Difficult economic times are forcing some organizations to ...



Contents

Tips and Tactics
  2   SaaS considerations
  7   Questions to ask your SaaS provider

Evaluating
  16  Outsourcing vulnerability management
  23  Security in the cloud

Security SaaS: Difficult economic times are forcing some organizations to look at security as a service. We'll weigh the opportunities and the pitfalls.

BY INFORMATION SECURITY AND SEARCHSECURITY.COM
SPONSORED BY
SaaS: Taking the Services-on-Demand Plunge
BY BARBARA DARROW

Tight budgets and regulatory demands are driving companies to tap service providers for security.

It may seem a counterintuitive move, but a growing number of companies have signed on outside services to protect their internal networks and data. Vendors such as Veracode, Websense, Qualys, Alert Logic and Google subsidiary Postini lead in answering this security-as-a-service charge, while incumbent security powers such as McAfee and Symantec figure out how to enter the fray without cannibalizing their existing businesses.

Some of these subscription services watch overall IP traffic, some scan email, some watch Web content. They all issue alerts and take action in the event of a threat.

So what leads a business to trust outsiders with its inside-the-firewall treasures? Constrained IT budgets and burgeoning regulations are prime factors.

Scott Smith, senior network engineer for Lincoln Property in Dallas, says Lincoln brought on a service so it wouldn't have to hire more people to monitor its system and security logs. Before signing on with security services provider Alert Logic, the real estate management company didn't have much more than a syslog server and staffers reading through tons of logs. "That is a nightmare, and the odds of finding what you're looking for are slim to none. It was an overwhelming task," Smith says.

And logs read after the fact are of little use against ever- and quickly changing security threats.

"The things that change most in our world are security threats. Why invest in an expensive [in-house] system when we can use experts? They read the logs, they provide immediate alerts. And there is no capital expense, but a small monthly fee," Smith says.

Compliance pressures also are driving companies to bolster security via a subscription service. Chris Smith, vice president of marketing for Alert Logic, cites the Payment Card Industry Data Security Standard (PCI DSS) as a key motivator. Pushed by the major credit card companies, these standards dictate what users must do to comply and assess penalties for noncompliance, ranging from $500,000 per instance to a ban on processing credit cards.

"Unlike some government regulations which can be very general, PCI is very prescriptive," says Smith. "You must have antivirus, you must have a firewall and intrusion detection, you must have periodic scans."

Whereas Qualys mostly targets large enterprise accounts, Alert Logic's sweet spot is more in midmarket businesses, many of which see the cost of deploying on-premises personnel and solutions as beyond their budget.

The PCI penalties demonstrate how security-as-a-service differs in one respect from business application service offerings like Salesforce.com or NetSuite. While cost analysis shows that hosted CRM, for example, can cost more than on-premises CRM after three or four years, such calculations don't necessarily hold in the security realm for one good reason: The downsides of a big breach are incalculable.

"You can't run a spreadsheet that will tell you how much you might lose because you don't protect your information," says Alert Logic's Smith. One might point to the massive TJX credit card breach as a cautionary tale.

In some cases, SaaS doubters don't want their information residing anywhere in the cloud; the outside-the-firewall aspect still spooks many companies and government agencies.

"These in-the-cloud providers must haul event and security data to a central data center," says Andrew Plato, president of Anitian Enterprise Security, a consulting firm in Beaverton, Ore. "That turns off a lot of customers who do not want their security data commingling with other companies' [data]."

For Paul Simmonds, former global information security director for chemical giant ICI and now chief information security officer for London-based Astra Zeneca, that fear is unwarranted. ICI adopted Qualys' service about five years ago to offload the management of network protection and its associated headaches.

"My data is encrypted with my keys on their database. [Qualys] systems admins can't even access my data," Simmonds says.

Another perk is that security services overlay the customer's existing infrastructure. ICI and other users continue to run their existing desktop security and other software. "Qualys is an addition; we don't have to change the way we're working," Simmonds notes.

For smaller companies, the notion of foreseeable costs also leads them to security services versus on-premises solutions. Incremental subscription payouts aren't large capital expenditures like big up-front purchases of hardware and software for security monitoring.

"Predictability helps for budgeting. You know how much you'll spend annually on hardware, support, service and maintenance. It's almost a no-brainer," says Joey Rappaport, IT manager for Rosetta Resources, an oil and gas company.

Rosetta started with one Alert Logic appliance at its Houston headquarters a few years back and has added a second at its Denver site. "The only time the cost goes up is when you add another hardware unit," Rappaport says.

But the biggest driving factor for choosing SaaS, Rappaport says, is that there is no need to dedicate personnel to security and threat monitoring, which are full-time jobs.

Qualys CEO Philippe Courtot says the nature of the Web forced the move to security services. As companies opened their lines of electronic communications to work better with partners, suppliers and customers, their networks had to become more porous, so the old tactic of defending the perimeter was no longer applicable.

"People used to do security audits once a year; the rich ones implemented scanners from ISS. But now people realize all these vulnerabilities are not just at the perimeter but inside. They need to understand their network from beginning to end…and it is no longer practical to deploy a management solution that requires you to install it and manage it yourself," Courtot says.

He likens how Qualys combined its service—which watches a customer's network from outside with an appliance that guards it from the inside—to what Apple did in another realm. "Apple Computer connected its iTunes service to a device, the iPod and now the iPhone, and completely changed how music is distributed. We connect our service with our appliance to look at your network vulnerabilities. We are bringing security and compliance together," Courtot says.

Another player, Veracode, offers an on-demand service to find software vulnerabilities. In the past year there has been a flurry of M&A activity as tech giants and others are buying their way in: Google snapped up Postini; SurfControl bought BlackSpider and was in turn bought by Websense. The security incumbents are also reacting; McAfee is starting its own service and Symantec is promising several service-delivered capabilities.

Courtot maintains that just as Microsoft struggles with the SaaS model because it wants to protect its lucrative on-premises software business, the security giants will not be able to retrofit their wares into a services model.

Those giants would disagree. Symantec has promised to make a set of infrastructure software services available, starting with a new backup service that was due late this year. Symantec's promised network "will be delivered via a software-as-a-service paradigm over the Web by browser, administered over the Web and managed over the Web," says Chris Schin, director of product management at Symantec.

Symantec's recent acquisition binge included Brightmail, a leading antispam service, which bolsters its services expertise.

It is becoming clear—whether the market goes to one of the young upstarts or to a more traditional incumbent—that more customers would like to stop threats before they enter their domain.

Alert Logic's Smith likes the answering machine analogy. "How many people now use an answering machine versus a phone company service? That's a great example of moving key infrastructure off-site to a provider. [Those services] can do things that a machine could never do, like put your messages on a Web server," he notes.

There is evidence that more companies of all sizes are seeing the logic there and are at least kicking the tires of the security service model.

In a July report, Credit Suisse said the security-on-demand model is starting to find favor in both SMBs and enterprise accounts. "We expect this trend to accelerate in the coming years as customers are now beginning to favor the higher cost savings from on-demand solutions," Credit Suisse research analysts Phillip Winslow and Dennis Simson wrote.

Barbara Darrow is a Boston-area freelance writer.
7 Security Questions to Ask Your SaaS Provider
BY HEATHER CLANCY

Outsourcing an application means your organization relinquishes some control; don't, however, loosen your grip on security.

In a bizarre way, the high-profile phishing attack against Salesforce.com suggests the software-as-a-service (aka SaaS) model has come of age. In that attack, a spoofed email message was apparently used to lure a Salesforce.com employee to release certain customer information, which was in turn used to launch a secondary phishing campaign. While the breach was certainly embarrassing, it illustrates the power of the Salesforce.com brand.

It also reminds businesses of all sizes that just because they've outsourced an application doesn't mean they can be any less vigilant about defining a security policy. The difference is that now they'll need to entrust enforcement to someone else.

"A lot of time, I find I'm putting myself in the role of a chief security officer," says Mathew Hegarty, director of infrastructure and security for Net@Work, an IT services firm in New York that often recommends the SaaS approach to its customers. There are certain fundamental things you need to study—from authentication policy to infrastructure redundancy to how often the SaaS provider invests in independent penetration testing—especially when you're talking about a single-tenant service where all customers share the same instance of the software, Hegarty says.

"The biggest thing we focus on with all of this is control of the data," says Michael Mucha, chief information security officer for Stanford Hospital in Palo Alto, Calif., which uses several clinical applications that are delivered as a service, including transcription, and radiology and analysis systems. Given that health care is by far the most regulated industry he has worked in, Mucha has created a standardized checklist for his technical assessment of any application delivered via the SaaS model. Among the most critical of those items are whether or not the service provider complies with SAS 112 audit requirements (which applies to nonprofits), how it documents its procedures for handling a security breach, and how it handles requests for changes and customized features, Mucha says.

Even more important will be the simple policies that a SaaS provider uses among its staff to protect your data. "We have complete access to the data, and we are the only ones with control of the authentication," Mucha says. "The point is that you need a consistent approach to all these situations."

The Salesforce.com breach, which the company acknowledged in an email last November, offers a perfect example of why this is critical. In that message, the SaaS giant acknowledged that data purloined from Salesforce.com was later used to compromise accounts at some of its customers, and Salesforce.com moved to disclose its exposure. Salesforce.com declined to comment on its security policy for this story, but in its email last fall, it made several suggestions for how its customers could protect themselves in the future, including ignoring potential phishing messages, activating IP range restrictions so that the software could only be used on a specified internal network or VPN, or using two-factor authentication.

Building on those ideas, we offer seven questions you should resolve with your provider before investing in SaaS.

QUESTION 1: WHO HANDLES PENETRATION TESTING, AND HOW IS IT DONE?

It stands to reason that if you would hire an outside company to test the effectiveness of on-site firewalls and other IT security measures, your SaaS provider should do the same—regularly.

Chuck Mortimore, director of platform services for Rearden Commerce, which offers the application Rearden Personal Assistant that helps coordinate various organizational tasks of your business and personal life such as booking travel, says his company employs someone to manage aspects of the vulnerability management process. The Foster City, Calif.-based company regularly runs both threat assessments and tests that verify its ability to withstand denial-of-service attacks. If a service provider doesn't invest in creating regular processes for penetration testing, its risk increases exponentially, Mortimore says.

Likewise, Xythos Software, which offers its enterprise document management system as a service, has hired several specialized service providers to help manage security functions. Jim Till, CMO for San Francisco-based Xythos, says many of the company's clients store highly sensitive information such as legal documents or logistics data in its application, which it first started selling as an on-premise option. For starters, the company has teamed up with OpSource, which recently announced Level 1 compliance with the rigorous Payment Card Industry Data Security Standard.

"We would have been foolish if we thought we could do this ourselves," Till says.

Other providers of vulnerability assessment services for SaaS include Qualys (which itself offers its capabilities as a service); Akibia, a security services firm and Microsoft Gold Certified Partner; Perimeter eSecurity, which has been acquiring a slew of SaaS security integrators; and Computer Sciences, which offers a set of operational services for ISVs looking to turn themselves into SaaS providers.

QUESTION 2: WHAT ARE THE SIGN-ON, ACCESS AND AUTHENTICATION POLICIES?

The most common way to get at an application via the Internet is via a username and password. "The normal way is to go to their front door," says Patrick Harding, chief technology officer for Ping Identity, a Denver company that makes identity federation software.

But a growing number of companies are working with their service providers to pull the SaaS sign-in process into the bounds of their firewall or VPN, providing a higher degree of authentication. Simply put, the user must first safely log in to the company's corporate intranet before he or she can sign on to the application in question. This ensures that the login conforms to the company's security policy. Later, if an employee leaves the company, it's easier to disable his or her account access.

Liz Herbert, an analyst with Forrester Research who follows SaaS, says this effectively puts the access policy back into the hands of a company's internal IT department. "Your company may have a password policy, but sometimes the SaaS application isn't being managed according to the same rules," she says. One thing to look for, she says, is whether the SaaS sign-in process can be tied into a single sign-on process (see "One & Done") or integrated with an LDAP directory service such as Active Directory.

"I've looked at some Web-based applications that I've rejected because of this," says Adam Sroczynski, CEO of Ebiztechonline, which uses SaaS to handle project management and business functions. The biggest issues for Sroczynski are the policies a SaaS provider has in place to protect the username and password. If there is no formal plan in place, a breach of the Salesforce.com sort is more likely to happen because internal personnel haven't put in the proper security measures to reduce the potential for human misjudgment. Businesses should consider maintaining control of this process themselves, he suggests. That means, however, that if a password is lost, the SaaS provider won't be in a position to recover it on behalf of the customer.

SINGLE SIGN-ON
One & Done
Single sign-on simplifies access control.

How many account passwords can the average human manage? The holy grail of single sign-on, allowing a person to log in just once for multiple applications, is being accelerated by the move to SaaS accounts, says Adam Sroczynski, CEO of Ebiztechonline, an early user of TriCipher's new on-demand single sign-on software myOneLogin. The more passwords a person must remember, the better the chances that at least one will be lost or compromised, he says.

Chuck Mortimore, director of platform services for Rearden Commerce, a SaaS provider that offers a personal assistant service, says that single sign-on puts access control and authentication back into the hands of the IT department. "It's very important. It provides them with one set of information to worry about, which they already have control over."

Patrick Harding, chief technology officer for Ping Identity, says single sign-on also makes it simpler to disable access quickly if an employee leaves or is terminated. "Plus, organizations can add whatever authentication they feel is necessary. They can reuse things they already have like certificates and tokens. It takes the burden off the SaaS provider."

—HEATHER CLANCY

QUESTION 3: WHAT ENCRYPTION POLICIES WILL PROTECT DATA AS IT IS TRANSFERRED, OR WHEN IT IS BEING STORED?

For starters, you should look for and insist on the strongest encryption levels possible. This was the deciding factor for Aimable Mugara, the IT and multimedia director for the nonprofit organization Free The Children in Toronto, which about a year ago opted to use the Mozy online data storage and backup service. While 128-bit SSL encryption is now fairly typical, Mozy—a division of EMC—offers 448-bit Blowfish on-disk encryption. "That is very rare," Mugara says. Mozy also has taken steps to ensure its service meets compliance standards of the Health Insurance Portability and Accountability Act (HIPAA), which also gave Mugara a higher comfort level.

Prat Moghe, founder and chief technology officer for Tizor Systems, an enterprise data auditing and protection firm in Maynard, Mass., says it's also important to study how the provider stores each customer's data. "How strong is the security program when it comes to the data being stored? If there is a breach, how is that caught? And if the data gets out, is it encrypted?"

Another question worth asking: What breaches has the company had, if any, and how did it manage them?

One way to review the SaaS provider's data protection policies is to request a copy of its SAS 70 Audit Report (see "Up to Standard?"). While SAS 70 is just a "gross level" audit, it does provide a common ground for discussion, says John Pescatore, security analyst with research firm Gartner. "This forces companies to define things in a way that's meaningful to both sides," Pescatore says.

SAS 70
Up to Standard?
SAS 70 audits verify data protection methods.

SAS 70 is by no means a guarantee of security, but it is helping shine a light on acceptable security processes around SaaS.

SAS is short for Statement on Accounting Standards. The SAS 70 report details exactly what measures someone is taking to protect your company's data. The Type I audit covers whether a SaaS provider has internal controls that are described in its disclosures to customers; Type II tests those controls in action.

John Pescatore, security analyst with research firm Gartner, says one good thing about SAS 70 is that it is recognized by corporate auditors. "If you use someone who doesn't use this measure, then you're always at risk," he says. "It sets a barrier to entry." But Pescatore recommends adding a service-level agreement that outlines specific security measures, what will happen if something goes wrong and who is liable.

—HEATHER CLANCY

Shally Stanley, managing director of global services for Acumen Solutions, a security technology services provider, says her team forces its customers to step back and consider the type of data that would be stored.

"These questions are largely governed by the company's own risk posture and the type of data that is being handled," Stanley says. "There are organizations that have very sensitive data that cannot, under any circumstances, be seen by anyone else. Their posture will be different than another company that has confidential information, but it isn't disastrous if it gets out."

QUESTION 4: IS THERE A SINGLE-TENANT HOSTING OPTION SEPARATED FROM THAT OF OTHER CUSTOMERS?

Another complicating factor is that in a true SaaS multi-tenant deployment, your company's data may be side-by-side with another company's data. So it's important to understand how things are kept separate.

"The risk is that your data could leak out of your environment and be seen by other customers, potentially even their competitors," says Acumen's Stanley.

There are several ways in which customer data can be separated, and it's important to understand which method your SaaS provider uses, she says. For example, if the division occurs within the application itself, a bug within the application could cause a failure of separation, meaning your data could be exposed to other customers or, in a worst-case scenario, to the outside world. Another way of keeping customers separate involves working with separate Web servers running on shared hardware.

The rise of virtualization, with customers potentially hosted on different virtual machines, should make separation easier. But Burton Group cautions that while this will cut down on risks, these virtual operating systems are subject to the same risks. Moreover, the hypervisor management layer adds a level of vulnerability.

Stanley says your provider should run regular tests for data leaks. If it does not, you might be better off insisting on a single-tenant data storage option (closer to outsourcing) or looking for a provider that offers this choice, she says.
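Question 4's warning that application-level separation fails the moment one query forgets the tenant filter, shown as an added example (not code from the article or from any vendor it names): a constructed two-tenant SQLite table, the unscoped lookup that leaks across customers, the tenant-scoped repository that does not, and the recurring leak test Stanley recommends, which reports every cross-tenant read it can provoke. Tenant names, documents and function names are constructed for this example.

```python
import sqlite3
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data: two SaaS customers (tenants) share one table.
SAMPLE_ROWS = [
    # (doc_id, tenant_id, title, body)
    (1, "acme", "Q3 carrier rates", "confidential: acme"),
    (2, "globex", "AP ledger", "confidential: globex"),
    (3, "acme", "Board minutes", "confidential: acme"),
]


def build_db() -> sqlite3.Connection:
    """Create the shared multi-tenant table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents (doc_id INTEGER PRIMARY KEY,"
        " tenant_id TEXT NOT NULL, title TEXT NOT NULL, body TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


@dataclass(frozen=True)
class Session:
    # Identity established at login; the tenant comes from here, never from the request.
    user: str
    tenant_id: str


def get_document_unscoped(conn: sqlite3.Connection, doc_id: int) -> Optional[tuple]:
    """Separation failure: the query keys on doc_id alone.

    Any logged-in user of any tenant who supplies another customer's doc_id
    gets that customer's record back. This is the bug class the article warns
    about when separation lives only inside the application.
    """
    return conn.execute(
        "SELECT doc_id, tenant_id, title, body FROM documents WHERE doc_id = ?",
        (doc_id,),
    ).fetchone()


class TenantScopedRepo:
    """Hardened form: every statement is bound to the session's tenant_id."""

    def __init__(self, conn: sqlite3.Connection, session: Session) -> None:
        self._conn = conn
        self._tenant = session.tenant_id

    def get_document(self, doc_id: int) -> Optional[tuple]:
        # A doc_id owned by another tenant yields no row, not an error, so the
        # caller cannot tell "does not exist" from "belongs to someone else".
        return self._conn.execute(
            "SELECT doc_id, tenant_id, title, body FROM documents"
            " WHERE doc_id = ? AND tenant_id = ?",
            (doc_id, self._tenant),
        ).fetchone()


Lookup = Callable[[sqlite3.Connection, Session, int], Optional[tuple]]


def cross_tenant_leaks(conn: sqlite3.Connection, lookup: Lookup, tenants: list) -> list:
    """The recurring leak test the article says a provider should run.

    For every tenant session and every doc_id in the table, call `lookup` and
    record any row whose owner differs from the session's tenant. Returns
    (session_tenant, doc_id, owner_tenant) findings; empty means separation held.
    """
    all_ids = [r[0] for r in conn.execute("SELECT doc_id FROM documents ORDER BY doc_id")]
    findings = []
    for tenant in tenants:
        session = Session(user="leak-test", tenant_id=tenant)
        for doc_id in all_ids:
            row = lookup(conn, session, doc_id)
            if row is not None and row[1] != tenant:
                findings.append((tenant, doc_id, row[1]))
    return findings


# Adapters so the same leak test can drive both access paths.
def via_unscoped(conn: sqlite3.Connection, session: Session, doc_id: int) -> Optional[tuple]:
    return get_document_unscoped(conn, doc_id)


def via_scoped(conn: sqlite3.Connection, session: Session, doc_id: int) -> Optional[tuple]:
    return TenantScopedRepo(conn, session).get_document(doc_id)


if __name__ == "__main__":
    db = build_db()
    print("unscoped leaks:", cross_tenant_leaks(db, via_unscoped, ["acme", "globex"]))
    print("scoped leaks:  ", cross_tenant_leaks(db, via_scoped, ["acme", "globex"]))
```

The same harness can be pointed at any other access path (search, export, report) the application exposes, which is what a recurring leak test needs to cover.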
QUESTION 5: WHO MANAGES THE APPLICATION ON THE BACK END, AND WHAT POLICIES ARE IN PLACE TO THWART INSIDER BREACHES?

As the Salesforce.com breach illustrates, many security issues are tied more to the flaws of human nature than to some technical weakness.

"A lot of SaaS providers offer optional 128-bit encryption on the fly, but this hasn't always been made mandatory," says Jay Elder, managing director of service development for Incentra Solutions, a security services firm in Boulder, Colo. "Users really need to be trained to log in using [the toughest] encryption and to be aware of the social vulnerabilities of giving away their passwords."

The matter of user administration rights once you're inside the application also can't be underestimated. Gregg Bostick, vice president of transportation at Pinnacle Foods, uses the SaaS application LeanLogistics On-Demand TMS to manage transportation arrangements between his team and various shipping partners. Bostick closely controls who has the right to view certain types of data, such as the carrier rate tables or the accounts payable information.

"This is really process-oriented security," Bostick says. "It's only a problem if you allow it to be a problem."

A bigger problem, perhaps, comes in management of an application back at the provider. Forrester's Herbert says it's important to understand who will be able to modify the application, along with the rules and access rights. From the customer standpoint, this should remain under the control of the business' internal IT team, which can interface with the technical contacts at the service provider, she says. There need to be strong measures in place to ensure that account information cannot easily be shared or accessed by personnel at the service provider. The company should also have specific policies related to spoofing of accounts and phishing.

QUESTION 6: WHAT IS THE BACKUP AND RECOVERY PLAN?

One thing that doesn't get talked about as much when it comes to SaaS security is business continuity—how the provider protects its customers against potential denial-of-service attacks or in the event of a natural or man-made disaster.

But that was a major consideration for Michael Roseman, vice president of finance and strategy at Astadia, a 155-person management consulting firm that uses several different SaaS applications including Salesforce.com, Workday and Cornerstone on Demand.

"These companies can make much better investments in security than we can," says Roseman. "If we did this on-premise, we would have to provide backup and redundancy. How can my company hope to offer the same levels as these providers?"

Gartner's Pescatore says businesses should also be concerned with the physical location of the hosting facility, requesting an on-site inspection if possible. Geography also matters: If the service provider hosts the data in another country, the business should acquaint itself with privacy and data ownership laws of those jurisdictions. "You have to worry a lot more if something goes wrong," he says. Plus, it may be tougher to enforce service-level agreements.

QUESTION 7: HOW WELL DOES THE PROVIDER'S SECURITY POLICY MATCH MY COMPANY'S (IF MY COMPANY HAS ONE)?

If your company already has a security policy in place, it should be relatively simple to compare the vision of a would-be SaaS provider against your own. A SaaS company's ability to provide security measures could actually be more sophisticated and thorough than a customer's capabilities, especially if you're talking about a small business or midsized account. That doesn't supersede the need for the customer to vet the provider's policy, but it makes it simpler to justify going with SaaS.

"This really saves us a lot of money," says Mike Stump, director of information technology for Roundtable Corp., which owns 46 Dairy Queen franchises that use various SaaS applications to manage their operations. "For us, that is the biggest advantage."

For other companies, it comes down to focus—and scale. Dan Nadir, vice president of product strategy for ScanSafe in San Mateo, Calif., which offers managed services for Web security, says many of his company's customers have few IT staffers to handle issues like security. "We make their headaches go away. …We use multiple engineers, which they can't. We've got tons of techniques they can't use. We're able to react. The more users we have, the more traffic, and the better off everyone ends up being."

Heather Clancy is a business journalist and communications consultant based in Midland Park, N.J. She specializes in writing about emerging trends, including mobility and green technology, and can be reached at hccollins@mac.com.
Outsourcing Vulnerability Management
BY DIANA KELLEY

Giving it to an outsider could be an easy solution, but enterprises need to first understand the gritty details.

The idea of outsourcing an especially difficult duty is pretty appealing. At home, who wouldn't happily "outsource" cleaning the bathroom, doing the laundry or taking out the trash? And, in the professional IT world, who wouldn't want to outsource the tough task of vulnerability management (VM)?

With the growing number of software patches, regulatory requirements, and increasing complexity of networks and threat models, managing network and system vulnerabilities has become an arduous chore for most enterprises.

Though it may appear that outsourcing VM is a no-brainer for many companies, outsourcing any security function is a far more complicated decision than sending your shirts to the cleaners. We'll take a look at what outsourcing VM means, and review the technical and non-technical considerations enterprises should sort through when assessing the benefits and costs associated with VM outsourcing.

CONSIDERATIONS
Before considering VM outsourcing, it's important to understand VM. When discussed in an IT context, it's not meant to encompass the whole spectrum of potential enterprise vulnerabilities. Whole-enterprise vulnerability management would need to include the vulnerability associated with having a criminally minded CEO, or the vulnerability of investing time and money in an ill-conceived product.

When IT professionals discuss VM, we are most often talking about how to identify and remediate threats in the resource layer. This means looking for vulnerabilities in the operating system, applications, databases and other IT resources, and then closing the risk window via some form of remediation, like applying a patch or making a configuration change.

Be aware, though, that taking the wrong action could introduce a greater vulnerability to the enterprise. For example, if a database vendor releases a patch designed to fix an obscure and difficult-to-exploit vulnerability, and the patch is problematic, it can bring down your enterprise servers. Automatic responses outside the normal trouble ticketing, workflow and change management accountability chain can introduce unacceptable levels of risk. Risk reduction controls, such as testing the patch prior to applying it to the production server, can keep risk in check, as can keeping the response and remediation process in line with corporate workflows and approval processes.

To close the loop, most companies implement ongoing verification and monitoring of their VM system, and accomplish this, in part, by sharing the data collected and managed via the VM systems with external tools. In addition to integration with workflow and change management solutions, VM tools can share critical event information with network systems management (NSM) tools, security event and information management (SEIM) tools, compliance dashboard tools, and other correlative and analytic portals.

SERVICES
When thinking about outsourcing VM, break down what types of services an external provider supplies. Here are some of the most commonly outsourced VM services (most large outsourcers supply all of these services, but always check for details of specific vendor offerings):

• Asset identification. There's an old saying that is appropriate in the VM world: "You can't manage what you don't know." There are dozens of vulnerabilities released every day, but many aren't a priority for your network. The only way to know which vulnerabilities and exploits matter to your company and your systems is to know exactly what you've got. It can also help to know where the systems are. Many attacks can be thwarted via port blocking; if a device is in a protected zone and all traffic into that zone can be filtered, the vulnerability can be mitigated. Asset identification services scan your network and return detailed listings that identify what systems are on the network, their patch and configuration levels and their location within the network topology.

• Vulnerability identification/assessment. What vulnerabilities are in the wild? Part of the intelligence process of a VM outsourcer is the ability to gather and disseminate data on vulnerabilities and patches. Vulnerability information can come from a variety of sources: vendors, lists and media reports, among others. The information gathered in the asset identification is then assessed against known vulnerabilities and exploits. The outsourcer can then notify the customer where the problems are and what actions are recommended.

• Remediation and patching. Taking action is a critical part of VM, but what about when remediation is outsourced? It can mean that the outsourcer makes the call and takes action as needed—anything from applying a patch to reconfiguring access control rules on a firewall. Alternately, the outsourcer could integrate with the customer's workflow and trouble ticketing system, so the patch is queued for deployment, but the actual deployment task is completed by the customer.

• Control verification and monitoring. Because VM is fundamentally about closing windows of exposure, it's important to ensure that there is an audit and verification function to verify that changes and fixes have been applied properly. It is also important to know who approved the change and who applied it. An outsourcer should be able to provide the customer with detailed, real-time access into the audit and verification functions. Additionally, many enterprises want to have transparency back to the internal corporate network and event management engines via the export of log information from the service provider.

VULNERABILITY ASSESSMENT
Ironing Out the Details

In the outsourced VM services world, the phrase "vulnerability assessment" usually means scanning a network of target devices for current patch levels and configurations, and matching this information against technical security policy requirements and known vulnerabilities.

The question that often arises from customers is whether the vulnerability assessment offered as part of a VM service is the same kind of large-scale vulnerability assessment offered by consulting firms and even some VM outsourcers. The answer is, "No, not really."

VA, as part of VM, is tightly focused on automated scanning and information gathering from target devices. A full-blown security and vulnerability assessment usually includes a people, process and technology review of security and vulnerability in an enterprise. A large-scale security and vulnerability assessment project can include a number of moving parts:

• Tiger team penetration testing
• Process and procedure reviews
• Interviews with key personnel
• Documentation reviews
• Code reviews
• In-depth assessment of threat models and paths
• Recovery readiness

Clearly, a vulnerability or security assessment of that level is a much more complicated process than automated scanning of systems. Before contracting with a VM outsourcer, check to see what the company will explicitly provide as part of the vulnerability assessment service. If you need a deeper and more complete VA, it's possible to outsource that, too. Be aware, though, that you may need to contract with a specialized consulting firm (such as one of the Big 4) for this type of detailed assessment work. —DIANA KELLEY

ARCHITECTURE
Before moving forward with outsourcing vulnerability management, enterprises must take into account a number of important architectural considerations.

Will the outsourcer be using internal scans, external scans or both? If outsourcers are only scanning from outside the company (usually in front of the firewall), they will only be able to see what an external attacker can. While this is useful information, there are vulnerabilities inside corporate networks that should not be ignored. The traditional single perimeter continues to move deeper and deeper into the network and is distributed on hosts and sub-zones.

If the decision is made to allow the outsourcer to place internal scanners on the network, be clear up front about who is responsible for managing those scanners and how the data being sent back to the outsourcer is protected. What level of trust will the outsourced scanner have inside trusted corporate zones? If the scanner from the outsourcer is being placed in a restricted zone, will the owners of that zone have appropriate control of the scanner?

Then consider how invasive the scans will be on the network. Scanning can be done via an agent or from the network, with or without credentials. An agent requires a piece of code be installed on every host that will be scanned. Does your company feel comfortable having a piece of code from an outsourcer installed on all its monitored devices? Many do not, so the outsourcer may have to use a network-based scanning solution. Although these are less invasive because no code installations are required, they can be a heavier hit to network traffic depending on how frequently and how many devices they scan.

In addition, VM scanning can be more or less invasive based on whether or not credentials are used. In credentialed scanning, some form of valid credentials is given to the scanner so that it can log in and look for vulnerabilities as a legitimate user. This kind of scanning can turn up more information, but can also crash systems, and it means handing the outsourcer a set of valid credentials that must be scoped to the scanning task and protected accordingly.

Some scanners attempt to exploit vulnerabilities, with or without credentials, which can result in system or service crashes. Check with your outsourcer to determine the right level of invasiveness to keep system outages to a minimum.

It's important to consider the general readability of the information gathered by the outsourcer. Having a lot of wonderful data stored at the outsourcing partner won't help much if you can't access it and understand it easily. Is the dashboard data shown in near real-time, or is there a delay? Some VM outsourcers provide dashboards that enable the customer to have the same visibility into the current state of the network that their security operations center engineers have. Also, can the information be accessed securely, with appropriate authentication and protection in transit, and can it be exported to other systems and consoles, such as a SEIM or other event correlation tool?

ACCOUNTABILITY
Any company that is considering outsourcing vulnerability management needs to take a long, hard look at accountability issues. The bottom line is that accountability cannot be outsourced. This places additional management and monitoring responsibility on the company that has contracted with an outsourcer. If a critical accounting server goes down in the last quarter of the year, your IT department will be accountable even if the server went down because of an error by the VM outsourcer. Simply put, any information that is lost and any downtime that is suffered will be your IT department's responsibility.

Cyber-insurance may defray the cost of losses due to internal or outsourcer errors.

Think through what kind of data the outsourcer will be holding, and whether you trust the outsourcer to hold this data. The outsourcer's records show exactly which of your servers do not have the latest patches; does keeping that record outside your organization constitute a risk? That information could be used by an attacker to know where to strike, or by a lawyer to prove lack of diligence.

Also, you need to examine the level of communication that you expect between your IT team and the outsourcer. Defining key liaisons from each team to work together can increase the success of the communication process. Make weekly status calls to go over any outstanding issues. The communication plan should extend to escalation and disaster procedures: When and why should the outsourcer start paging internal administrators? What constitutes an emergency? What is the escalation path at your organization that the outsourcer should take to get resolution?

Once your questions have been addressed, get everything in writing before contracting the service. Clear, concise, enforceable service level agreements (SLAs) can go a long way to keep the relationship productive. It also helps to have a clause in the SLA regarding remuneration should the outsourcer fail to keep to the terms of the agreement. Although accountability can't be transferred, partial cost of failure can be distributed back to the outsourcer in the event of a security incident.

RETURN ON INVESTMENT
Security is a notoriously difficult area in which to prove ROI; what is being measured is often the cost of nothing bad happening. To realize realistic ROI, focus on metrics that can be measured rather than estimated.

For VM outsourcing, review how the service may save your enterprise head count. Are there full-time employees currently in charge of internal scanning, monitoring vulnerability lists and deploying patches? If so, how many of them can be reassigned to other jobs if the VM task is outsourced? Don't forget that you will still need staff to manage the outsourcer, as well as some to oversee escalation and change management approval.

Many enterprises are outsourcing vulnerability management to reduce demands on internal personnel and resources. There are many benefits that can be realized by outsourcing VM. Overall head count requirements for VM may go down as the tasks are assigned to the outsourcer and, subsequently, internal resources can be reassigned to other projects.

But VM outsourcing is not a decision to be made lightly. For the best chance at success, think through the questions and concerns that matter to your enterprise and get the answers from your outsourced agency in writing.

Remember that while much of the labor and resource requirements can be outsourced, accountability cannot. Someone at your organization will still be on the hook to ensure that the outsourcer takes the correct steps in managing the vulnerabilities. If all your white shirts come back from the laundry gray due to a bad process, who has to go to work the next day in a gray shirt? If your systems are attacked because the right patches or configurations were not applied, who takes the fall?

Think carefully about the process and how it will work optimally for your organization before dumping this laundry load on an outsourcer.

Diana Kelley is a partner with Amherst, N.H.-based consulting firm SecurityCurve. She formerly served as vice president with research firm Burton Group. She has extensive experience creating secure network architecture and business solutions for large
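The four services the article lists (asset identification, assessment against a vulnerability feed, remediation inside the change-approval chain, and control verification) form one loop, and the accountability point only bites if the verification step can catch a fix that was recorded but never actually applied. The Python below is an added example written for this edition, not code from the article or from any VM outsourcer; every host, zone, software version, VULN-nnnn identifier and the zone filtering policy in it is constructed for illustration.

```python
"""Toy vulnerability-management loop: identify assets, assess them against a
feed, remediate only inside the change-approval chain, and verify that every
recorded fix actually closed its window of exposure.

Added example; not code from the article or any VM vendor. Hosts, zones,
versions, VULN-nnnn identifiers and the zone policy are all constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Asset:
    host: str
    zone: str            # assumed zones: "dmz", "restricted", "internal"
    software: dict       # product -> installed version string
    listening: set       # TCP ports with a service bound on this host


@dataclass(frozen=True)
class Vuln:
    vid: str             # constructed identifier, not a real advisory number
    product: str
    fixed_in: str        # first version that carries the fix
    port: Optional[int]  # port of the exposed service; None if local-only
    severity: int        # 1 (low) .. 10 (critical)


# Assumed zone filtering policy: the only ports traffic entering a zone may reach.
ZONE_ALLOWED_PORTS = {"dmz": {80, 443}, "restricted": set(), "internal": {80, 443, 445, 3306}}

# Constructed inventory, i.e. what an asset-identification scan would return.
INVENTORY = [
    Asset("web01", "dmz", {"httpd": "2.2.8", "openssh": "4.7"}, {22, 80, 443}),
    Asset("db01", "restricted", {"mysql": "5.0.44"}, {3306}),
    Asset("fs01", "internal", {"smbd": "3.0.24", "openssh": "4.7"}, {22, 445}),
]

# Constructed vulnerability feed (what vendor advisories and lists would supply).
FEED = [
    Vuln("VULN-0001", "httpd", "2.2.9", 80, 7),
    Vuln("VULN-0002", "mysql", "5.0.45", 3306, 9),
    Vuln("VULN-0003", "smbd", "3.0.25", 445, 10),
    Vuln("VULN-0004", "openssh", "4.8", 22, 5),
]


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def is_affected(asset, vuln):
    installed = asset.software.get(vuln.product)
    return installed is not None and version_tuple(installed) < version_tuple(vuln.fixed_in)


def assess(assets, feed):
    """Match inventory against the feed and rank findings by real exposure.
    'exposed' means the vulnerable service is listening AND the zone filter lets
    traffic reach that port; anything else is 'filtered' (still needs the patch,
    but the zone already mitigates it). Exposed first, then by severity."""
    findings = []
    for a in assets:
        for v in feed:
            if not is_affected(a, v):
                continue
            exposed = (v.port is not None and v.port in a.listening
                       and v.port in ZONE_ALLOWED_PORTS[a.zone])
            findings.append({"host": a.host, "vuln": v.vid, "severity": v.severity,
                             "status": "exposed" if exposed else "filtered"})
    findings.sort(key=lambda f: (f["status"] != "exposed", -f["severity"], f["host"]))
    return findings


def remediate(asset, vuln, new_version, approved_by, applied_by, audit_log):
    """Apply a fix only inside the approval chain, and record who did what."""
    if not approved_by:
        raise PermissionError(f"{vuln.vid} on {asset.host}: no change approval recorded")
    if version_tuple(new_version) < version_tuple(vuln.fixed_in):
        raise ValueError(f"{new_version} does not carry the fix for {vuln.vid}")
    asset.software[vuln.product] = new_version
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "host": asset.host,
             "vuln": vuln.vid, "approved_by": approved_by, "applied_by": applied_by}
    audit_log.append(entry)
    return entry


def verify(assets, feed, audit_log):
    """Control verification: rescan and return every audit entry whose fix is
    still open. An empty list means every recorded change closed its window."""
    still_open = {(f["host"], f["vuln"]) for f in assess(assets, feed)}
    return [e for e in audit_log if (e["host"], e["vuln"]) in still_open]


def run_demo():
    """One cycle on the constructed data: returns
    (findings before, audit log, entries that failed verification, findings after)."""
    assets = [Asset(a.host, a.zone, dict(a.software), set(a.listening)) for a in INVENTORY]
    before = assess(assets, FEED)
    log = []
    fs01 = next(a for a in assets if a.host == "fs01")
    remediate(fs01, FEED[2], "3.0.25", "change-board", "sysadmin-1", log)
    # The outsourcer reports web01 patched, but the deployment never happened:
    # the audit entry exists, the version did not change. verify() must catch it.
    log.append({"ts": "constructed", "host": "web01", "vuln": "VULN-0001",
                "approved_by": "change-board", "applied_by": "outsourcer-noc"})
    failed = verify(assets, FEED, log)
    return before, log, failed, assess(assets, FEED)
```

Two design choices carry the article's points. Ranking is by reachability before severity, so the critical MySQL flaw on the restricted-zone database sorts below a lower-rated but reachable web server flaw, which is the "mitigated by port blocking" case. And verification does not trust the audit log: it rescans and reports any entry whose finding is still open, so a claimed patch that never landed shows up as the outsourcer's failure while the host is still yours to answer for.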
Security in the Cloud
BY MICHAEL S. MIMOSO

Security managers are looking to the keepers of the Internet cloud for relief.

As attackers get more sophisticated, security managers are looking for a little help from above—the Internet cloud and the keepers of the Internet backbone. Carriers are starting to offer in-the-cloud security services that take advantage of their inline position with network traffic and their ability to stop attacks before they reach the enterprise gateway.

Savvis, AT&T, Verizon and Perimeter Internetworking sell DDoS, antispam and antiphishing protection and other security services from the cloud. The majority of these services are in their infancy, with a few financial services organizations and SMBs among the early adopters. Carriers, meanwhile, continue to seek the right combination of technology to mitigate threats and add new services down the line—all the while managing a level of cooperation among competitors to keep incidents in check.

If carriers take hold of the ever-dissolving network edge and move enterprise DMZs into the cloud, companies will be able to retire hardware licenses and subscribe to services currently offered by managed security service providers at a fraction of the cost.

"All security functions will be forced into the cloud—DDoS, antivirus, firewalling. If we're right, it's a profound concept," says AT&T CSO Ed Amoroso. "We become an MSSP. We are taking what MSSPs do and meshing that with our own infrastructure so that the service provider and the carrier become one."
A CRUCIAL HEADS-UP
Mark Ramsey, formerly the global manager of data security and compliance for Pitney Bowes, had the scoop on the Zotob worm outbreak days before most of his peers. Zotob exploited a buffer overflow in Windows Plug and Play and spread from network to network. It opened a back door and enabled remote access to infected machines. It appeared less than a week after Microsoft released security bulletin MS05-039.

But Pitney Bowes' network survived unharmed. Why? Its bandwidth provider, AT&T, put out the word that spikes in activity on port 445 were signaling an impending outbreak of malicious code. Ramsey was able to act on this intelligence and order patching and other remediation steps. Eighty-five percent of Pitney Bowes' network was patched days before Zotob struck. AT&T, meanwhile, choked off the bad traffic.

"AT&T has the unique perspective that it can see everything at the bits and bytes level, collate that information and see things like this coming quickly," Ramsey says. "It's great as a security manager getting that kind of heads-up. We're not blindsided."

Carriers are banking on enterprises recognizing that bandwidth providers have the edge in their ease of access to network traffic, and that there is an economy of scale in outsourcing network security services to the cloud.

"The big Tier-1 types definitely have the advantage because they see everything at the backbone," says Gartner vice president John Pescatore.

The trickle-down to security managers rests in the fact that carriers have to meet bandwidth SLAs with their customers. Carriers must invest in avant-garde technologies to defend and clean their pipes, and to absorb DDoS attacks and malware outbreaks while still hitting these service levels.

Also, in order to squeeze a few bucks out of their investments and stave off tumbling revenue and profit margins, carriers can offer cloud security services cheaper than an MSSP, putting a chokehold on that segment of the competition.

"The biggest advantage to doing [security] in the cloud is that you remove attacks from bandwidth," Pescatore says. "If I pay for a T1 line, and 700 kilobits per second [of traffic] are worms and viruses scanning my network, I might consider buying another T1 because I need more bandwidth. If that noise gets filtered at the cloud, I might not have to buy another T1." T1 lines can cost more than $1,500 a month, which includes carrier and ISP fees. "You're looking at real big numbers," Pescatore says. "If you're looking at some of the big T3s, how many megabits per second are they logging for no reason? Think about the amount of spam before filtering became popular—hitting hard drives and requiring more storage."

The numbers are compelling, but they're not the clincher in this kind of decision. A company needs to consider how its network architecture is constructed, how it connects to the Internet and what kind of trust relationship an enterprise has with a network service provider.

A Forrester Research paper points out that security managers are usually unwilling to give up control over part of their infrastructure, but should realize that providers already carry companies' sensitive data and are responsible for how they connect to and present themselves on the Internet. Internally, there has to be a determination, written into the SLA, of what a carrier, for example, would be responsible for blocking and what the company would secure itself.

That would force security and network teams to examine how a company connects to the Net. Companies with many locations may use multiple service providers. If some security functions are transferred to a carrier, the carrier becomes responsible for that risk, Forrester says. A company would then have to make decisions on who would provide connections to the Internet and where, what kind of traffic is carried via those connections and what security services would be required for the different connections.

UP IN THE AIR
Ken Emerson, CIO of Boiling Springs Bank, a 14-branch regional financial services provider in New Jersey, says his organization's investment in cloud services (IDS management, spam filtering) from Perimeter Internetworking helps keep its business model viable. Perimeter sells managed network security services and acts as a utility between a customer and its carrier or ISP. Traffic is routed through Perimeter via a point-to-point switch or frame relay VPN, cleansed and then routed back to the customer.

"If ISPs don't take care of this themselves, you're going to see a reduction in online activities," Emerson says. "The business model won't work, and people won't invest in it unless we have a cleansing of the Internet at the level of those who provide access to it—it's incumbent upon ISPs and carriers to do so."

AT&T's Amoroso says the challenge with security managers is not only overcoming those reticent to give up control of all or part of their security operations to a carrier, but fighting long-standing infrastructure investments.

"The only thing standing in the way would be inertia, meaning, 'I'm set now; this would be a change. Even if it's cheaper, it would be a change,'" Amoroso says. "The issue in the industry is that there are an awful lot of companies that are not happy about the message that we are proposing. It's been a very lucrative market for so long to sell IDS and IPS. Then Ed comes along and says, 'Hey, this functionality really can be embedded in the carrier infrastructure.' Naturally that's not going to make everyone happy."

MSSPs argue that the carriers don't have the in-house expertise to develop technologies like theirs. Keith Laslop, vice president of business development for MSSP Prolexic Technologies, which offers a Clean Pipe managed service, says the carriers have to rely on partnerships with providers like Arbor Networks, McAfee and others that have established DDoS protection tools on the market.

"The difference is in expertise," Laslop says. "It's just not the same." He also argues that carriers cannot adequately satisfy the security needs of medium or larger companies getting bandwidth services from multiple carriers.

"[DDoS] services, for example, are next to impossible to do themselves unless you are the largest of the large with 20 gigabits of bandwidth. You have no chance of stopping an attack yourself," Laslop says, adding that a trend is developing where many DDoS attacks originate from competitors and arrive without warning. "A lot of companies want to be proactive and want protection either because they're being threatened, or someone in their [market] has been threatened."

A company like Prolexic can charge about $5,000 per month for its anti-DDoS services, as opposed to almost double that price per month from a big carrier, according to a Gartner study. While some may think that a steep figure, providing DDoS protection internally could run in the hundreds of thousands of dollars annually, factoring in the purchase of additional hardware, bandwidth and staffing expertise, Gartner says.

Verizon, via its acquisition of NetSec, veered away from AT&T's approach to cloud services. NetSec's Finium platform integrates input from a user device with intelligence gathered from Verizon's IP network to prioritize threats and manage them according to policy.

"We combine our cloud services with what's happening inside," says Verizon vice president of security Sara Santarelli. "In pure cloud services, you're not matching up what's happening inside with the cloud perspective. How do you protect the inside threat as well as the outside?"

Verizon has been offering DDoS mitigation and detection services since June, and it also offers an e-mail content service and a WAN defense service, both available since May.

CONSIDERATIONS
Are Cloud Services for You?

Pros:
• Alerts customers to potential outbreaks before they happen
• Cleanses traffic on their networks before it reaches enterprise border security devices
• Blocks unwanted traffic
• Mitigates DDoS attacks
• Eliminates customer premises equipment (CPE)
• Eliminates licenses, or redeploys detection and prevention CPE to other areas of infrastructure
• Frees up bandwidth
• Uses familiar service models

Cons:
• Limits carrier configurations or policy options because equipment is shared by multiple customers
• Restricts customer control over what's happening inside
• Relies on portals for updates on device status and analysis
• Complicates coordination of cloud services among multiple carriers in the same organization

Sources: AT&T, Verizon, Perimeter Internetworking, Gartner Inc.

CLEAR OR CLOUDY FORECAST?
Gartner's Pescatore says the carriers' cloud services model resembles what security managers are used to from bandwidth providers—services across a shared infrastructure. The difference is that enterprises would no longer have to manage expensive hardware or pay licensing fees.

There are several sticking points the carriers must iron out before cloud services become viable, especially for larger enterprises. Primarily, Pescatore says, security managers are concerned about sharing routers, servers and switches with others on the carrier network, and whether carriers would limit configurations or policy options to reach a particular price point. Security managers aren't willing to be flexible in most cases and will demand dedicated equipment at the carrier.

Control loss is another issue; AT&T offers customers a portal service where they can monitor device status and alerts.

Ramsey is an AT&T portal customer and shrugs off the control question. "Trust but verify; we have a stipulation [in our SLA] that we can monitor anytime we want," Ramsey says. "You miss something and we're hit financially, you're partly responsible."

Carriers must also provide availability guarantees, and reporting and auditing capabilities. The biggest worry, especially for SMBs going with a smaller telco or ISP, is the long-term viability of the provider. "If a [provider] goes under, now I don't even have a firewall," Pescatore says. "I'm stuck. It's not so much an issue of loss of control and not being able to control policy, but the issue of what happens if the service provider goes away and I don't have protection."

Michael S. Mimoso is editor of Information Security.
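The heads-up Ramsey describes earlier in this article rests on a single observation made at the backbone: connection attempts to port 445 from many distinct sources jumped well above normal days before Zotob hit. The block below is an added example for this edition, not AT&T's or any carrier's code; it runs that idea over a constructed flow sample (the addresses, the 5-minute bucket, the three-bucket warm-up and the 5x thresholds are all assumptions) and distinguishes worm-style fan-out from one loud scanner.

```python
"""Backbone-style early warning over a constructed flow sample: count
connection attempts per destination port per time bucket, compare each
bucket with the median of that port's earlier buckets, and alert only when
both the attempt rate and the number of distinct sources jump.

Added example, not a carrier's code. Flow lines, bucket size and
thresholds are constructed/assumed."""
from collections import defaultdict
from statistics import median

T0 = 1_123_891_200   # constructed epoch start, aligned to a 300-second bucket


def build_sample():
    """Constructed flows "<epoch> <src> <dst> <dport>": six quiet 5-minute
    buckets (20 web flows, 4 SMB flows each), then one bucket in which 40
    distinct hosts each probe port 445 on five targets."""
    lines = []
    for b in range(6):
        base = T0 + b * 300
        lines += [f"{base + i * 10} 10.0.{b}.{i} 192.0.2.{i} 80" for i in range(20)]
        lines += [f"{base + i * 60} 10.0.{b}.{100 + i} 192.0.2.{50 + i} 445" for i in range(4)]
    base = T0 + 6 * 300
    lines += [f"{base + i * 10} 10.0.6.{i} 192.0.2.{i} 80" for i in range(20)]
    lines += [f"{base + s * 5} 10.1.{s}.1 192.0.2.{100 + d} 445"
              for s in range(40) for d in range(5)]
    return lines


def bucketize(lines, bucket=300):
    """port -> bucket_start -> [attempt count, set of source addresses]."""
    stats = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for line in lines:
        ts, src, _dst, dport = line.split()
        cell = stats[int(dport)][int(ts) // bucket * bucket]
        cell[0] += 1
        cell[1].add(src)
    return stats


def detect(lines, bucket=300, min_history=3, rate_factor=5.0, fanout_factor=5.0):
    """Return alerts as dicts {port, bucket, attempts, sources, baseline}.
    Baseline is the median of the port's earlier buckets (median resists a
    previous spike poisoning it). Requiring attempts AND distinct sources to
    both exceed factor x baseline suppresses a single noisy scanner and keeps
    the many-sources pattern that a self-propagating worm produces."""
    alerts = []
    for port, buckets in bucketize(lines, bucket).items():
        history = []
        for b in sorted(buckets):
            n, srcs = buckets[b][0], len(buckets[b][1])
            if len(history) >= min_history:
                base_n = median(h[0] for h in history)
                base_s = median(h[1] for h in history)
                if n > rate_factor * base_n and srcs > fanout_factor * base_s:
                    alerts.append({"port": port, "bucket": b, "attempts": n,
                                   "sources": srcs, "baseline": base_n})
            history.append((n, srcs))
    return alerts
```

On the constructed sample the only alert is port 445 in the seventh bucket (200 attempts from 40 sources against a baseline of 4); port 80 never trips, and a single host hammering port 445 200 times in a later bucket raises the rate but not the fan-out, so it is ignored. A carrier would apply the same test per customer prefix and per backbone link, and would attach the list of offending sources so the customer can filter them while patching.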
OPTIONS
In-the-Cloud Services

Telecommunications providers are in position to offer the following security services from the Internet cloud:

Denial-of-service protection
This chokes off large-scale DDoS attacks, as well as those targeting specific organizations, before they reach the enterprise edge.

Firewall, IPS management
A natural service because attacks can be stopped before reaching a gateway. Carriers can cheaply price these services because virtual firewalls are shared from a single device.

Antivirus, antispam filtering
Monitoring and blocking unwanted e-mail in the cloud reduces infrastructure investments for the enterprise. Gartner says one-fifth of the e-mail filtering market already comes from in-the-cloud services.

IDS management
IDS management in the cloud eliminates the need for sensors on the enterprise network edge.

Content filtering
This cuts off unwanted inbound content and prevents the outbound loss of intellectual property.

[Diagram, not reproduced: "Do It Yourself" (Option 1: in-house firewall, IPS and console; Option 2: MSSP SOC and portal) versus "In the Cloud" (Option 1: carrier; Option 2: network services provider).] With the do-it-yourself configuration, an enterprise has the option of either retaining the human and financial resources to manage network traffic (Option 1), or outsourcing it to a traditional MSSP (Option 2). Opting for in-the-cloud security services from a telecommunications carrier or a network services provider frees a company of expensive hardware purchases and license renewals. Moving the DMZ to the Internet cloud enables a carrier (Option 1) or NSP (Option 2) to cleanse traffic inline, re-route it to your network and keep denial-of-service, spam and phishing attacks to a minimum.

Sources: AT&T, Verizon, Perimeter Internetworking, Gartner Inc.
Resources from our sponsors

AlertLogic
• Using SaaS for Security and Compliance: Why On-Demand is in High Demand. This webinar shows how Alert Logic revolutionizes the way PCI DSS compliance and security solutions are designed, delivered, and utilized through Software-as-a-Service.
• Is Mid-Market PCI DSS Compliance the Killer App for Software-as-a-Service? Listen to this podcast to hear why SaaS equals PCI DSS compliance for organizations who do not want to be in the business of managing messy IT infrastructures.
• Log Management meets Software-as-a-Service: Marriage of Convenience or Match Made in Heaven? In this videocast, two industry heavyweights debate whether SaaS-based log management has any inherent advantages over traditional on-premise log management.
• Log Management in the Cloud: A Comparison of In-House vs. Cloud-Based Management of Log Data. This white paper addresses best practices for any log management solution, questions for the SaaS provider, and considerations for in-house log management.
• The Essentials Guide: PCI Compliance. Download this guide from Rebecca Herold of Realtime Publishers to understand how to use PCI DSS-compliant log management to identify insider access abuse.

MessageLabs
• Block Evolving Spam, Secure Your Network
• Choosing a Solution for Web-Filtering: Software, Appliance, Managed Service?
• Email Security Buyer's Guide: Software, Appliance, Managed Service?
• Employee Web Use and Misuse: Companies, Their Employees and the Internet
Ping Identity
• Single Sign-On for SaaS Applications
• Secure Internet SSO & User Provisioning for Salesforce CRM (with tutorial video)
• Secure Internet SSO & User Provisioning for Google Apps (with tutorial video)
• White Paper: Federated Identity and Software as a Service (SaaS): Single Sign-on to the Cloud

Purewire
• White Paper: Hackers Announce Open Season on Web 2.0 Users and Browsers. Understand the complete Web security threat landscape; learn best practices to keep the Web productive and safe.
• White Paper: Security-as-a-Service — How SaaS Can Improve Your Organization's Security. Discover the shortcomings of on-premise security solutions and how SaaS can improve your organization's security posture.
• Analyst Opinion: Purewire Vendor Profile. Hear from the experts at IDC how to protect your organization from malicious destinations, objects, hackers and attacks.
• FREE Interactive Educational Webcast: Why URL Filtering Isn't Enough! Learn what's happening in your environment, vulnerabilities facing your organization's confidential data, and how to defend your users and your network against malicious Web activity.
• FREE Trial: Web Security SaaS