As IT leaders have grown more comfortable with the security of software-as-a-service offerings and cloud storage, they also have started turning to cloud-based managed security services. For everything from commoditized basic services such as vulnerability testing and cloud security gateways to more sophisticated identity management and threat analysis, public-sector chief information security officers are growing more willing to consider managed security service providers (MSSPs).
Cost savings are one obvious consideration, but so is the fact that state and local governments are finding it next to impossible to compete with the private sector for cybersecurity talent. In a 2015 NASCIO state government IT workforce study, 67 percent of respondents said security was the most difficult position to fill and retain.
“Security is becoming highly specialized, and we are having a very difficult time finding appropriate people to do in-house security,” said Ralph Johnson, chief information security and privacy officer of King County, Wash. A managed security services team, by contrast, often has the expertise and concentration he needs. For example, King County uses a managed security service for its network log and security event management. “For me to appropriately run that with an in-house solution, I would have had to hire three staffers and that would have been their sole function,” Johnson explained. “That would cost me $1.5 million over five years. I got a managed security product from a vendor that cost me $850,000 over the same time period.”
The decision to consider managed security services is akin to other outsourcing decisions, in that the most generic pieces are the easiest to give away, said Wolfgang Kandek, chief technical officer of Qualys Inc., which offers a suite of Web-based security and compliance applications.
“Email is an example,” Kandek explained. It’s important in terms of productivity, but not a distinguishing characteristic of your organization, so why devote your IT resources to running the best email system possible? “You can easily outsource and free up some people to work on more noble things in IT,” he said. “The same thing is happening with security. A bunch of things in security can be automated and given away to third parties.”
A 2014 Gartner market trend report predicted that the cloud-based security services market, which includes secure email or Web gateways, identity and access management, remote vulnerability assessment, and security information and event management, would hit $4.13 billion by 2017.
King County is just starting to redesign a security process around public key infrastructure certificate authorities. “My staff is not expert enough to do what I want to do,” Johnson said. This function should never be in-house unless an agency has staff members who can properly manage it, he added. There are service providers that have the expertise and the processes in place for revoking and issuing certificates. “We don’t have to build it,” he said. “They have already got it, and the prices are reasonable.”
In terms of what to outsource, organizations tend to start with reactive security, such as firewalls and intrusion detection systems, and then move to more proactive threat intelligence, seeking to gain visibility into their environment through security information and event management tools, said Christina Richmond, IDC’s program director for security services. Proactive security, she said, involves gathering threat intelligence not just from your network, but also from a broader group of networks. Managed security services can help customers gain visibility into advanced threats and shut them down more proactively. “Some providers such as FireEye and Mandiant are using big data and analytics to figure out more about the threat actors so they can start to move from proactive to predictive,” she said.
Michael Montecillo, director of security intelligence for IBM Security, said that the aspects of security that CISOs are comfortable outsourcing depend on the overall IT environment. “The first step is usually looking at commoditized security activities — things that are resource-intensive, costly and they don’t want to do them anymore,” said Montecillo, who once served as the vulnerability management coordinator in Michigan’s Office of Enterprise Security.
He makes a distinction between very small organizations, like town governments, where typically there are a few IT staffers who work on network infrastructure and also are responsible for security, and a state agency that might have a CISO and a more mature approach. (IBM survey research found that organizations that have a CISO are likelier to adopt security as a service from the cloud.)
“When you have a CISO, you are developing a road map and identifying services you can outsource to maintain your capability or enhance it,” Montecillo said. “But in a smaller environment, you don’t have that road map, and the adoption of these services tends to be more ad hoc, which slows the adoption rate. You might have five issues in security, but the budget to only move one to an as-a-service model now. Which one do you pick?”
Jim Moore, IT director of Woodstock, Ga., is the type of IT executive who turns to security services out of necessity. With only a three-person department, he automates whatever he can. “We are 24/7 with police and fire, which you can’t really cover with three people,” he said. “Extending your staff with a service, you have people who think about security all the time, deal with it rather than being one of the 40 or 50 hats we have to wear.”
Woodstock implemented Microsoft Office 365 earlier this year and has turned to Web-based Centrify for Office 365 for Active Directory-based user provisioning, single sign-on and mobile management. Employees can access all Office 365 clients and other SaaS, mobile and on-premises apps through a Centrify user portal.
“The Human Resources Department uses several online resources,” Moore said. “One of our HR employees literally kept a notebook with all the various log-ins. If that person left or if they left that notebook somewhere, we could have had a security issue.” The city also uses Mimecast, a cloud-based email security solution that provides protection from malware, spam and data leakage, he added.
Edward Block, CISO of Texas, said small to medium-sized state agencies are more likely to turn to managed services. “The idea that they would have a firewall expert on staff is not really realistic,” Block said. “They don’t need a firewall expert 40 hours a week. They need it 40 hours a month, or even a year. So if they go with an MSSP, they can procure someone who lives and breathes that technology for the period of time they need it. They are not sacrificing expertise by trying to find a jack-of-all-trades.”
Although its IT structure is federated rather than consolidated, the Texas Department of Information Resources is planning to do a feasibility study for a statewide identity access management solution. “We will look at whether it makes sense to do that internally or if it is better suited as an outsourced, cloud-based service,” Block said.
But not all CISOs are comfortable with the idea of identity and access management in the cloud. “I don’t support outsourcing the keys to the kingdom,” said Agnes Kirk, CISO for Washington state. “That authentication and ID management are how we ensure we are protecting privacy and data entrusted to us.”
IBM’s Montecillo said identity and access management as a service could have a lot of benefits. “The caution is if you don’t have a strategy in place, and you don’t understand what some of the iterative steps are to be able to adopt that model, you could get in trouble if you try to jump from step one to step five without progressing along a maturity curve.” A good service provider will work with clients to help them develop the road map and integrate that capability in a model where they can avoid pitfalls, he added.
Washington is both a customer of MSSPs for services like vulnerability assessments and a service provider itself. The central IT organization offers a variety of services to state agencies. The state provides a set of common security services that agencies use so they don’t have to duplicate the cost and effort of implementation. These include perimeter security, logging and monitoring, forward proxy services, a secure single sign-on portal to state applications, and vulnerability management. The cost is covered by the state through an internal transfer process.
“We are finding a good mix between on-premises and cloud services, and we make that determination through a full risk assessment,” Kirk said. “We continually evaluate managed services offerings to determine when it makes sense to leverage a third party.”
Public-sector organizations have some challenges not faced by the private sector, Kirk added. As states move to provide services anywhere, anytime, it becomes harder to keep track of information and ensure it’s appropriately protected. As the state outsources various types of services, the requirement to find and retrieve information does not change or transfer to third parties, she noted. “That means you must have the ability to know where your data is, who touched it and when, retrieve all copies of it, and provide it in a timely fashion,” she said. “If the state does not manage its third-party relationships well, that could create unexpected risk.”
Like many other states, to augment its services and expertise, Washington turns to Multi-State Information Sharing and Analysis Center (MS-ISAC) services such as log analysis and threat information sharing. “They provide information that is specific not only to our state but all the other states,” Kirk said. “That makes them a valuable partner in the security space. If we have an incident and need to quickly analyze logs to determine the extent, MS-ISAC has a free service to do that for us. They are great at that.” (MS-ISAC is funded by the U.S. Department of Homeland Security and provides most of its services at no cost to state and local governments.)
The need for security services is increasing because so much more data traffic from employees is bound for the Internet rather than the data center. “You still need to protect the data centers in a traditional way, but all Internet traffic needs to go through security checkpoints, and a Web service makes sense for that,” said Jay Chaudhry, CEO of Zscaler, a multi-tenant, distributed cloud security platform.
So for example, he said, New York now points the Internet-bound traffic of state employees to Zscaler, which also works with other states, counties and school districts. “We are acting as a checkpoint to make sure nothing bad comes in and nothing leaks out,” Chaudhry said. “Email security and vulnerability assessment are now done regularly in the cloud. The next natural step is to have the traffic headed to the Internet go through a checkpoint to be inspected. With more applications moving to the cloud and users increasingly mobile, cloud services will be the only way to do security.”