Outsourcing: Something lost, something gained

Outsourcing security can ease IT burdens, but be sure to read the fine print

Configuring and maintaining firewalls, IDSes, and anti-spam filters can challenge even the best security administrators. How can anyone realistically review every message in every event log? A tightly managed security framework frequently requires more time than available resources allow.

That's why hiring MSS (managed security services) providers is a popular alternative to internally managing off-the-shelf solutions or customized programs. MSS providers promise the expertise and staff resources to maximize security. Take e-mail content filtering, for example. Service providers MessageLabs and Postini are leaders in providing anti-spam, anti-virus, and anti-pornography filtering for SMTP e-mail. Both companies scan billions of e-mails each week for thousands of customers, and their accuracy is extremely high. Customers also say the services reduce their maintenance costs.

Tom Hyman, director of IT at Gold Key/PHR Hotels and Resorts, has been using MessageLabs for three years and plans to renew the company's annual contract. "It's cost-effective and catches 18,000 spams out of the 26,000 e-mails we get each week," he says. "We went from one domain being covered to seven this year."

Counterpane Internet Security is another popular MSS vendor. Started by noted cryptography author Bruce Schneier, the company offers network security, vulnerability assessments, device management, and attack-response teams. Its staff has some of the world's most highly trained security experts, who will monitor your network around the clock. They can manage your entire network security infrastructure or just a piece of it.

The expense of outsourcing can be prohibitive for smaller enterprises. And there are drawbacks beyond cost, including privacy issues. Most MSS vendors will sign NDAs (nondisclosure agreements), but a third party will still have access to your data and communications. "It does take a leap of faith," Hyman says. "An NDA is standard with MessageLabs, but we use PGP to protect the contents of sensitive e-mail."

Furthermore, when you turn over security to an external company, you also hand over customization and routine management. Internal staff can no longer implement changes on the fly; even simple tasks such as changing a security setting typically require a call to technical support.

"Security is always a cost/benefit trade-off," notes Rick VanLuvender, director at InfoSec Academy. VanLuvender recommends negotiating an acceptable SLA, employing a testing period, incorporating an unconditional early-out clause, and reading the fine print.