The Evolving Managed Security Model



Hybrid Managed Services Offer the Best of Both Worlds for Security Deployments

Shared computing services have come full circle. What was once known as “time sharing” was necessary due to the high cost of computing. As mini-computers took over, traditional software companies began to offer their applications over the Internet as Application Service Providers. This gave way to Software as a Service, Managed Service Providers, and now Cloud Computing. The names have changed, but the business case has remained constant; a vendor provides management of computers and software so that its customers can focus on their core businesses. For the customer, the result is a lower capital cost, accelerated time to value, and predictable operating expenses.

The model makes sense. If a central organization can manage their specialized software and the required hardware, their customers’ lives are simplified. We’ve seen successful models across markets, including Salesforce.com, DemandWare, NetSuite and Ultimate Software. Security offerings trailed the market, though are catching up; Veracode and Qualys provide cloud security services exclusively.

The argument against using third parties for security has focused around control. Some organizations believe that having the tools reside on premise and operated by full time employees provides the most reliable model. More importantly, they don’t want their security information (often vulnerabilities in unpatched infrastructure or applications) “in the cloud."

In most cases, a stronger argument is to leverage the resources and expertise of a trusted partner/vendor. Security resources are scarce in every organization. Learning to use a security tool properly, whether in configuring it or analyzing the results, requires specialized skills. Recently, this has driven the market for web application penetration testing by scores of security service vendors. A good managed service model will provide 24x7 monitoring and timely alerts. Just as important, it can provide the appropriate contextual and actionable information for internal teams.

If running the software yourself is impractical and outsourcing the responsibility is undesirable, a third model is emerging; on premise hosting of the software/hardware. In this model, the vendor supplies and manages the hardware and software to the application level, while the customer runs the application itself. All management and results remain with the customer, but IT responsibilities remain with the vendor. This "best of both worlds" approach allows organizations with available security bandwidth to manage their own security software without burdening IT with supporting another application. Up front capital expenses are minimized and concerns about third-parties accessing sensitive data are eliminated.

Mike Pittenger

Customer Spotlight: Deploying a Data Protection Program in Less Than 120 Days

Michael Ring, IT Security Architect at Jabil Circuit shares how they deployed Digital Guardian to over 40,000 users in less than 120 days. Watch the webinar on demand now.

Watch Now

Related Articles
Gadgets That Eavesdrop

This holiday season you might be receiving a voice-controlled gadget – a voice controlled TV, a phone, or even an Amazon Echo. The convenience of this is obvious. But what about the downside? In order for the device to respond to your command – even its wake up command – it must, by definition, be listening. And it could be listening – and recording – a business-related conversation.

Feeling the Heat with Data Loss

Since heat is a natural byproduct of digital computation, why not use this electromagnetic emanation as a bypass for air-gap systems?

Are employees slowly leaking data by adopting new communications services?

We’ve seen a lot of reports on encrypted messaging applications in the news recently, but one question remains unanswered: are data leaks via these applications a real risk for enterprises today?

Mike Pittenger

Mike Pittenger is vice president, security strategy at Black Duck Software. Mike has over 30 years of technology business experience, including over 15 in application security. He was a co-founder of Veracode and led the product divisions of @stake and Cigital. He can be reached at mwpittenger [at] caddisadvisors.com.

Please post your comments here