, your MSP makes all policy updates. In some cases, your MSP delegates some control, for example, letting you add users to pre-defined groups. In either case, make sure your MSP tightly controls who can make policy changes (e.g., digitally signed work orders, strong authentication for remote policy management). Does your MSP maintain an audit trail to spot unexpected behavior or policy violations? Does your MSP use an encrypted tunnel or private link when making policy changes?

MSPs provide monthly reports that let you see how your security policy is being enforced. Ask for a sample report: does it include incident logs, port scan results, network performance and usage stats, change request history? Look for real-time monitoring and ongoing security advisories that keep your staff informed so they can proactively refine policies and safeguard assets.

Monitoring, policy enforcement, and escalation procedures

If an MSP doesn't provide 24x7x365 monitoring, find another MSP. NOC staff should be watching your managed service at all times, assessing real-time alarms, denied connections, and logged events.

Make sure you understand the procedures your MSP will invoke when a security threat is detected. Identify incident response time, emergency contacts, escalation policy, and containment/recovery strategy in your service agreement. Many MSPs include some emergency response in your monthly tab: know how many hours and what type of expertise you're entitled to. Ask about specialized emergency services, purchased on an as-needed basis.

Security-Readiness of Your Provider's Own Network

One can think of an MSP as a highly specialized Application Service Provider (ASP). As such, you should expect an MSP to employ the same, or better, in-house security practices you'd expect from any ASP. Ian Poynter and Dianna Kelley offered excellent advice on this topic in their Insight column, "Ten Things To Ask Your ASP" (http://tisc.corecom.com/newsletters/29.html). Among the questions they recommend asking: Is your ASP's facility physically secure? Has the ASP's architecture and code been independently reviewed? What is the ASP's disaster recovery plan? How does the ASP safeguard your information from other customers and its own employees? Make sure that, while your MSP is guarding customer networks, it doesn't leave a NOC "back door" open to attack.