
ISP-Planet Survey: Managed Security Service Providers
This survey is intended to be representative, not
exhaustive. It can serve as a starting point for any ISP thinking about
purchasing or providing Managed Security Services. However, a survey
like this cannot hope to capture the most critical dimensions of Managed
Security: breadth and depth of security expertise, provider experience
and track record, and ensuring a good fit between customer and provider.
Today, dozens of providers offer security-related professional services,
ranging from initial penetration testing and vulnerability assessment
to incident response and network forensics. In between lie a multitude
of managed security services, including managed firewall, VPN, anti-virus,
intrusion detection, and content filtering services. The common thread?
In each offering, the entire security solution, from hardware and
software to provisioning and monitoring, is owned and operated by
the service provider.
In mid-2000, ISP-Planet surveyed commercially-available managed security
services, posting
our results here. Since then, many readers have contacted us, asking
about new providers and services. As a result, we decided to repeat our
survey. We invited 50 providers to complete a brief questionnaire about
their managed security services; half responded in time to be included
in these results. Our intent was not to build an exhaustive list, but
rather to sample today's managed security services. If your favorite provider
didn't participate in this year's survey, let us know; we'll be sure
to invite them next year.
Participating providers
Managed security service providers are a diverse lot. Some are traditional
ISPs, adding premium security features to network access services. Others
are professional services organizations, morphing into service providers.
Some are security vendors that have spawned or acquired a managed care
business unit. Still others are brand new ASPs, created expressly to capitalize
on the security services market. But you can see it all for yourself on
the Participating Providers Chart.
There's been a good bit of change since our initial survey in late 1999.
Noteworthy players like PilotNet and the Salinas Group have gone under.
According to Jason Wright, author of Frost & Sullivan's report on U.S.
Managed Security Services, "MSS is not as easy as was once thought." Nonetheless,
Wright expects the market to expand from $165M in 2000 to over $2B by
2007.
What motivates an enterprise to outsource security? According to Steve
Hunt, Giga Information Group, "Companies may avoid the capital expenses
by letting outside providers own some of the equipment. Good security
staffs are difficult to find, and most companies have not elected to train,
develop and retain security expertise in-house. For those reasons, leveraging
the skills and personnel of an outsourcing vendor is very appealing."
Wright also cites increasing network complexity and use, economies of
scale and scope, and highly publicized security failures as market drivers.
Of course, outsourcing security involves risk. Jim Reavis, Chief Marketing
Officer at Vigilante, warns "Don't look at managed security service providers
as a panacea. Evaluate them very carefully, stay involved and active,
and watch what they're doing." Reavis suggests that customers examine
a provider's business model, funding, experience, and references. Restraints
to market cited by Wright include customer unwillingness to relinquish
control and disbelief in provider competence. Clearly, this is a business
where building a reputation matters, big time.
As an increasing number of companies enter the managed security services
market, we expect to see consolidation. Many of the providers we surveyed
offer a broad spectrum of security services, often through partnership.
Others have expanded their reach by acquisition; for example, Guardent
recently purchased DefendNet. "I think this is going to be an oligopoly
market," said Mark Hangen, ISS. "A small number of large-scale managed
security service providers will remain in the end."
On the flip side, we also see the emergence of narrowly focused security
specialists like Counterpane Managed Security Monitoring and Foundstone
FoundScan. Reavis predicts that independent niche players may ultimately
be more successful than those offering broad services. These providers
don't claim to do everything; they aim to do one or two things very
well, without the product bias one expects from resellers.
We chose to focus our survey on providers that secure enterprise networks.
Thus, we did not include management service providers like LoudCloud,
SilverBack, eManage.com, and CenterBeam that provide secure hosting and
infrastructure only at colo facilities.
Managed firewall services 
There are many ways that one can slice the managed security service "pie."
Frost & Sullivan segmented the market into real-time monitoring (firewall,
IDS, VPN) and assessment (vulnerability assessment, penetration testing).
Giga defined six categories: on-site consulting, remote perimeter management,
product resale, managed security monitoring, penetration and vulnerability
testing, and compliance monitoring. We decided to organize our survey
by commonly branded service offerings and features. We began with the
granddaddy of this market: the Managed Firewall Service Chart.
Managed Firewall Services establish a network perimeter to secure Internet
and Intranet connections. In nearly every service available today, the
provider deploys a firewall at the customer premises, assuming on-going
responsibility for provisioning and 24/7 monitoring. Verio and Exodus
provide monitor-only options; see our IDS list for additional providers
that monitor customer-operated firewalls.
Our survey asked if the provider was responsible for 24/7 monitoring
because we expected everyone to claim this and hoped some would offer
details. ISS did so, reminding us "Firewall Monitoring is a very generic
term. Each supplier can and will define this differently, creating inaccurate
comparisons." Point well taken. Customers should look beyond this staple
to understand exactly who monitors what, and, most importantly, what
action will be taken when problems are detected.
We also asked about automated incident response and event escalation.
When problems occur, they must be neutralized in "Internet time". Most
of those we surveyed offer some type of defined response; the level of
automation and customization varied. Customers should look for providers
that back their incident response policy with a service level agreement
(SLA). Another important consideration is the ability to scale.
We asked each provider to explain how service reports and firewall logs
were provided, and how policy updates were requested. Facilitating routine
communication is a sweet spot for innovation. When outsourcing, enterprises
lose a degree of visibility and control. Good providers keep customers
informed without overwhelming them or putting sensitive information at
risk.
Most providers claimed their managed firewall to be network-independent.
Of those surveyed, only AT&T and XO explicitly tied their firewalls to
network access offerings. However, bundled services are undoubtedly available
from many of these providers; combos often make good business sense. In
fact, managed firewalls typically serve as platforms for additional security
services.
Managed VPN
The most prevalent firewall add-on is Managed Virtual Private Networking
(VPN). VPNs can reduce the cost of site-to-site (S2S) connectivity and
remote access (RA) for corporate travelers and teleworkers. Less often,
VPNs are used for secure Extranet (EXT) communication between businesses.
Surveyed providers offering one or more of these Managed VPN Services
are listed on the Managed Virtual Private Networking Chart.
Nearly all of these services tunnel to CPE. A few services, including
eTunnels VPN-On-Demand, Imperito InstantVPN, and WorldCom IP VPN Customer
Directed, use tunnels created by a central server, hosted by the provider.
In our previous survey, Check Point appeared frequently, and it still
does. But today, nearly every provider offers Managed VPN on more than
one platform. Most of the platforms cited here are also popular firewalls:
Check Point (often on Nokia), Cisco PIX, NetScreen, Symantec Enterprise
(formerly AXENT Raptor), and WatchGuard. VPN-centric platforms like Cisco
3000, Nokia CryptoCluster, Nortel Contivity and VPNet were mentioned less
frequently.
Many of these Managed VPN Services inherit 24/7 monitoring, SLAs, policy
update procedures, and report/log delivery methods from the Managed Firewall
Services on which they are based. But policy updates can be a bigger issue
for Managed VPNs, particularly when it comes to remote access VPNs.
A few providers allow customers to manage their own user accounts; most
require customers to submit change requests to be implemented by the provider.
Secure web interfaces are increasing in popularity; VPN tunnels are often
used to secure changes implemented remotely.
We asked providers to list supported tunneling protocols; the vast majority
cited IPsec/IKE. PPTP was rarely mentioned, although many of these platforms
can support it. A handful of providers mentioned L2TP for Windows-based
remote access. We asked providers whether they supported PKI (digital
certificates) and legacy authentication (e.g., RADIUS, SecurID). Support
for both was broader than we expected, although Interland's answer (supported
on case-by-case basis) may be the most truthful. Noteworthy complementary
offerings: Telenisus Managed Authentication Service and Genuity Managed
CA Service.