Operation complexity of e-security driving the adoption of managed security services
One of the many challenges for FSPs during an economic downturn is maintaining their security posture with shrinking resources. With hackers and viruses becoming ever more sophisticated, security has stopped being a series of protective product installations and become instead a full-time, 24x7x365 process. It is simply not enough to deploy point products, or even families of products, and assume that the organisation is safe. All of the various products require ongoing maintenance, frequent patches, updates and proactive management. This is obvious for signature-based systems such as virus scanners and intrusion detection systems, but perhaps not as obvious (but equally important) for devices such as firewalls.
As such, there is an increasing 'stealth trend' for large financial institutions to outsource this maintenance and management process to managed security service providers. This represents a significant sea-change in attitudes towards both security and what companies will entrust to a third party outsourcing partner.
There have been numerous instances of FSPs allegedly outsourcing their security. When you read into the details this is not quite the case. Financial institutions are outsourcing some aspects of their security infrastructure. Typically this will be the operational aspects of the primary IT defence and detection systems, such as firewalls and intrusion detection systems (IDS).
However, a FSP's website and web services still leaves it dangerously exposed - the network perimeter can no longer be like an impenetrable wall, rather it has to be porous, letting in customers and partners crucial to doing one's business. It is perhaps not surprising then that most hack attacks are http based, bypassing the firewall and aimed at the web server, in order to exploit the "seams" between applications.
Online banks, such as Egg, cannot afford to have their security breached. It has taken time for web-based financial services to build sufficient customer confidence, a successful hack attack can set this process back months and have a significant impact upon revenue and transaction volume. Website defacement, despite the company website residing on a server unconnected to those holding customer data, is a visual warning to prospective customers that the FSP is incapable and/or uncommitted to providing necessary security levels.
A recent Gartner report predicted that by 2005, 60 percent of organisations would be outsourcing the monitoring of at least one perimeter security technology. Why are FSPs doing this? It would appear to be against the general accepted principles of security, but there are a number of advantages. Firstly it can dramatically reduce the associated costs. Secondly, by outsourcing the management and monitoring of the firewalls and IDS systems a company frees up valuable IT resources.
Information security infrastructure can be very complex, comprising of different products such as firewalls, intrusion detection systems, VPNs, anti-virus systems and web server shields. Typically, these solutions will be from different vendors. With such a complex environment it becomes a challenge to manage and monitor all these devices. Not only do you need highly skilled security staff, but you also need them round-the-clock, as security is by definition a 24/7/365 process.