Understanding managed security services: An intro for VARs

Security is a critical business function that can strain the resources of even dedicated security staff. Corporations are meeting these challenges by outsourcing security tasks to managed security service providers (MSSPs) that specialize in delivering a suite of security services. This overview can help value-added resellers (VARs) understand the essential elements of the MSSP business, assuage clients' fear of risk and get a basic overview of MSSP cost structures.

An increasing number of value-added resellers (VARs) are adding managed security services to their portfolio for sources of incidental and recurring income. Leveraging today's network technologies and the availability of sophisticated new security products, managed security service providers (MSSPs) can supply a mix of security consulting engagements, product sales and maintenance, as well as an array of ongoing monthly services, to their client base. The need for managed security services is particularly acute among small and medium-sized businesses (SMBs) where IT staffing is minimal, yet data security and regulatory compliance needs remain integral to the clients' business. This overview of managed security services is designed to help VARs understand the essential elements of the MSSP business, assuage clients' fear of risk and get a basic overview of MSSP cost structures.

What is an MSSP?

In the simplest sense, a managed security services provider is responsible for managing existing or newly installed security products located at their clients' sites. The MSSP takes the time to understand the security needs and capabilities of the client, maps services and products to the client's infrastructure, and then deploys those services and products as required -- much as a VAR does. But an MSSP goes further to provide proactive security support to the client over time, usually on a subscription basis. "It's full lifecycle management and maintenance of that [security] technology," said Drew Savage, MSSP manager of the U.S. service provider group at Fortinet Inc. in Sunnyvale, Calif.

Such management and maintenance may include break/fix operations of security technologies deployed at the client's site, configuration changes to security appliances, hardware or software, subscription updates and so on. In each case, the MSSP acts on behalf of the client, and provides full reporting of all incidents and actions performed for the client. "There was a bad IPS event, and the signatures were updated to mitigate that risk," Savage said. "The end user needs to be notified of that event."

In addition to detailed tracking and reporting, MSSPs must also accommodate changes to the client's site as they occur. For example, if a new Web server or intranet site is added within the infrastructure, the MSSP needs to change the configuration of deployed security technologies accordingly -- making coordinated change management particularly important.

There are numerous services you can offer as a managed security services provider. General offerings include virus protection, spam blocking, firewall management, intrusion detection and prevention, log management and Web content filtering. This makes up the bulk of basic services, although the actual services offered can vary depending on your areas of expertise and vertical. Many MSSPs also provide an even richer suite of security services, such as VPNs, user authentication or central identity management, data forensics analysis, vulnerability assessment, penetration testing and evaluation, and data leakage detection and prevention. You might also consider offering services to help clients meet regulatory compliance obligations.

MSSPs can operate in any vertical market that is sensitive to security issues. This constitutes just about every industry sector today, so the vertical you're targeting as a VAR is likely to also need your managed security service offerings. The financial industry is certainly a large consumer of managed security services, followed in no particular order by education, retail, healthcare, utilities, insurance, manufacturing and government.

The MSSP opportunity and client needs

MSSPs have traditionally catered to the enterprise, but opportunities also exist for channel partners who service SMBs. Over the last five years, continued developments in technology and a greater acceptance of "outsourced IT security" have allowed MSSPs to push their services down market, targeting more midsized businesses and even embracing the SMB. There's no doubt that large corporate clients are still the biggest revenue source for MSSPs, but the move down market is clearly underway.

"The small to medium[-sized] business market is the biggest growth area," Savage said, noting that large MSSP partners currently derive 75% to 80% of their revenue from midmarket and enterprise clients today. "I fully expect that to flip over to be SMB focused, but that's going to take another 24 months," or sometime in early 2010, he said.

Some MSSPs are actively catering to SMBs today. "We tend to serve organizations of about 250 to 300 users and down," said Steve Lubahn, senior technical sales representative for LockNET Inc., based in La Crosse, Wisc. Lubahn observes that the role of MSSPs appears to change depending on the client's size, noting that smaller clients tend to rely on the MSSP as a full-featured IT resource, while large organizations with more internal IT resources will leverage the MSSP in more of a consulting role -- interacting with the organization's current IT staff.

The move to managed security services by corporations is driven by a convergence of IT expertise limitations, resource allocation and business needs. The simple fact is that most corporations are not in the business of providing IT security. Yet the legal and financial implications of security oversights cannot be ignored. This puts pressure on other IT staff (who are not necessarily security experts) to install, configure and manage security products that the corporation is invariably forced to buy. Rather than facing the added strain and potential liabilities of internal security management, companies opt to outsource security tasks, mitigating staff growth and freeing the limited number of existing IT staff to handle more productive IT projects, such as a new VoIP rollout.

Since data security is often tied to business needs like regulatory compliance, companies consider outsourcing security tasks to expert MSSPs that can provide a path toward (or even meet) the client's compliance requirements. Providers offering focused regulatory compliance solutions in addition to security services find a strong demand from clients.

"We've become very well-versed in the financial vertical; we also do compliance consulting," Lubahn said, echoing an emphasis on compliance support and intimate knowledge of the corresponding vertical that is repeated by others in the managed security services business.

However, the actual amount of compliance support you offer will depend on your staff's expertise and the amount of support required by the client. The onus is on you, as the managed security services provider, to understand the relevant regulations and apply best practices and reporting to meet the client's needs. You might consider staffing compliance experts and command a premium for your service.

MSSP risks and risk mitigation

Even the most capable Unix administrator, backup administrator or other IT professional within a client's organization may not have the appropriate skills, training, certifications and capabilities to secure the corporate environment in a manner consistent with governance frameworks or regulatory requirements. In many cases, outsourcing is "a means for the organization to offload some of the risk associated with security," according to Jason Hilling, manager of platform solutions for IBM's Global Technology Services unit in Atlanta.

While this presents a substantial opportunity for MSSPs, it also entails risk -- it's absolutely critical for a service provider to understand the regulatory requirements that their clients are operating under. Clients will look to you for sound and reliable guidance, especially smaller organizations that lack internal IT and corporate governance expertise. Proactive monitoring and rapid response are crucial to mitigate security incidents like virus detection or intrusion for both yourself (the MSSP) and the client -- don't ignore your own back door while guarding your client.

But there are some ways to minimize risk -- starting with the actual service contract itself. MSSPs must clarify their service offerings, delineating what the client is entitled to, their avenues of resource (such as binding arbitration to resolve disputes arising from service), the path of service/support escalation and other details. A service contract should also include provisions for both expected and unexpected service outages; including how and when the client will be notified of outages. Service contracts must also address the resolution path for potential security incidents, detailing the ways in which you will notify the client and respond, outlining any support needed or expected from your client, and incorporating protections or mitigations for security incidents that you may miss -- be sure to limit your liability. You may also need to disclose security incidents and resolutions as they occur within your own infrastructure, so the service contract should detail any obligations on your part.

Other due diligence tactics can help. You might provide clients with a comprehensive list of current references or discuss common procedures such as employee screening, regular password rotation and other security best practices used within your organization.

Visibility is another tool that MSSPs use to assuage their client's fear of risk. Most providers provide a Web portal that allows the client to see into the provider's environment, follow the provider's news, notices and updates, check configuration of the client's own devices, receive current reporting and billing data, submit/track action tickets or even access support through forums, chat or email.

Beyond visibility, MSSPs may also pursue a variety of outside certifications to demonstrate that processes are in place to deliver their services in a consistent and reliable fashion. Popular certifications include ISO, SAS-70, BS-7799, SysTrust and certification through the MSP Alliance. Independent certifications like these also demonstrate that you are doing everything possible to guard against security breaches.

Finally, MSSPs may tout redundancy in their infrastructure to guard against risk due to security service interruptions. For example, providers may require periodic downtime to maintain or upgrade their own infrastructure. Any such "routine" downtime is normally written into the service contract. Providers with redundant facilities can minimize the potential risk of service outages by maintaining operation (even at degraded performance) through backup facilities.

How to charge for your managed security services

Most MSSPs charge some up-front fee for equipment and setup, along with a recurring monthly fee for services. But it's interesting to note that MSSPs are seeing a change in paradigm. Traditional fee structures involved high initial fees and low recurring charges, but this is reversing to low (or no) initial costs and higher monthly fees -- usually over a contract period of several years.

"The midmarket and SMB aren't going to pay $5,000 up front for security technology … the market won't bear it," Savage said, noting that the same consumers are much more receptive to a $150 per month fee for several years. The actual monthly fee can swing wildly from $50 to $500 per month per location, and is substantially influenced by the particular vertical market. For example, the retail vertical is extremely frugal, while the same security services provided in the financial vertical may be as much as 10 times more expensive.

Dig Deeper on MSP business model transformation