Carrier security outsourcing making connections

Large telecom carriers such as AT&T and Verizon are able to take over customers' IT security operations -- and enterprises are happy to embrace the notion

Massive telecommunications carriers, including AT&T, BT, and Verizon, are promoting their ability to take over a significant portion of customers' IT security operations, and some enterprises are already buying into the model.

Over the last several years, the sprawling carriers have acquired and introduced a range of technologies and services that promise to help protect customers from the growing wave of IT-based threats, including denial-of-service attacks and Web-borne malware programs.

And while the carriers all concede that delivering safe telecommunications and Internet access to their customers' doorsteps is a fundamental requirement of their core business, the companies also maintain that they are uniquely positioned to become broader security outsourcing partners for their clients.

Florida-based First Advantage is already outsourcing a significant portion of its IT security operations to its carrier partner, Verizon Business.

The publicly held risk management services company had previously seen a payoff from outsourcing elements of its call center and software development operations, and the increasing complexity of its security and compliance concerns made it a natural to enlist Verizon to take over more of the work, executives said.

"Compared to the cost of internal operation, price was obviously a major consideration, but it was also the idea that these are specialists in security who we would be turning to," said Isabelle Theisen, chief security officer at First Advantage.

"They can provide a level of monitoring and correlation that would not have been possible for us to achieve internally," she said. "And we wanted to take a more leading-edge approach to matching potential threats to specific assets, something that alone would demand a full-time team for us otherwise."

Theisen estimates that First Advantage, which specializes in employee background screening and insurance fraud investigation, has already ceded approximately 70 percent of its IT security operations to Verizon.

Among the services it consumes from the carrier, which include everything from AV (anti-virus) and IPS (intrusion prevention systems) to Web applications firewalls and operation of compliance-mandated server farms, many came to Verizon via its July 2007 acquisition of CyberTrust.

However, the seeds that have grown into the company's portfolio of security outsourcing skills were taking root years before the deal for the MSS (managed security services) company came to pass, Verizon Business officials said.

"We saw tremendous growth in demand for additional security services starting in 2005 and knew we needed to scale up; adding CyberTrust has helped us expand rapidly, and we're seeing even greater demand today, especially among multinational customers," said Cindy Bellefeuille, director of solution and product marketing at Verizon Business.

Some industry watchers have said that customers will increasingly expect carriers to eliminate many security threats as part of their core connectivity services just as they require the companies to guarantee network performance speeds in their SLAs (service level agreements).

However, Bellefeuille said that companies such as Verizon can meet those demands while creating new opportunities for additional services aimed at thwarting targeted threats or providing automation services, such as the Sarbanes-Oxley compliance server operation the company oversees for First Advantage.

"There will always be opportunities from an attack perspective for us to take action and protect customers on the backbone, and we'll do that," she said. "We've also driven a lot of internal innovation in last three years for fighting issues such as targeted attacks; we're building out the honeynets and doing more correlation of data. Now we're in the phase of launching services as both stand-alones and value-adds."

Verizon marketers foresee a future wherein the company could become a provider of end-to-end security outsourcing services.

While a majority of the services it has offered thus far have centered on external issues such as helping its customers ward off DoS threats and malware, the company is already getting its hooks into more internal security operations, such as identity management, filtering data pulled in by IDSes (intrusion detection systems), and providing protection for various types of databases and software applications.

BT beefs up its security offerings
BT is another carrier that has turned heads in the security community in recent years with its acquisitions and stated business strategies.

The company's security aspirations were perhaps illustrated best by its October 2006 acquisition of Counterpane, another MSS specialist.

As with Verizon, officials with BT said that the carrier is preparing to launch a far broader set of security services than merely those that it added through the Counterpane buyout.

Along with anti-DoS services -- and Counterpane's array of network monitoring, vulnerability scanning, and e-mail filtering skills -- BT officials contend that the company will soon be able to provide customers with security offerings such as antimalware filtering, embedded firewalls, UTM (unified threat management), and intrusion prevention.

Enterprise customers will become particularly amenable to such carrier security services as they continue to upgrade to next-generation networking infrastructure, said Mick Creane, head of managed security strategy at BT.

While the company has been providing anti-DoS services for years -- using technology sourced from vendor Arbor Networks, which targets its products directly at service providers -- there is a far broader opportunity for carriers to realize in security, he said.

"When everything has gone IP, we will be able to offer even more services and flexibility," he said. "Organizations are recognizing that the threats are changing so quickly that it's a huge challenge to keep pace, but that within the large carrier service providers, we have the necessary economies of scale and expertise to deal with this problem."

Over time, Creane contends that by pulling together more managed security and carrier services, companies such as BT will be able to provide an integrated set of network defenses that customers won't be able to rival with their own internal systems defense technologies.

In addition to those defensive opportunities, the carrier also plans to offer more proactive security services, such as filtering out inappropriate or unauthorized Web sites and blocking access to those URLs for its business customers.

"Customers are beginning to get it, and in the short term, we can use it as a business differentiator, but in the long term, I think they will begin to expect a certain amount of security expertise," Creane said. "BT and other carriers are in a very powerful position because by embedding security into the network at a higher level, we will be able to do security cheaper than CPU-based products and services."

For now, most enterprises are just beginning to familiarize themselves with the carriers' expanding security services, but proponents maintain that the transition from companies doing more in-house to outsourcing more of their security responsibilities over to their existing bandwidth providers, will evolve quickly.

For some customers, the carriers' security vision has clearly already been embraced with enthusiasm.

"I believe that they can help us correlate high-risk incidents and threats with information about our IT assets that will allow us to focus on the most high-priority items at any given time, from a security perspective," said First Advantage's CTO Theisen. "We can then move into adoption of a more risk-based system for our information assets. Right now it's all about just getting the necessary framework in place."

Copyright © 2007 IDG Communications, Inc.

How to choose a low-code development platform