Resellers Lock Up Revenue with Managed Network Security

By Tara Seals

With threats to corporate networks becoming more sophisticated, many companies’ typical security approach - installing firewalls and running antivirus software on its PCs - is proving a shaky defense. A new need for an approach to security that goes beyond the network borders is creating a strong managed services play for service providers and resellers.

“Security is moving from the network perimeter further into the enterprise to critical network links, key hosts and servers, databases and end user workstations,” notes Matthew Kovar, the Yankee Group’s security solutions and services analyst, in a research note. “It also is moving from a pure network-centric protection domain up to the applications and users.
The network no longer defines how information is accessed and secured; rather, the applications and users dictate how communications are conducted.”

What with e-mail traffic (a notoriously dangerous hole in the fence) continuing to grow, the rise of systems integration with partner networks, ad hoc swapping of information by FTP, disk or download, and barely regulated remote and teleworkers, there are broad avenues of attack the network administrator has to worry about. A firewall just won’t cut it.

To meet increasingly pervasive bands of marauders with any hope of emerging unharmed requires training, good weapons and constant vigilance. To most organizations, that sounds like a job for a security squad. It also sounds expensive and complex. Those observations would be correct, and it’s as much of problem for the small to midsize company with limited resources as it is for the large enterprise with various systems and thousands of users in multiple locations it needs to keep on top of. Thus, managed security services represent a way to make a daunting task, well, manageable.

The approach typically consists of software loaded on a platform or standalone devices, deployed at the customer premise but managed remotely by managed security providers that monitor, maintain and update corporate communications security. Companies pay a monthly subscription fee for the protection.

Forecasted by the Yankee Group to grow 65 percent this year and from $1.9 billion last year to $3.7 billion by 2008, managed security offers significant market for resellers. The option also provides for monthly residual income from the subscriptions. And, it’s a play that applies to a wide swath of organizations, from small to large.

NTT/Verio Inc., through a joint venture with ISS, offers IntelliSecurity Managed Solutions, a modular product set that can be customized according to customer size and needs. “It requires skill, expertise and constant training to keep up. You can’t be out madly scanning all the security sites for the latest signatures, so having someone to do that intelligently is a real value,” explains Lloyd Kiltz, director of technical sales for the viaVerio partner program. “That’s the message resellers need to have.”

Managed security also can lead to other things. “Resellers were deploying premise-based best-of-breed services and products and layering management on top,” says Cliff Young, CEO at ClearPath Networks Inc. “If a company had an application that needed to be deployed, it couldn’t because the underlying infrastructure was too expensive, and resellers were losing. Under a managed model, they can bundle functions and become application deployment specialists - and make recurring revenue.”

A FULL QUIVER

To fully take advantage of the opportunities in the market, resellers and service providers would do well to become security deployment specialists. One big obstacle in security is understanding the different areas of protection. Like the days of the American frontier, England in Robin Hood’s time or even the post-apocalyptic world of “The Road Warrior,” the biggest problem is a lack of centralized law enforcement.

There’s no FBI in cyberspace, no agency alerting us to potential threats and precautions to take. Every organization is on its own, and travels the Internet at its own risk, using a hodge-podge of defenses available from a jumbled mess of vendors.

Resellers can provide the kind of leadership a wary company needs. “Resellers need a checklist,” says Russell Morgan, president if the Information Technology Solution Providers Alliance (ITSPA). “There hasn’t been a systematic approach in the past, and the vendors have all come at security in different ways. There’s no standard way to approach it.”

He says solutions providers should be up to speed on individual vendors’ offers, deploy a sales force to sell security assessments, then offer a consultative approach where the reseller looks at the environment and sells any components that are missing. “Fundamentally there’s an assembly process that’s going to occur at the reseller level.”

For example, end user behavior and remote endpoints are an overlooked threat area. For instance, workers with unrestricted access to the Internet could unwittingly download a virus. Or, if a worker uses a home PC to do some weekend work, she may not have a VPN to connect to the corporate network, or she might not have updated the virus definitions often enough. Traveling workers also pose a concern. “Increasingly, we’re seeing enterprise users who don’t come back to the VPN, because maybe they don’t need the corporate intranet because they’re checking Web-based e-mail, etc.,” says Rick Bilodeau, director of corporate marketing for iPass.

“So they could be hanging around the Internet without the VPN protection.
They can get infected and stay that way for a long time. And if the fix is driven out from the corporate network, we see effects as in the virus and worm attacks last fall. It was a two-bump phenomenon - one wave at first, and another as remote users came back.”

Similarly, Wi-Fi hotspots pose risks. “Without stringent security policies, a trusted provider and automated client software, mobile workers and the corporate networks they connect to can be vulnerable to malicious attacks when utilizing unfamiliar Wi-Fi access points,” says Eric Paulak, research vice president at Gartner Inc.

Resellers can offer managed services as a fix for these concerns. Many continually monitor end-user connections and generate reports the reseller can use to define security policies for end-user behavior that can then be implemented within the managed service.

AT&T Corp. has introduced a service available through VARs and on a private-label basis, with an embedded firewall and policy enforcement, so that infected machines coming in from a remote access/VPN client or those out of compliance cant authenticate, and are fenced off and quarantined.

Another area for resellers to understand encompasses firewalls, intrusion detection and prevention, the flagship area of Internet security from the beginning.

“The firewall is the lock on the doors of the bank,” explains Kiltz. “But once you have the key to the door, you’re in. So you have closed circuit camera surveillance and recording, and that’s intrusion detection.
Intrusion protection systems are the security guards in the bank that can walk over and stop you from doing what you’re doing.”

Resellers could position a managed solution as a way to make these basic services productivity-bolstering. “The nature of the threats are changing there are new intrusion detection signatures being developed every day by hackers. Viruses are constantly changing. Firewalls stay the same, so you can buy it and a year later it will still give you good security, but the other threats change,” says ClearPath’s Young. “A basic challenge is maintenance, and it can be quite onerous. Security administrators must proactively go out and download virus protections on a constant basis.” Thus, managed models allow companies to focus on other areas beyond the basics.

There are also ongoing security assessments and professional services such as audits to consider as an offer. “The Achilles’ heel for nearly every enterprise remains the potentially exploitable vulnerabilities that are not addressed by [network security perimeter defenses],” writes the Yankee Group’s Kovar. “Unpatched, outdated and misconfigured software is the choice target of hackers. A continuous assessment of not only external but also internal network and application infrastructure is necessary to identify vulnerabilities and mitigate them in a timely manner.”

For instance, Verio’s vulnerability assessments start inside the telecom network, scan all the devices and log the vulnerabilities, where the patches are improperly applied, misconfigurations, default passwords still in place and so on. Then the service, available through Verio’s resellers, generates different reports aimed from the executive level to the tech that has to fix it, listing remedies.

“Security also is an issue that never gets solved,” says ITSPA’s Morgan. “Whatever you do today won’t be good three months from now. So, at a minimum, a quarterly review to audit business processes and everything else that has a bearing on the security of the network is a good idea for resellers to offer.”

Content filtering, e-mail scanning and spam is yet another practice area. BorderWare’s CEO, John Alsop, explains that “most companies have no idea how much e-mail, spam or viruses they have coming in, so it’s hard for them to make intelligent decisions. Lots of companies will purchase and run products themselves if they’re big enough to have an IT person on that level of skill and the resources to apply. But many would rather outsource.”

ISPs and other service providers can provide customers BorderWare protection by placing CPE at the customer site and managing it remotely through a secure browser interface. Or, the CPE can be installed at the service provider and have the traffic flow through them. One service provider capitalizing on the space is Aaron Miller, president at ALM Technologies LLC. Miller routes inbound e-mail traffic through his network.

“I clean up inbound e-mail for spam and viruses and perform message backup, using the BorderWare appliance,” he says. “Almost everyone has some type of virus protection. But usually it still ends up clogging the system. I offer a service where those messages never touch the corporate network. I filter the viruses before they reach the message connection, and I never send a message that had ever had viruses attached.”

ALM also scans some outbound mail. “If I see a rash of bogus messages I can call and tell them something’s wrong. Usually with a virus infestation there’s a 5,000 to 10,000 message increase.”

“Over the past year, the distinct product category of e-mail security appliances has emerged,” says BorderWare’s Alsop. “Before, there was a mishmash of point solutions for virus, spam and content filtering, etc. Now there are all-in-one products, which gives service providers a good opportunity.”

THE WELL-LIT PATH

Some overall trends in the managed security space are worth noting. IT security has become a C-level concern, for instance. Point solutions for the practice areas detailed above have given way to more integrated solutions.

And, intelligence is on the rise. Regulatory requirements, including the Health Insurance Portability and Accountability Act (HIPAA), Graham-Leach-Bliley Act (GLBA), Sarbanes-Oxley Act and Basel II elevate security to “an executive-level and boardroom imperative,” according to Yankee Group’s Kovar. For instance, Sarbanes-Oxley has meant corporations have invested in technology, processes and documentation to separate operations from line-of-business activities, he notes. This is good for the managed services business.

“Customers are beginning to tie Internet security to corporate liability in the wake of HIPAA, Sarbanes Oxley and the like,” says Britt Isaac, corporate communications director at NetWolves Corp. “People down the line will turn to managed-service providers because that will insulate them.
They contracted with a known company and did due diligence.” Resellers have an opportunity to act as regulatory compliance consultants.

Also, the security market in general is moving away from point solutions to integrated offers. ClearPath offers the SNAP VPN, a managed device that bundles content filtering, virus scanning at the network level, intrusion detection and prevention, encryption, firewall and a spam filter add-on, available through VARs and service providers. The new version 5.1 includes additional capabilities for traffic management for applications like voice over IP.

Meanwhile, Verio soon will release the ProventiaM, an all-in-one device running one set of software with firewall, anti-spam, antivirus, content filtering, IPS and IDS, and VPN.

“It’s high-speed and doesn’t look at the payload just once - but seven times,” says Kiltz. “It will come in multiple sizes, from the 10- or 15-person shop to large enterprises, and will be available later this year.”

Xspedius Communications LLC will integrate managed security services from TekSecure Labs to provide branded network security monitoring and management reporting, security device procurement, configuration and set-up, and security device maintenance and support. It also will offer fully managed VPN and firewall services “TekSecure Labs delivers a unique service offering for our customers, who rely on Xspedius to help them look beyond the traditional security patches and firewalls currently in place,” says Randall P. Muench, senior vice president of sales and marketing for Xspedius.

Security and connectivity services often operate in different silos, says Bilodeau. “A reseller needs to understand how these are connected, and where from. It’s hard to do real policy enforcement since you don’t know the circumstances and the rules.” Addressing the end user behavior area, iPass has developed iPass Policy Orchestration, which is a management tool that allows various third-party, policy-based security systems to work together more effectively, and gives a comprehensive view of end user behavior from a variety of systems. Orchestration also will secure end points from the moment he or she requests access to the moment the person logs off.

Managed security provider NetWolves has taken it one step further, rolling in the connectivity.

It supplies circuits, endpoint devices with firewall, content filtering, intrusion detection, intelligent failover for dynamic re-routing and VPN security, and management, as a carrier and reseller, along with its own product, the WolfPac, a security platform that acts as the network gatekeeper to control access into and out of a company’s network.

“A financial institution can come to us and get all the equipment, plus our own solution,” says Len Luttinger, NetWolves’ senior vice president of enterprise sales. “We install, configure and support, and it’s a managed and monitored network environment, with one call and one invoice.”

Intelligence is another trend. Cisco Systems Inc. offers Cisco Security Agent, an intrusion detection/prevention system that is behavior-based, so users don’t have to update a security signature to tell it what kind of activity to look for. “It does require tuning and ongoing monitoring to be optimal,” says Alex Thurber, director of wireless and security for worldwide channels at Cisco. “The reseller goes in and sells software and hardware, then works in conjunction with a managed security service provider. They usually remain the main customer contact, since customers want to reduce the number of people they have to contact.”

Cisco is partnering with systems integrators and service providers, such as VerSign Inc. and Jitronics, a systems integrator. Cisco provides the security equipment and network infrastructure, and the partners build and manage the solution as a hosted offer.

The vendor also offers a device a service provider can insert into the network that recognizes an attack, switches over traffic instantly, scrubs the packets and sends them back clean. “Our roadmap is to move to selfdefending networks,” says Thurber. “Security is flowing into the networks and it will become more automatic. It’s not reasonable anymore to see something coming, put out a patch and install it on 1,000 systems in time to prevent a breach.”

AT&T has a similar service. “During denial of service attacks, we can take the traffic, scrub it, and return a clean stream of traffic,” says David Cottingham, from AT&T’s managed security services team. “Individual organizations can’t do this, because they don’t have the network.”

Thinking large is a key to intelligent solutions, explains Jonah Paransky, senior manager of security product management at global giant Symantec, which sells through carriers, VARs and service providers either under the Symantec brand or as part of a total solution, “powered by” Symantec. “Now, we need a real-tile picture of the landscape, showing who’s attacking who and addressing remediation in real time,” Paransky notes. “Our SOC [security operations center] technology platform sifts through a sheer quantity of information, so we can give a global picture of the threat landscape from 200 million systems running anti-virus software, 20,000 centers to help understand how trends propagate. Our deep site early warning services take a look at what the threat landscape looks like, so end users can change the security posture before the attacks. So it proactively addresses emerging threats.”

Thinking Small

Small companies need the same kind of security protection large ones do. In fact, the sharp increase in the volume and severity of threats has many companies taking a look.

ITSPA says security is the No. 1 issue customers in the SMB space are struggling with, and around 75 percent of them are budgeting for it in the coming year. “Resellers could set up a direct mail campaign or seminars, and get the word out, since it’s top of mind for these companies,” says ITSPA President Russell Morgan.

New offers are appearing, such as IP Dynamics’ Self-Service VPN. “We have seen increased interest from service providers who are looking for small business secure connectivity solutions,” says Hasan Alkhatib, CEO at IP Dynamics, which offers a self-service VPN for smaller companies that resellers can sell as a managed solution for around $20 per month. “We’ve have heard that they haven’t offered SMB VPN solutions in the past because CPE solutions are too difficult to deploy to the SMB market and SSL solutions are too limited and don’t support all applications.

“This is easy to sell since it’s Web-based,” he adds. “There is no security liability for the service provider since the end customer administers their own VPN solution through the self service module.” A software-based solution, administrators can perform instant setup, teardown and reconfiguration of dynamic collaborative workgroups and virtual communities.

MegaPath Networks just announced a hosted version of MegaPath Global Remote Access Service (GRAS) for the SMB space that will roll out to resellers later this year.

MegaPath’s GRAS connects mobile workers to the Internet in over 150 countries using analog dial-up and thousands of wired broadband and Wi-Fi public hotspots. It is partnering with iPass Inc. to offer secure access to critical information. The MegaPath Small Biz GRAS and Individual GRAS packages offer businesses an off-the-shelf, easy-to-use software interface with user authentication.

“In order to get more traffic on IP networks, they have to be secure,” says Cisco’s Alex Thurber. “If you can’t trust the network, you’re not going to put mission-critical information on it. We want them to put more and more on the network, because that translates into more opportunities for everyone, especially in the midmarket.

“The threats are getting more sophisticated, but companies don’t have to buy sophisticated stuff to meet the threat,” he adds. “If resellers take that message to the midsized sweet spot customer, they’ll be very successful.”