Owned, Managed, Or Cloud? Choosing A Security Strategy

Cloud saves money, managed provides expertise, and do-it-yourself security offers more control. The choice depends on priorities and financial realities.

Pity the modern chief information security officer. Attacks are on the rise, budgets are being squeezed, and the person in charge of security -- frequently, in addition to other duties -- has to deal with an increasingly complex business network and scarcity of expertise.

Given the pressures against which information security professionals are pitted, options such as managed security service providers (MSSPs) and security-as-a-service (SaaS) are increasingly attractive, says Edward Ferrara, principal research analyst with Forrester Research. The research firm forecasts that the market for managed security services will grow by about a third every year.

"A lot of people are looking to them to solve the security problem, while at the same time their budgets are relatively flat," Ferrara says. "The CISOs need to do more with less, and that is a challenge."

While still used by only a minority of companies, managed security service providers have turned the configuration and administration of security software and appliances into an easily understandable operational cost. Companies looking at using an MSSP or SaaS provider are typically driven by three factors: reducing the costs of security, benefiting from a staff of security experts, and gaining threat intelligence from a vendor's community of clients. Usually, a managed security service provider can exceed the customer's capabilities in all three areas.

The reasons are clear: Because security is still considered a cost center -- holding, in many ways, a place similar to insurance -- companies aim to hold down the costs as much as possible, says Mark Wood, product manager of cloud security for Dell Secureworks, an MSSP. At the same time, knowledgeable security practitioners are in high demand, making it nearly impossible for small and midsize companies to staff a 24-by-7 security group at a reasonable price. Trying to hold down costs while securing a company is a nearly impossible job, Wood says.

"If you think about a gap between what security is asked to do and what they are staffed to do, [MSSPs] can come in and fill that gap in a cost-effective manner and what is left, the resources can be applied to things that are better handled internally," Wood says. "There is a resource optimization angle there."

[Dell jumped in the managed-security-services business in 2011 with its purchase of Secureworks. See Dell To Acquire SecureWorks.] 

Companies should consider adopting managed or cloud security for any or all of those reasons, says Vab Goel, founder of Virtela, a network and security management firm. More businesses are looking for an outside partner to help them improve their security to better protect their networks, data, and business.

"Outsourcing -- whether to a managed service provider or to the cloud -- is no longer part of the overall theme of cost-cutting: It is a competitive edge," Goel says. "You can roll out features faster, you can scale up and down as the business goes up and down, and you can get exposure to new technologies much faster."

Despite the benefits, however, partnering with a managed security service provider or subscribing to a SaaS offering is not for all companies. Some businesses may feel that their data is too sensitive or valuable to let another company access, even if it's only security metadata, Dell Secureworks' Wood acknowledges.

"One of the challenges that IT executives are having in moving applications to the cloud is that potential loss of control -- that some part of what they used to do is now in someone else's hands," Wood says. "Organizations that really want to be in control of all of their data, every little detail of it, and want to customize their security strategy may prefer to do it in-house."

On the other hand, companies that are looking to fill a specific security need can look at SaaS offerings. Whether the need is clean e-mail, log management, or encryption key management, an increasing number of services are being introduced to fill corporate needs. While still mature, the success of security-as-a-service vendors has shaken up the managed security service market. While MSSPs have traditionally offered the client a limited amount of operational access, the example of cloud services has shaken up the status quo, says Andrew Jaquith, chief technology officer of Perimeter e-Security, a managed security service provider.

"What we have seen over time is that every MSSP gets more and more requests from their customers: They want to be able to mine data, they want to be able to drill down -- they don't want the canned interface that they had in 1995," Jaquith says. "The line is definitely blurry, but overall the trend is very clear: Customers want more control over their data, they want more exploratory data analysis, and they want much more control over their infrastructure, and that is what is driving the move to SaaS."

In the end, companies should expect not just competition, but cooperation between cloud services and managed security service providers. Perimeter e-Security, for example, is moving toward making its managed service more cloud-like, while Dell Secureworks plans to help its clients better navigate the host of cloud security services as a broker.

"We can route traffic through different SaaS providers, and roll it up in a single security view," Wood says.

Perimeter e-Security's Jaquith agrees that the future holds changes for managed service providers as cloud offerings mature.

"We are not in a world where every employee is a knowledge worker and is working on a MacBook and going to Starbucks to conduct business," Jaquith says. "They need people to manage them, and for that reason, I don't think the MSSP model is ever going away."
