Middle Eastern companies adopt outsourced security

03.05.2005
Von Nilay Syam

As security management patterns shift to meet industry trends, several Middle Eastern organizations have outsourced security to managed security service providers (MSSPs), with the goals of cutting costs and gaining access to skilled security staff.

According to Gartner, managed security services is one of the security marketplace"s fastest growing market segments. Garnter"s research and IT consulting group reported that by the end of 2005, 60 percent of enterprises will outsource the monitoring of at least one network boundary security technology. An IDC survey reaffirmed the view by predicting that security services is expected to become a US$16.5 billion industry with an annual compound growth rate of 35 percent.

Companies are realizing that using reliable MSSPs eases security management.

?Enterprises and governments face the daunting task of battling hackers, worms and viruses while extending their networks and deal with new data privacy and protection laws,? said Rashed Alabbar, product manager, security services, for eCompany.

Sherif Shaltout, a senior information security analyst at ISS, cites several reasons for the increased demand on managed security services. IT resources that provide information security cannot always provide the required level of protection, he said. Managed security services can offer constant monitoring and protection, something that many organizations cannot afford. Managed security services" return on investment, according to Shaltout, comes from savings made by not having to build security management facilities and hiring security analysts and engineers.

?The growing threat of Internet attacks has placed increased pressure on managed security service providers to provide actual analysis of data produced by security devices in real-time so as to detect and respond to malicious activity,? said Kevin Isaac regional director for Symantec in the Middle East and Africa.

While this model has been popular in developed regions, the Middle East is currently still in the nascent stages and beginning to show interest. For instance, the KSA-based Al-Suwaidi group, which offers managed services, found that the market was slow to pick up when it first set up operations, but now says there are visible signs of growing interest. ?We found that the Saudi Arabian market was slow to grasp the concept of outsourcing their security management to third party companies. But now the interest levels are certainly rising,? said Fred Vyver, senior security consultant at Al-Suwaidi Group.

?The perception of ?how can I trust you with my information? is still very prevalent but recently we were approached by some of the bigger enterprise service providers to discuss MSS with them, as they are being pressurized to consider outsourcing due to the complexity and frequently changing information security market. Therefore we see a change in the market to the benefit of MSSPs,? Vyver said.

Similarly, ISS, which has been a global player in the MSS space, is now set to offer this service in the Middle East. While the company declined to offer plan details, customer announcements will be made soon, ISS said.

Condoning the view that the region is still in the process of emerging as an upcoming market, Justin Doo of Trend Micro said, ?The Middle East faces a variety of challenges, at this time, not least bandwidth availability and cost of same; there is a strong message that?s needs to be delivered to the customer base too, they need to understand the benefits.? He stressed the fact that the organization providing the services should also have a recognizable presence.

?Information security needs a prescriptive guidance in making it deal with critical issues and threats," said Ahmed Baig, a security consultant at eHosting DataFort. "Some of the key benefits for most organizations availing MSS are service performance, costs, staffing, facilities and emergency response.?

MSSPs" exclusive security focus is proving attractive to companies considering security outsourcing. ?They are up-to-date on the knowledge and practice of this very sophisticated field of IT, where critical knowledge develops in underground communities, and spreads not through universities or training centers, but in the form of destructive means like viruses, worms, and denial of service,? said Alabbar.

Security outsourcing is also proving cheaper than running the service in-house, said Baig.

?The cost of MSS is typically much lesser than hiring full-time experts in house and setting up a security operations center," he Baig. "For instance, a company with around 250 users with leased lines and four security assets would spend at least AED400,000 (US$108,912) annually as against MSSPs that are managing the same for only 30 percent of this,? said Baig.

Regulatory compliance is another factor that draws businesses to MSS, said Osamah Hussameddin, data center solutions business manager at Hewlett-Packard Middle East. He cited proactive security management, ease of growth for online commerce and collaboration as other benefits.

Symantec, for example, runs an operations center that tracks threats worldwide and alerts customers about potentially damaging threats. ?The key is in monitoring the solution, which is where the depth of data and specialist skills of the analysts bring real value to the customer,? said Isaac.

?Benefits are particular to the individual in most cases,? said Doo. ?There are huge gains to be made by focusing on your core competencies and outsourcing those that may be vital to business,? he added.

Some organizations may be hesitant about outsourcing all of their security operations and opt to retain certain applications while delegating the others to MSSPs. ?In many cases, customers would like to maintain some sort of control over their network security management,? said Shaltout.

According to Baig, organizations are opting for MSS at the perimeter security level and keeping core security services like access controls and applications security managed in house. Some of the key applications usually outsourced include service security management, availability management and proactive security management. ?The onus lies on the customer to plan and mange the governance of the evolving security policy,? said HP"s Hussameddin.

?Enterprises should always be investing in the training and education of its staff with the latest security information and should have the appropriate level of security knowledge,? said Alabbar.

The services offered by MSSPs vary in their ability to meet an organization"s security requirements. ?It will be foolhardy to adopt a one size fits all approach," said Doo. "Typical products that would support outsourcing are firewall management, networking monitoring, intrusion protection and some levels malware."

Though the Middle East is yet to jump onto the MSSP bandwagon some organizations, like eCompany, are finalizing their managed services portfolio. ECompany will offer services like managed firewalls/IDS, managed VPN, incident handling, DOS prevention and managed vulnerability assessment.

?We have two data centers in Dubai and Abu Dhabi that would host the MSS infrastructure, but it is not required to host the customer assets in our facilities in order for us to manage them with MSS,? said Alabbar.

Several security vendors currently offer their services in the region. EHDF operates service desks with Arabic- and English-speaking support teams. The company provides hosting services, security services, data center services, disaster recovery and professional IT services.

?ISS offerings in the managed security space include Managed Firewall & IDS/IPS services as well as vulnerability management services. In addition we can manage other technologies on a case by case basis,? said Shaltout.

ISS also offers bundled value-add assessment, emergency response and strategic planning services, and pre-emptive protection from Internet threats including executive and technical reporting options

HP has showcased its services that are available in the region including security event correlation, incident management, managed security, active scanning / remediation and service improvement.

The Symantec Global Operations Center runs multi-vendor environments, across Symantec, CheckPoint, Cisco, ISS, NetScreen amongst others. One firewall can generate 1000 MB of data/hour, which is 23.4 GB/day, or164 GB/week. An IDS can generate 1,500 alerts/hour 36,000 alerts/day or 252,000 alerts/week said Doo.

IMT is offering managed security services to the Al-Suwaidi Group, which is made up of 10 companies in one enterprise, with over 6,000 employees. This includes solutions like antivirus and firewall protection, gateway security, intrusion detection, vulnerability testing, antispam and enterprise security management.

Trend Micro offers services through its partners, implementing the company?s core technology.

Apprehensions remain about a security breach on the provider"s end that could compromise several enterprises simultaneously.

ISS operates Security Operation Centers (SOCs) in Atlanta, Detroit, Tokyo and Brussels. ?The main SOC in Atlanta is built as an under ground facility that utilizes redundant network circuits, redundant HVAC, uninterrupted power supply, diesel back up power generation, contingency mobile power supply and fuel and a 24/7/365 on-site fire response team,? said Shaltout.

Rashed Alabbar from eCompany said, ?The core of the MSS is the Security Operations Center. This 24x7 center is a multi-layered secure facility. In addition to the protection of the Security Operations Center, the accesses to the customer management networks are secured through multi-factor authentication/authorization systems.?

Symantec?s Doo described a similar facility. ?Each of the four global SOCs can take over activity from any other should a natural disaster occur, with no customer impact, which is the fail-safe capability. The facilities have redundant monitoring links ensuring back up links that can be provided to the customers in case of the primary link failing.?

Trend Micro claims to build redundancy in the service in terms of multiple service providers, fail-over/fault tolerant hardware and storage architecture.

?The fact that 100 percent security cannot be achieved is equally true for us?, said Baig from EHDF. ?However, MSSPs on a global basis operate and design their services in such a way that any system compromises doesn?t affect clients? information; as they are further protected even from the MSSPs" systems and personnel,? he said.

MSSPs can potentially provide security that exceeds what an organization can achieve on its own, according to some experts. In addition, the growing number of small and medium-sized enterprises tackling online strategies is providing a rapidly growing market for MSSPs. The service"s popularity in the Middle East remains the question.