The momentum behind outsourcing core IT services including security is, according to industry experts, growing at a faster rate than ever before. And there is little doubt that the option can appear compelling.
Handing over security functions to highly professional specialist hosting providers that have armies of trained staff and the very latest hardware and software is touted as a panacea that can enable enterprises to simultaneously save money and improve service levels, while concentrating on their core business.
However, no matter how attractive the hosted service model might be, no savvy enterprise should relinquish control of such a fundamentally important aspect of its business as IT security without fully assessing the pros and cons of such a move. Firms considering going down the hosted route must address a gamut of pressing and critical questions to determine if such a radical step will provide real, long-term business benefit. And the most important of these questions is not whether they can outsource IT security functions, but whether they should.
Chris Potter, a partner at PricewaterhouseCoopers, believes that the hosting of core IT services is on the rise. He cites the DTI's Information Security Breaches Survey 2006, released at this year's Infosecurity Europe 2006. The report reveals that 53 per cent of UK businesses outsource some of their IT operations.
He notes that two key barriers standing in the way of hosted, server-centric services in the past have now been overcome – the ability of users to connect to the server and the ability of their machine to run the service.
"The internet has changed everything," says Potter. "Broadband and wireless networks enable users to connect to services wherever they are in the world. And the web browser provides a standard interface with server-based applications. The DTI survey shows that 97 per cent of UK businesses now have an internet connection, 88 per cent of which are broadband. So it seems the traditional barriers are no longer an obstacle.
"There are many benefits of hosted, server-centric services over, say, an end-user computing model. Servers can scale up to meet the demand as the business use develops. Key data is held in one place, so that version control issues are minimised and backup and recovery are straightforward. Change control is easier to enforce in a server environment."
According to Paul Henry, vice-president of strategic accounts at security firm Secure Computing, this move towards decentralised, hosted services is quickly gaining momentum.
"We seem to have come full circle, moving from a centralised architecture in the mainframe days to a decentralised architecture as PCs have gained in both performance and popularity," says Henry.
"Application Service Providers (ASPs) were the pioneers of the business model, but had stalled in making progress in gaining significant market penetration. This might have been because of marketing missteps, but now the trend is clearly moving us back to a centralised services approach."
This view is echoed by Teresa Jones, senior research analyst at Butler Group: "Following the 'near-death' experience of the ASP model of providing software, the renewed vigour of 'software as a service', often abbreviated to SaaS, means that organisations now have a wider range of options for the deployment of their enterprise applications."
Nick Coleman, head of security services at IBM, agrees that enterprises are already embracing a utility computing model, through which most services – including security – can be effectively delivered by third-party hosting partners. "We're heading towards more grid-based computing, in effect making computing more like electricity – providing access to computing power whenever the user needs it. Or in other words, harnessing resources across a secure infrastructure. Whether the model is centralised or distributed computing, the key will be providing a secure infrastructure to run business services on," says Coleman.
"In terms of achieving this, a hosted environment can make it much easier to provide a secure infrastructure – with, for example, hosted email where security can be enabled as part of the services. Users no longer need to worry about evaluating every different product; they just need to focus on specifying the service levels they need for their environment."
Coleman believes that this move to grid-based computing, which in some respects mirrors the mainframe/dumb terminal partnership that was prevalent before the rise of PCs, should therefore not be seen as a retrograde step. Instead, he asserts, it is more like harnessing the computing power companies have already deployed, while taking advantage of the secure infrastructure elements that hosted email and other applications can provide.
Clive Longbottom, service director at independent analysts Quocirca, explains that the concerns which have prevented firms adopting hosted security services in the past are steadily being assuaged, but that strong resistance remains.
"We are seeing a definite and growing trend towards outsourced security," he says. "In the past, companies just could not understand how managed security would work. But a growing number now realise that rerouting traffic through a managed security provider's environment can improve the security of their networks by blocking out problems such as hackers, viruses and spam.
"Many companies are realising they have neither the time nor the expertise to deal with security, and therefore it is easier to go to a specialist third party."
He adds that tighter corporate governance and auditing regulations are also playing a part in this trend towards hosted security, because in many cases they have created a situation where firms are legally obliged to store anything that arrives on their network.
"So if they have picked up a virus, for example, they would need to store it – which is not a good idea. But if it had already been filtered out by a hosting partner, this would not be an issue."
Secure Computing's Henry agrees that regulatory issues are becoming an important driver behind the adoption of hosted security offerings. "Cost savings have historically been the biggest motivator for an enterprise considering outsourcing security. Looking forward, cost savings will still be a major consideration, but perhaps in terms of shifting both regulatory and legislative liability from the enterprise to the outsourced security provider," he predicts.
He adds that there will be a movement to include liability for violations of regulations such as Sarbanes-Oxley and personal data breach legislation in the Service Level Agreement (SLA) terms and conditions of security providers.
Security providers will of course need to have deep pockets to withstand the liability of problems such as personal data disclosure in the US: "Hence, we will probably see some necessary consolidation within security providers as they recognise that size in terms of capital for the provider will be an important future consideration," adds Henry.
Malcolm Marshall, a partner in the IT Advisory section at KPMG, agrees that hosting is gaining in popularity, especially among smaller firms that have limited in-house resources. But he believes that adopting such a model would be inappropriate for many enterprises.
"We are certainly seeing a move towards centrally managed server-based services, many of which are hosted, but the decision to outsource is definitely not a no-brainer. Each organisation will have different reasons for choosing an internal or external route," he says.
"As web-services technology matures and bandwidth becomes cheaper, this trend will continue, but the extent of this will vary. Knowledge-workers will continue to need powerful, client-based capability, while process-based workers will continue to make the most use of server-based solutions."
But Marshall warns that the road to outsourced security is fraught with dangers: "Many companies face a security management nightmare when it comes to hosted services. It is common to find companies with strong internal security management using many different hosting service providers. This is usually because they have been selected on an ad hoc basis by areas of the business without any consultation with IT."
He cites one company that recently found that it was using more than 100 different hosting providers. "All these were providing variable standards of security, few of which complied with corporate security requirements."
PwC's Potter adds that firms using hosted security services must be careful to address security and data protection issues, particularly where the servers running a service are located offshore.
"Unfortunately, most users just don't consider the security issues associated with storing confidential information such as email addresses on a third party's servers, which could be located anywhere in the world. They just see the benefits to themselves in their day-to-day lives," he says.
"There is a downside to replacing software on the PC with a hosted solution. When your PC stops working, your neighbour's machine probably still works, so it's just an inconvenience. But when a hosted server goes down, it can be catastrophic. It's critical that businesses have thought through their availability requirements and have checked that any hosting provider can meet them."
"Hosted security is like anything in the security world: a trade-off between risk and cost," says Alfred Biehler, product manager at Microsoft UK.
"If an organisation is heavily dependent on an email infrastructure with unique requirements not offered by hosted offerings, such unique requirements mean that, say, the Pentagon might not like to outsource. But if you say that it might not be necessary to employ five people to keep email anti-virus and anti-spam up to date, then maybe you would outsource to Microsoft. It depends on your circumstances."
Placing the responsibility for your network security in the hands of a third party in today's litigious environment, brought about by the rapid changes in both regulations and legislation, can be a difficult decision, concedes Secure Computing's Henry.
"While outsourcing security can afford cost benefits to an enterprise, it does not necessarily relieve the burden of liability to the enterprise due to data disclosure," he says.
"Unfortunately, we are still in an environment where security is a secondary concern to cost in comparing outsourced security offerings. Organisations are still primarily looking at outsourced security offerings to boost their operating profits, not to improve their security posture."
Henry goes on to warn that application attacks are currently the most popular attack methodology across the internet. Yet he argues that many of the vendors offering outsourced security are providing only reactive solutions that address network- and protocol-level attacks. He attributes the reluctance to implement proactive, application-layer defences to the desire to keep costs to a minimum in order to attract new clients.
"Until consumers demand better application-layer security from providers, perhaps within their service level agreements, we will not see dramatic improvements in the level of security provided by firms offering outsourced network security," says Henry.
Marshall goes on to advise firms that, if they go down the hosted services route, the biggest challenge is defining the requirements, because these can move quite rapidly in security: "The secret of success is defining a framework that allows the requirements to develop in step with the company's evolving needs."
Some companies now have detailed versions of their security requirements that have been designed to help service providers understand the customer's needs before they submit a proposal.
Without this, it can be difficult for the outsourcers to determine the level of security needed. After all, as Marshall points out, one person's best practice is another's minimum requirement.