Hand over the keys to security?

Even seemingly simple features associated with firewall management are becoming complex and troublesome, prompting some companies to off-load security responsibility onto the shoulders of MSSPs (managed security service providers), vendors that provide configuration and management expertise, and even around-the-clock monitoring, along with their security solutions.

Of course, MSSPs, which include the likes of AT&T, Guardent, IBM, Internet Security Systems (ISS), Symantec, and TruSecure, want to manage more than your firewall. Their services run the gamut, from vulnerability assessment and remediation, to managing anti-virus gateways and VPNs, to complete security-policy management and intrusion detection. Vendors at the high end, such as Guardent, even offer incident-response and forensics services.

But it’s often the complexities of firewall configuration, and the challenges involved in securing the network edge, that lead network managers to turn to MSSPs. For example, Jeff Nigriny, chief security officer for ExoStar in Herndon, Va., just didn’t feel comfortable operating Check Point’s firewall. He wanted no part of the constant upkeep, monitoring, and managing of firewalls to combat the bombardment of attacks pounding ExoStar’s network and sought outside expertise to plug the security holes.

“We’re in a situation now, it’s like coming up on a car accident two weeks after it happened and somebody inflated the air bag. It’s really a bit too late,” Nigriny said. “The firewall was the catalyst for us looking at managed security in the first place.”

ExoStar, an online exchange for the aerospace and defense industry founded by Boeing, Lockheed Martin, Raytheon, British Aerospace, and Rolls Royce, employs TruSecure, an MSSP based in Herndon, Va., to protect its corporate network against intruders.

To offset his CIO’s concerns about relinquishing control over network security to an outside entity, Nigriny showed his boss the network areas being hammered by attacks, together with average length of time his staff took to successfully counteract the threats. Ultimately, TruSecure was able to help solve problem by taking over monitoring and analysis of ExoStar’s firewall full time.

Outsourcing makes sense for an environment in need of a central source to control firewall policy as well as a business unit’s security devices, said Kelly Kavanagh, principle analyst at Stamford, Conn.-based Gartner. “There’s lots of stories that float around in the security community of folks that inadvertently shut off all firewalls and open everything up if they’re debugging an application or trying to get to the root of a problem,” he said. An MSSP provides an extra layer of protection.

Offering around-the-clock security expertise focused squarely on the client’s needs, MSSPs are an interesting option or IT staffs having a difficult time coming up with the time and expertise internally. But there are caveats. In addition to sharing sensitive security information with an MSSP, customers must be prepared to overcome hurdles involved in incorporating a third party into internal processes. An MSSP actually becomes part of an enterprise’s day-to-day operations, and customers can become irate when requested changes are not implemented in a timely way or misdelivery headaches occur, Kavanagh said.