With the growing demand for security services and the high costs associated with hiring a local security staff, many organizations look for alternate methods of managing security. This has opened the market for managed security services wherein clients can pay an external organization to monitor and react to various security issues. Managed services are a great way to provide certain types of services, such as off-hour monitoring of local security devices and running continual penetration scans and attack simulations. Hackers usually attack at odd hours of the night, when security staff are not present. With managed services, however, a staff shared among many clients can be utilized 24x7, rather than hiring a local staff to perform the same functions.

Limitations of Managed Services

At first glance, bringing in a managed services company may seem like the solution to all security problems. Indeed, managed security services can remove much of the work involved in maintaining security. However, remember that a managed service provider (MSP) can only offload certain aspects of security. There are far too many pieces of security to consider any external organization to have "ownership." Security as a whole must be managed from within an organization and seen in all aspects of its operations. Paying an MSP to monitor Internet connections or manage intrusion detection may be helpful, but it does not relieve us of security issues.

Beware of Free Managed Security

As the demand for managed services began to grow, many Internet service providers (ISPs) realized they could attract more customers by managing the security of their customers' Internet connections. Most ISPs offer firewall filtering, intrusion detection, and incident reporting at a minimal fee to their clients. This has led many organizations to forgo implementing their own local perimeter defenses and rely on their ISPs.
I highly discourage organizations with more than a few computers from accepting this as their only security solution. Looking back to the discussion on trust, we must fully trust the ISP's equipment, staff, and policies to protect our organization. An ISP's primary focus, however, is not on the firewall or its management, but rather on the networking aspects of the business. As such, it is rare to find an ISP that will give adequate attention to protecting a company of any size. Heavy caution is recommended for any organization outsourcing its perimeter defenses.
Properly Using Managed Security Services

Managed security services are a great resource, when used properly. The best use for managed services is when an organization requires 24x7 monitoring for security events and does not have the staff to handle it. Another good use for such services is to enhance security maintenance, since the staff can spend a lot of time searching for new vulnerabilities, new exploits, and new patches on behalf of their clients. This is a great service if an organization is unable to have a security expert on staff. Before any MSP is used, the following issues should be considered: