The Evolving Managed Security Model



Hybrid Managed Services Offer the Best of Both Worlds for Security Deployments

Shared computing services have come full circle. What was once known as “time sharing” was necessary due to the high cost of computing. As mini-computers took over, traditional software companies began to offer their applications over the Internet as Application Service Providers. This gave way to Software as a Service, Managed Service Providers, and now Cloud Computing. The names have changed, but the business case has remained constant; a vendor provides management of computers and software so that its customers can focus on their core businesses. For the customer, the result is a lower capital cost, accelerated time to value, and predictable operating expenses.

The model makes sense. If a central organization can manage their specialized software and the required hardware, their customers’ lives are simplified. We’ve seen successful models across markets, including Salesforce.com, DemandWare, NetSuite and Ultimate Software. Security offerings trailed the market, though are catching up; Veracode and Qualys provide cloud security services exclusively.

The argument against using third parties for security has focused around control. Some organizations believe that having the tools reside on premise and operated by full time employees provides the most reliable model. More importantly, they don’t want their security information (often vulnerabilities in unpatched infrastructure or applications) “in the cloud."

In most cases, a stronger argument is to leverage the resources and expertise of a trusted partner/vendor. Security resources are scarce in every organization. Learning to use a security tool properly, whether in configuring it or analyzing the results, requires specialized skills. Recently, this has driven the market for web application penetration testing by scores of security service vendors. A good managed service model will provide 24x7 monitoring and timely alerts. Just as important, it can provide the appropriate contextual and actionable information for internal teams.

If running the software yourself is impractical and outsourcing the responsibility is undesirable, a third model is emerging; on premise hosting of the software/hardware. In this model, the vendor supplies and manages the hardware and software to the application level, while the customer runs the application itself. All management and results remain with the customer, but IT responsibilities remain with the vendor. This "best of both worlds" approach allows organizations with available security bandwidth to manage their own security software without burdening IT with supporting another application. Up front capital expenses are minimized and concerns about third-parties accessing sensitive data are eliminated.

Mike Pittenger

Customer Spotlight: Deploying a Data Protection Program in Less Than 120 Days

Michael Ring, IT Security Architect at Jabil Circuit shares how they deployed Digital Guardian to over 40,000 users in less than 120 days. Watch the webinar on demand now.

Watch Now

Related Articles
Law Firm Hacks Underscore Third Party Risk

The FBI is investigating attacks on prominent law firms, apparently aimed at stealing sensitive data related to business deals, underscoring the risk of third party data breaches.

What does GDPR mean for you?

With its enforcement date approaching, here are some key points to consider in preparing your organisation for GDPR compliance.

Findings from the 2015 Ponemon Institute Cost of Cybercrime Study: The Threats vs. Defenses Gap

Last month the Ponemon Institute released its annual Cost of Cybercrime report covering damages from cybercrimes in the past year. Here are some of the key findings.

Mike Pittenger

Mike Pittenger is vice president, security strategy at Black Duck Software. Mike has over 30 years of technology business experience, including over 15 in application security. He was a co-founder of Veracode and led the product divisions of @stake and Cigital. He can be reached at mwpittenger [at] caddisadvisors.com.

Please post your comments here