Information Security

Posted Sep 16, 2008 | By: Merri Mack, Voice&Data

Hosted security market picks up pace


According to IDC data, the ANZ security solutions market reached over $US1 billion in 2007 and the market is set to continue to grow at a compounded annual growth rate (CAGR) of 11.8% to reach over $US2 billion by 2012.

A recent report by analyst firm Frost and Sullivan claimed the Australian market for managed security services would grow at a CAGR of 21.6% between 2006 and 2012 reaching $843.1 million.

The same report quoted current market penetration of managed security as a little less than half of Australian businesses. Market drivers for this service range from access to specialist skills to lower costs and ease of management.

According to Gartner’s “MarketScope for Managed Security Services (MSS) in the Asia Pacific Region” report, the managed security services market is maturing rapidly in the more prosperous Asia-Pacific countries. Coupled with users’ heightened awareness of security risk management and regulatory concerns, the region is seeing steady growth in demand. Gartner has forecast a 12% CAGR for Asia-Pacific managed security services from 2006 to 2011, with the market forecast for 2008 at $US219 million.

John Karabin, VP, security solutions, Asia-Pacific, Verizon Business, said, “The extended enterprise environment brings with it unprecedented security challenges that continue to evolve in sophistication and potential impact. Securing the extended enterprise, and the flow of data within and outside of its perimeter, is probably today’s most critical business challenge. How well businesses manage to achieve this goal will determine their future success.”

Drivers of managed security

According to Carlo Minassin, managing director of Earthware, an MSS provider, the following are the main reasons enterprises take on managed security.

Cost optimisation: This means cost predictability.

Compliance: Many companies have to meet some kind of compliance requirement, which can be global standards or state and federal government standards such as ISO27001, ACSI-33, DSD Gateway Certification, PCI, SOX, HIPAA, Sarbanes-Oxley, FISMA, SB 1386.

Also, as a provider, the MSS operations should meet ISO 27001, ASIO-T4, ITIL and DSD Highly Protected Certified Security Operations and Secure Internet Gateway standards.

Availability of service: As the numbers of threats increase, there is more and more pressure on the network which impacts on the system and the service the customer can deliver to its end users and their customers. If, for example, online broking or online banking was not available, millions of dollars could be lost.

Visibility: Security management processes have to be in place because there are business-to-business apps and other complex apps making it a very complex environment to run.

Eric Hibbard, chair of the Security Technical Working Group within SNIA and currently the vice chair of IEEE P1619 Security in Storage Work Group (SISWG), said, “When it comes to information security, almost all attention is focused on protecting against internet or ‘external’ security threats. Yet it has become a cliché that the most damage is not done through attacks from outside an organisation via the internet, but from within.

“Service providers will walk a fine line in terms of implementing just enough security to avoid being embarrassed by data indiscretions while not incurring the responsibility or liability for securing/protecting the hosted data. Most of the security will be implemented at the application level and under the control of the consumer of the service,” Hibbard said.

Canning Spam in the cloud

Dean O’Byrne, CIO of the District Council Grant in South Australia, uses Websense’s web filtering and spam and virus filter managed services.

He investigated a number of options including Barracuda and other hardware-based solutions before deciding on the Websense in-the-cloud solution.

The hardware-based solutions would have been too costly as the district council would have had to provide hardware at each of its six sites.

“I manage the Websense service from a management console and it enables me to control bandwidth usage by restricting inappropriate file downloads, creating policy on the fly for different users at different sites.”

The implementation and policy work took between 2 and 4 weeks, with policies being further refined after discussion with the users. One of the benefits is that administrative overheads are now low. The council gets next to no spam, whereas before the service it would get between 700 and 800 spam emails a day at headquarters.

“We estimated before using the managed Websense solutions spam-email was costing us on average 30 cents for each email. We haven’t done an ROI but we know this is a very cost-effective solution.

“Another plus is that when we were upgrading the network and planned outages, for example over the weekend, Websense stored our emails up to seven days and then let them trickle through.”

This service provides a safer working environment for staff and library users.

Growth in the demand for services

Minassin says that because of the advent of ADSL and cheap internet, businesses, whether big or small, depend on internet connectivity.

“Today, there are gigabits of traffic and hundreds of different applications running in businesses. We have one client who has 80 plus applications. From a policy perspective there are hundreds of different entities that need to be taken into consideration such as wireless connections, which means the network perimeter is almost becoming part of the internet.

“This means it is very complex for companies to deal with this as policies have gone from the very basic to the very complex. Finally, security is evolving from a hardware box and presenting quite unique challenges and that in a nutshell is why companies need managed security service providers.”

Earthware has doubled in size every year now for the past four years. Prior to this there was a lot of customer education necessary for customers to understand what managed security could provide.

“It was not a mature market and there was not sufficient demand for managed security services for companies in this market. A lot of providers merged with others or were acquired and about half went bankrupt because they could not sustain their business,” said Minassin. The companies that survived had a sustainable business model and put the effort into educating the market.

“Once the market caught up we flourished. Earthware offers both managed security services which means we manage customers’ security on their premises remotely and in the cloud.”

John Martens, IronPort’s general manager for Australia, notes that whereas his Australian customer base included only one managed email service provider a short time ago (and it was servicing just six clients with an average of about 80 endpoints), he now has six service provider customers. “Moreover,” he says, “each of them is growing very nicely indeed.”

James Wilson, managed services specialist, Juniper Networks, says, “The proliferation of mobile devices, the increase in flexible and mobile working and the sheer sophistication of services running over next-generation networks means it is becoming increasingly difficult for enterprises to effectively secure their networks to the level demanded.

“At the same time, the complexity of networks and IT environments is increasing all the time. Next-generation networks carrying rich content and functionality might be driving business success, but they are causing enormous pain for the CIO. As an example, BlackBerrys open up a TCP session each time they access the network, which is relatively easy to secure. iPhones on the other hand open up 500 sessions each time - neatly illustrating the growth in complexity that these new technologies are bringing.”

Providers

CA has a number of MSPs that use its security products. Allan Smith, VP channels, Pacific at CA, said, “Challenges for MSPs are that there are a lot more granular requests from clients: different things for different segments of clients’ businesses.

“It is more challenging for MSPs than enterprise customers because MSPs have multiple clients who they need to provide different levels of security to, as well as stopping external threats to their infrastructure. They also need to keep each client’s security segregated. Access is very important too, de-provisioning and provisioning, the granularity and robustness of the systems is important and when employees leave - the compliance issue comes to the fore as sometimes disgruntled employees can wreak havoc.”

Managed email security is growing just as software as a service (SaaS) is growing. “It used to be a ‘nice’ to have service but as resources become more constrained more companies are using the email security service and are using the web security service as well,” said Jonathon Wilkinson, Sydney-based director of business development, hosted security, APAC.

Wilkinson said, “90% of emails are complete and utter rubbish and the burden of managing this load is becoming too much.

“Websense supplies four layers of antivirus protection for both inbound and outbound email. To manage these AV licences within an organisation would be very resource intensive so it makes sense to employ a hosted email security service.

“It is, however, not a verticalised market but size does matter as SMBs such as legal practices cannot be expected to have the operational expertise to manage email security so they leverage our expertise,” said Wilkinson.

Paul Ducklin, head of technology, Asia-Pacific, Sophos, looks at the pros and cons when it comes to managed security versus doing it all in house.

There is no single approach to security which will please, or be best for, everyone (which is not necessarily the same thing as pleasing them, since security is usually in a trade-off with functionality). This is reflected in the way that non-niche security companies offer products and services.

Note that you can pick and choose from a number of options such as endpoint protection, software-based network edge protection, in-the-cloud protection and appliance-based network edge protection, and larger organisations which are serious about security will often use all of them.

For example, they might use a basic in-the-cloud filtering service to dispose of obviously unwanted content (such as email from blocklisted computers) up front. They might have a filtering appliance at the network edge to cut out as much as possible of the remaining unwanted content, but in a way that satisfies their privacy and security concerns. They will probably also have software-based filtering on their internal servers to restrict the movement of malicious and unwanted objects inside their own network. And they will almost certainly have a suite of endpoint protection software - such as anti-malware, endpoint access control and an application firewall - as their final line of defence.

More than 15% of the Fortune/Global 500 companies are Symantec MSS customers. Symantec gathers data from more than 2 million decoy email addresses, 150 million desktop antivirus sensors, and 40,000 intrusion-detection and firewall sensors worldwide. This combination of insight, research and expertise allows the vendor to relieve organisations of the burden of analysing and correlating critical security intelligence, all while providing greater insight into key business information.

Benefits

The Advantages of a Hosted Security Model, the 2008 Osterman Research report sponsored by Websense, investigates how organisations today are responding to the new volume and new types of email threats. The purpose of the survey was to assess the actual costs of deploying a messaging security infrastructure on premise versus using a hosted deployment model.

Most organisations have not yet considered migrating to a hosted email security solution. Many organisations often underestimate the cost of managing their on-premise infrastructure, and so assume that it is always less expensive to manage messaging security in house; or they do not understand the high level of security provided by hosted providers relative to in-house management.

That said, Osterman Research found that decision makers are increasingly open to the idea of hosting critical applications such as messaging security. Most decision makers do believe that hosted messaging security offerings can provide a number of advantages, including reduced costs for IT labour and upgrades, improvements in the capture rates for spam, viruses and other threats, and greater organisational flexibility.

And because most hosted providers maintain very robust data centres, they can typically offer very high levels of reliability and service level agreements that would be difficult for internally managed systems to match.

“In today’s era of complex network environments and limited resources, it can be difficult and costly for organisations to evaluate and deploy security controls capable of keeping up with a continually changing threat landscape. And even then, competitive pressures make it hard to find, train and retain knowledgeable security personnel. MSS enables organisations to maximise the value of their investments in information security technologies and the skill development of personnel. MSS enables organisations to focus on core business issues and enhance their security posture, while reducing the volatility associated with security management staffing,” said Peter Sparkes, senior manager, Symantec Security Response.

Martens said, “No capital outlay for an in-house system; no necessity to employ in-house IT skills; no footprint and ongoing maintenance requirements; no additional energy costs; and any glitches are someone else’s problem, are all benefits.”

And the last word goes to Ducklin: “In short, if you can afford it, go for defence in depth -  giving yourself more than one chance of heading off each attack or compromise - and you will significantly reduce risk. Light-heartedly speaking, there are two approaches to this: start with nothing and add layers of security until you can’t afford to buy any more; or start with everything and remove layers of security until you can’t afford to have any less.”
