Managed Security Services (MSS) based on Provisioned Security Services (PSS)
Authors
Abstract
The paper discusses the reality of Managed Security Services today and their drawbacks. It then moves on to propose a solution to the most burning problems. The solution, Provisioned Security Services, is based on the premise that providing a strong provisioning platform, which automates processes and integrates into providers’ networks, will allow large providers to become key players in the area of managed security services. The architecture of an actual PSS solution is provided and briefly discussed.

1 Managed Security Services

Data security is a complex issue, becoming more complex as the number of attacks and their sophistication grow. Good security experts are hard to come by, and most small to medium enterprises cannot afford to keep a security team in-house. As a result, more and more enterprises move to outsource their security functions (often as part of outsourcing the entire IT function or major parts of it). As with other specialized areas, a major benefit for companies that outsource security, if high-level professional companies are used, is receiving best-practice security at a relatively low cost.

This trend has led to a growing new market. In Europe, in the US and elsewhere many Managed Security Services companies have sprung up, helping companies keep their data secure. Among the managed security services providers are new dedicated companies as well as older companies from different areas: security product vendors, consultants, ISPs and telephone companies. These companies usually provide:

– Managed Firewall and VPN services – providing network perimeter security as well as secure connectivity for mobile users and among sites.
– Content filtering
– IDS management
– Managed anti-virus (typically using gateway products)
– Network Monitoring (using the above products and management tools) and incident response
– Some companies also provide periodic vulnerability testing, patching and escalation

126 Eyal Adar und Dan Sarel

Already starting to show up and expected to significantly grow in the future are the following services:

– Authentication services management
– PKI management
– Integrated security logging (drawing, synchronizing and analyzing logs from different enforcement products)
– Company-wide security policy management
– And many other services

2 Managed Security Services Limitations

Most products that the managed security services providers rely on were not designed to interface with other products. In large enterprises we see a lot of home-grown solutions that help integrate the security products. Managed security services are wary of providing such solutions since they require a different solution for each customer, making it highly uneconomical. Some of the new managed security services companies, usually set up by bold, innovative, highly professional personnel, tackle the problem using innovative techniques such as planting their own agents within the software and hardware provided by vendors. Others rely more on the vendors’ initiatives and partnerships that help integrate at least some of the security products.

This limitation becomes more severe for the larger providers, whose businesses rely on quickly integrating custom-made services and products, rather than spending time and effort tailoring different solutions for different customers.

There is another reason that large providers find it very difficult to provide MSS. Most designers of security products had the enterprise security personnel in mind. Answering providers’ needs, or integrating the products into providers’ systems, was not originally seen as a top priority.
As a result of this "bias", most products have no means of integration with back office services and components (CRM, HR, billing, etc.) and no automation of tasks. The products often suffer scalability limitations. The end result is that most work is done manually, services are not automated and integrated, and adding new services is still painful, expensive and requires lengthy processes.

These are all problems that are familiar to anybody who has been thinking about Operation Support Systems (OSS) in general. However, security products add their own limitations. Security products are relatively young. Their relative complexity (having to deal with standards that are still in development and change all the time, dealing with complex technologies such as encryption, PKI, etc.) has led to major delays in adding to the products the basic features that providers need (such as integration into back office systems).

Another major obstacle is the fact that there is no industry-wide adoption of standards for management and communication with security products. Most vendors are still trying to win as much market share as they can, which often translates to lack of cooperation among vendors. Some of the more serious attempts to standardize management and communication among products are still bound to specific vendors or vendor consortia, making life extremely difficult for providers that need to cope with a multi-vendor environment and with situations where the products used by their customers are not necessarily of their own choice.

In summary, MSS used to be provided by small companies (even if the main contractor was a big player). The big players (typically, xSPs) are entering the market, and finding that the products were not designed to answer their particular needs. New solutions are needed for the service providers in order to bridge these gaps.
3 A Word about the Business Needs

The providers have, of course, a good reason to enter the market. It is a well-known fact that competition between the providers has dramatically reduced the prices of basic services, and in order to survive they must identify new sources of revenues. Security has been singled out as a major player since it is relatively immune to changing financial climates (companies do not see security as a luxury they can do without when times get rough). And as we said before, companies are willing to pay a premium in order to outsource security.

Roll-out of many new services is the key growth driver for all service providers (fixed-line, mobile, hosting, corporate), but so far rolling out security services, for the reasons we have quoted before, has been difficult to do.

4 PSS Closes the Gap

Theoretically, if all products could come of age quickly, and standards were quickly put into place and adopted by all vendors, providing MSS would be as easy as providing a new phone line or access to the Internet. However, this will not be the case for quite some time. A new infrastructure for the security services is therefore needed in order to complement the existing products. It must address:

– Integration into the provider’s workflow
– Automation of as much of the processes as possible
– Integration into the provider’s services

We call the new infrastructure "PSS," or Provisioned Security Services. The vision is quite simple. We imagine service providers being able to deliver to thousands of enterprises a pre-integrated service bundle consisting of access control services, virus protection, encryption services, authentication services, etc., all just by the click of a button, with immediate availability to the customer and with total transparency.

PSS will enable service providers to generate new revenue streams and cut costs through automated delivery of a wide range of security services
Similar resources
Security Infrastructure for Dynamically Provisioned Cloud Infrastructure Services
S. Pearson and G. Yee (eds.), Privacy and Security for Cloud Computing, Computer Communications and Networks, DOI 10.1007/978-1-4471-4189-1_5, © Springer-Verlag London 2012 Abstract This chapter discusses conceptual issues, basic requirements and practical suggestions for designing dynamically configured security infrastructure provisioned on demand as part of the cloud-based infrastructure. Th...
Managing Interdependent Information Security Risks: Cyberinsurance, Managed Security Services, and Risk Pooling Arrangements
The interdependency of information security risks often induces firms to invest inefficiently in information technology security management. Cyberinsurance has been proposed as a promising solution to help firms optimize security spending. However, cyberinsurance is ineffective in addressing the investment inefficiency caused by risk interdependency. In this paper, we examine two alternative ri...
Location-Aware Mobile Intrusion Detection with Enhanced Privacy in a 5G Context
The paper proposes a location-aware mobile Intrusion Prevention System (mIPS) architecture with enhanced privacy that is integrated in Managed Security Service (MSS). The solution is envisaged in a future fifth generation telecommunications (5G) context with increased but varying bandwidth, a virtualised execution environment and infrastructure that allows threads, processes, virtual machines a...
Implementing IP Traceback in the Internet — An ISP Perspective
ISBN 0-7803-9850-5 /$10.00 2002 IEEE Page 326 Abstract--Denial-of-Service (DoS) attacks consume the resources of remote hosts and the network in terms of buffers, processing power, and connections, thus denying or degrading the Internet services to legitimate users. Managed security service (MSS) has been developed to provide better network performance in addition to protect customers from be...
Computationally secure multiple secret sharing: models, schemes, and formal security analysis
A multi-secret sharing scheme (MSS) allows a dealer to share multiple secrets among a set of participants, such that any authorized subset of participants can reconstruct the secrets. Up to now, existing MSSs either require too long shares for participants to be perfect secur...
Publication date: 2004