By Stephen J. Bigelow, Features Writer
In the first installment of this Hot Spot Tutorial on how to provide managed security services, you learned some of the essential concepts of managed security and the role of managed security service providers (MSSPs), but offering managed security isn't a simple move for value-added resellers (VARs). It requires a sophisticated and expensive IT infrastructure to accommodate simultaneous remote subscribers, along with a variety of highly integrated software tools. The second installment of the tutorial takes a closer look at technological issues, discussing VAR and client infrastructures, service reselling, consulting and the implications of service disruptions.
Service infrastructure requirements for managed security service providers
It's impossible to identify a single ubiquitous set of hardware and software for a managed security service provider -- there are simply too many potential services, client types/verticals, compliance rules and other issues to consider. However, multi-tenancy is a core element of any MSSP infrastructure. That is, you can't protect one client at a time. MSSP systems must be able to communicate with every client simultaneously, process every client's details and store data related to that client in real time. So your servers and systems must ensure enough connectivity and storage to support the entire client base simultaneously.
"Even the largest enterprise doesn't have the multi-tenancy, the data storage and the bandwidth requirements that an MSSP does," said Jason Hilling, manager of platform solutions for IBM's Global Technology Solutions in Atlanta. "It's a big expensive infrastructure -- it is not cheap to get into the MSS business."
Some smaller providers choose to outsource their data center facilities to a third party, but major players feel strongly about owning and operating their own data center.
The expense and complexity of your infrastructure is further compounded by redundancy. A redundant data center housed at a distant location may receive backups from the main data center for everyday MSSP operations. Redundancy also plays a key role in preventing downtime and service interruptions that might compromise the service agreement. Not every provider makes an investment in redundant facilities.
MSSP staffing levels are equally diverse, and can vary dramatically depending on your size, services offered, client base and other services. But staffing normally includes an IT staff to handle the internal infrastructure and operations, an outside technical staff (including security experts) to consult with and manage clients, and a sales staff to generate new revenue.
"Our sales force represents about one-third of our total employees," said Steve Lubahn, senior technical sales representative for LockNET Inc. of La Crosse, Wisc. Lubahn added that LockNET also has a compliance consulting staff, which other providers may or may not have.
Software tools are another challenge for managed security service providers. Security reporting is a core task. You need to take raw information from the clients' various security technologies, parse it, analyze it, and then summarize and present it to the client. Reporting should include graphical representations, as well as provide details on events and issues that you acted upon. This is how you justify your monthly fee as a service provider.
Beyond the actual reporting, it's important to include a trouble ticketing system that provides tracking and workflow visibility, usually provided through a client portal. A billing system tracks services, generates the bill and follows receivables. Also include a configuration and change management system that can help set up new clients and adapt to the changing needs of existing clients.
In each example, tools leverage the use of automation and allow you to streamline management, reduce excess staffing, stay responsive to the client and increase your profitability as an MSSP. Unfortunately, most of the tools used by MSSPs are not available commercially.
"MSS providers have been forced to do a lot of development of their own tools in order to service the customer base cost-effectively … and these are things that you just can't simply buy off the shelf today," Hilling said. "I would say that that's probably the single largest barrier to entry into this business right now."
While Savage and Hilling both emphasize the importance of custom tool development, prefabricated platforms are available for managed service providers. MSP platforms are used to deliver services and applications to clients as well as remotely monitor servers, firewalls, Exchange servers, Active Directory Servers, routers or switches from a central location. Commercial offerings are available from vendors including Kaseya, SilverBack Technologies and N-Able Technologies. Open source platforms include Nagios.
Infrastructure requirements for clients
In an ideal situation, your clients won't need additional equipment or staffing in order to use your services. As a managed security service provider, you're basically managing security equipment that's already on the client's site, or the client is using infrastructure that's deployed at your site. In actual practice, however, your client may need to provide some amount of equipment or staffing to facilitate your services. In every case, a provider tries to minimize the impact of services on its clients.
A client may need to add security equipment if they currently have no manageable equipment on-site. For example, the client may need to buy a firewall that you can manage for them, or they may need a log or event management system that can collect and aggregate event information before sending it to you. A savvy provider can use these opportunities for additional revenue through equipment sales or leasing. "Sometimes customers buy those devices, and then they put a managed services contract on top of them," Hilling said. "Other times, customers might lease those devices from their provider."
Client staffing is often the trickiest part of managed services. Ideally, clients should not need additional IT staff. In fact, IT staffing demands should decrease. "In most cases, managed service providers are going to be able to provide customers a cost savings ranging from 20% to 50% savings over applying the appropriate staff in house to do the comparable work," Hilling said.
Still, a service provider is not present at the client's site, and some security tasks may require intervention by IT personnel on the client's side. For example, you might perform a vulnerability test and discover one or more vulnerabilities across your client's infrastructure. In those cases, you report the findings to the client, who is then responsible for validating the tests and performing the actual operating system or application patching. Such tasks do not require highly skilled security experts, and the client can usually leverage their own staff for those issues.
The biggest potential impact on client staffing occurs with intrusion response. You can typically block an intrusion or take countermeasures to stop the attack, but only your client may be able to perform certain mitigating actions on site. Some clients assign dedicated staff to be available 24/7 or on an on-call basis to work with an MSSP when serious events arise.
Service outsourcing (or 'two-tier' service distribution)
Smaller VARs eager to explore the MSSP business, but hesitant to invest in the personnel and infrastructure, might consider MSSP outsourcing. You might resell the managed security services provided by others or take the "white label" or "private label" approach, whereby you sell the services of a major MSSP under your own banner. Such outsourced services are generally stable, mature offerings with rapid time to market.
"There are quite a few options today for getting that 'two-tier' distribution of services," said Drew Savage, MSSP manager of the U.S. service provider group at Fortinet Inc. Savage said that Fortinet has a lot of partners that resell FortiGuard security subscription services. "That's a huge piece of their revenue," he said.
The biggest drawback to service outsourcing is margin, and Savage cited at least 20% lower margins for VARs that resell the managed services of an outsourcing partner. However, lower margins are often more than acceptable if you're reselling services to complement your existing service or product offerings. "If you have a value-added service out there, margin isn't necessarily the No. 1 driver," Savage said, citing other drivers like client retention or keeping pace with service offerings from competitors.
Standardizing your managed security services
Whether you're building your own managed service business or reselling the security services of other MSSPs, you won't be developing or tailoring services for each individual client. MSSPs offer well-structured and well-defined services, grouping services into a variety of levels to meet the broadest cross-section of client needs.
"Those providers that tried to deliver 'one-offs' and a different solution to every customer quickly found that they couldn't make money in the business," Hilling said.
Consequently, clients should not expect extensive up-front consulting prior to signing a contract. Major issues, such as infrastructure analysis and deployment of security equipment at the client site, may require a professional service engagement. It really depends on how much you're willing to offer the client in order to get their business.
Service offerings may be fairly standardized, but Lubahn points to a relationship between consulting and sales, noting that client procurement trends upward as they rely on the MSSP for more IT services and engagements.
"We made a pretty dramatic shift a few years ago away from equipment. I would say our business today is probably 25% to 30% equipment -- and that's actually gone up," Lubahn said, noting that the remainder of the company's revenue comes from security services and consulting.
MSSP infrastructure changes and the client
You will inevitably experience downtime at your main data center. Most downtime events will be routine, dealing with issues such as hardware maintenance, installing firmware updates or applying software patches. Other events will be more unique, such as installing additional systems or upgrading aging infrastructure. Security attacks (such as denial-of-service attacks) may result in some temporary disruptions until their source can be isolated and any effects mitigated. Natural disasters like fires or floods can also cause serious business disruptions. Regardless of the cause, your downtime can leave clients exposed to security threats. Your contract with the client should include a reasonable maintenance window, and the client must understand that such outages are allowable without compensation. Scheduled outages should also be preceded by at least 90 days' notice to the clients, followed by periodic reminders right up to the actual downtime.
Many service providers are mitigating the impact of downtime with redundant data center facilities. A fully redundant data center can potentially support the business with little (if any) impact to service levels. In most cases, redundant facilities do not fully match the main data center and may not offer identical service levels, so the client may see degraded service until the primary data center comes back online. Still, redundancy offers some coverage, so your client is not left completely unprotected for critical services like intrusion detection/prevention, firewall hosting and so on. The need for redundancy reflects the extreme pressure to maintain services 24/7/365.
"I think the idea of maintenance windows -- those periods of outage -- are going away," Savage said. "There's too much competition, and people are intolerant of a service provider going down even once a year for four hours."