The complexity of threats to IT security is growing exponentially. As a result, IT security managers are struggling to see the light of day when seeking a protective solution. A few years back, the biggest problem was stopping viruses hidden inside e-mails. Now, threats are encompassing everything from receiving spam via e-mail all the way through to denial of service attacks, staff downloading viruses, Trojans and even key loggers within web pages extracting information for fraudulent purposes. Simon Gawne assesses these developing threats, suggesting that the time to outsource IT security has arrived.

At present, the IT security market may be divided into three core segments: data security, network security and content security. The first of these relates to products and services designed to protect the integrity of data – wherever it’s stored and however it may be transported between computer systems. Encryption technologies fall into this area.

Network security, on the other hand, is concerned with the protection of entire networks and attached devices from numerous forms of attack. Firewalls and Virtual Private Network technologies are in this segment.

Then there’s content security, which is fairly self-explanatory. This covers the threats and risks related to the content of information which, in this day and age, is typically delivered over the Internet or a local network.

However, the challenges posed by the sheer variety of current threats from the Internet are altering this market division as organisations come to recognise that a much more blended approach to securing the network is required if any headway is to be made against the plethora of malware assaulting the company perimeter.

It’s also worth emphasising that Internet-based threats underwent a watershed change last year. Virus creation is no longer the domain of University-based students hacking for sport. Rather, it’s the latest and most damaging tool deployed by organised criminal gangs who are keen to use malware for fraudulent purposes and with a view to extortion.

A recent example of that has been seen in the phishing craze (‘It’s money for old rope!’, SMT, December 2004, p45), whereby bogus e-mails prompt users to yield sensitive data that can be used at a later date to access private and/or company accounts.

The overriding problem faced by most companies is that they’re struggling to develop the internal expertise to provide a wide enough range of threat protection capabilities and, critically, to be able to respond quickly enough to these threats as they emerge at an almost daily rate.

As more and more IT capability is outsourced to third party providers, it would be an opportune time to reassess the threats to the organisation originating from the Internet and ask whether or not now is the right time to outsource IT security.

What should a content security service provide? Most important of all, who should companies be seeking as their security partner?

Outsourcing comes of age

Faced with the ever-growing trend for Internet-originated attacks, whether malicious or criminal, it becomes clear that there exists a solid set of arguments as to why you would want to outsource your IT security. If companies are to consider this, then they should really be looking to complement or enhance their existing protection.

Lending credence to the argument for partnering with a third party security provider is the immediate availability of experts in the security field – an area that most companies still struggle to address themselves. Another goal that’s difficult to achieve – but is a basic service offering of the outsourcer – is to bring scalability to the security infrastructure. This is key if a business is to grow naturally.

The tangible value of using an outsourced IT security service is its inherent ability to provide additional strength through deploying to a number of different companies. If one company residing with a service is under attack then the knowledge of that attack can be used to protect all of the companies on the same service. The service provider can also deploy statistical techniques to look for unusual traffic patterns across client companies, enabling them to respond to attacks as they occur.

The value of that statement becomes clear if we look back to the outbreak of the Sasser worm. This piece of malware code took just ten minutes after its release to affect 80% of all vulnerable machines on the Internet. This is clearly much faster than traditional anti-virus companies can update their virus signatures and distribute them to their customers around the world. Traffic monitoring would have provided a valuable line of defence to many of the blue chips who fell victim to the worm.

So, if we’re to agree that outsourcing is the way forward for securing an organisation’s network against Internet-borne threats then an obvious question arises... To whom should the end user outsource the service?

Which providers can be trusted?

In deciding this, it’s worth noting the growing trend towards more integrated content security products, not to mention the fact that the location where these products are deployed has also evolved.

Five years ago the focus was very much on providing protection at the desktop. Today, most corporates will deploy protection at multiple points within their infrastructure: at the desktop, in network servers and at the Internet gateway. The mantra in today’s Internet security industry is very much “the more, the better”. In other words, the more equipment and software deployed, the better the protection.

However, in direct opposition to this theory is the obvious fact that the best place to stop threats emanating from the Internet is in the Internet itself, long before any malware reaches the company network. It follows that the logical place to seek outsourced security is to visit those companies providing the Internet access in the first place.

160 years ago, when water was first delivered directly to homes, people were concerned about its quality and boiled it before use. Today, water companies automatically clean their water before delivery, so it’s safe to drink straight out of the pipe. Likewise, the Internet is assumed to be ‘dirty’ and has to be cleansed (ie virus scanned, content checked and spam removed) before use so that traffic is safe and ready for use straight out of the pipe.

It’s far more logical to ensure that a company Internet feed is treated and cleaned to tackle security problems, and it’s going to be more cost-effective.

As part of an organisation’s Internet Service Provider (ISP) selection process, the security and IT managers should be looking for partners able to furnish them with a ‘clean Internet feed’. The basic provision of anti-virus and anti-spam on e-mail as protection is no longer sufficient. What companies need to be looking for are ISPs who can supply protection not only against e-mail threats, but also the latest blended threats (‘Don’t ignore blended threats’, SMT, August 2004, p49) and the major types of attack.

In other words, everything from virus-embedded web pages and viruses distributed by downloads through to providing protection against inappropriate content entering the organisation from a variety of sources.

Looking to retain control

A further key consideration when it comes to selecting an outsourcing partner is the level of management retained by a given organisation. To this end, there are really three distinctly different models available.

First, the company in question does everything itself. Though management is completely retained, the argument against the model is that comprehensive IT security is increasingly difficult to achieve due to the lack of on-site expertise. Staff simply don’t have the necessary skill set, and cannot respond rapidly enough to emerging threats.

At the other extreme is the decision to outsource the entire security system to a third party so that the organisation doesn’t become involved at all with the provision of the security service. The problem here is that, realistically, this isn’t going to be acceptable to most companies. Outsourcing all IT security functions and maintaining a company’s intellectual property can never be entirely balanced. It’s too critical to the business.

The optimum middle ground, then, is where a third party provides a security service which the organisation has the ability to monitor, manage and optimise for its own particular requirements. Hence, when selecting a provider for this type of security service it’s critical that the client investigates the management features of the service. If, for example, blocking access to inappropriate web sites was outsourced, then while there will be protection provision, you’ll not be able to allow employees access to nominated web sites of potential value to specific business projects.

From a staff management standpoint such a service would prevent the ability to manage the identification and tracking of the activity patterns of staff attempting to access blocked sites. The ability to customise service management to a company’s own requirements is therefore critical, particularly when establishing audit trails when questions of company liability are raised.

Total protection is the issue

What is of key importance for IT security managers right now is the realisation that there’s a broader threat to the IT infrastructure than that from e-mail. The hot issue is one of total protection. This demands the deployment of an holistic approach to threat management. Such blended security solutions can only come from a third party partner. On that note, there’s a clear argument for approaching the ISP to obtain this level of protection.

While that level of protection is important, it’s critical to ensure that some aspects of management are retained by the organisation, particularly when it comes to tailoring the service to the company’s exact requirements.

Just as those 19th Century water companies cleaned and filtered the supplies, thus confining cholera to the history books, so too with protection capabilities becoming an integral function of the Internet, ISPs can surmount the problems associated with securing IT infrastructures against attack.

At last, IT and security managers will be able to see the light.

Know your enemy – malicious, unwanted and inappropriate content security threats explained

Content security is a rapidly evolving area reflecting the dramatic increase in the number and range of content-related threats. Those threats may be broadly divided into three areas: malicious content, unwanted content and inappropriate content.

Malicious content is designed specifically to cause harm to businesses and individuals. Viruses, worms, Trojans, phishing scams and other forms of malware fall into this category. These kinds of threats can have a direct financial impact on the victim and their organisation through system downtime, or the compromise of personal or company online bank accounts.

Unwanted content disrupts the normal activities of the victim. Spam and its various new incarnations – instant messaging ‘spim’ and text messaging spam – are good examples. Typically, such threats have an indirect financial impact such as lower employee productivity, increased data storage and network bandwidth costs.

Inappropriate content covers those threats where individuals receive and/or view content that is either inappropriate or offensive. Employees downloading pornography from the Internet while at work would be a classic example. The impact on both organisations and individuals can be financial (by way of litigation actioned by employees who view abusive content at work) and intangible (such as the damage caused to a company’s reputation in the marketplace).

What is needed is a new approach to stopping viruses, spam, pornography, profanities, malicious content and other threats from ever reaching the end user for all Internet protocols and applications.