‘Managed Security Services’ seems to be one of the new buzzwords in the ICT sector. When signing up with a Managed Security Service Provider (MSSP), this company takes over the real-time monitoring, management and support of your security devices on a 24x7x365 basis. These devices can include firewalls, VPNs, intrusion detection systems, anti-virus systems, etc., and a strong Service Level Agreement (SLA) is put in place to ensure the quality of service delivered by the MSSP. Don’t be mistaken: selecting a managed security service does not mean you outsource the whole ‘security problem’. As a company, you remain responsible for your own security policy. There are two principal reasons why the concept of managed security is so well received by financial institutions around the world. The first has to do with legal requirements and recommendations. The second lies in the operational complexity of e-security.
Legal requirements leading to new e-security challenges
Financial organisations and service providers (FSPs) are confronted with numerous legal requirements and recommendations. One prominent example is the ‘Basel Capital Accord’ from the Basel Committee. More than a decade has passed since the Basel Committee on Banking Supervision (the “Committee”) introduced its 1988 Capital Accord (the “Accord”). The original framework described a capital measurement system for financial institutions, requiring them to hold capital equal to at least 8% of their risk-weighted assets. The Accord is enforced by regulatory agencies in the so-called G-10 countries, and is applicable to all internationally active banking institutions.
The business of banking, risk management practices, supervisory approaches, and financial markets have each undergone significant transformation since 1988. That is why in June 1999 the Committee released a proposal to replace the Accord with a more risk-sensitive framework. This Basel II Capital Accord is expected to be effective as of 2006.
The 1988 Accord focussed on the total amount of bank capital, which is vital in reducing the risk of bank insolvency and the potential cost of a bank’s failure for depositors. The 1988 Accord set a capital requirement simply in terms of credit risk (the principal risk for banks), though the overall capital requirement (i.e., the 8% minimum ratio) was intended to cover other risks as well.
In 1996, market risk exposures were added as a second separate type of risk and were given separate capital charges. The new framework of Basel II will introduce operational risk as a third type. The Committee has been working with the industry to develop a suitable capital charge for these operational risks; for example, the risk of loss from computer failures, poor documentation or fraud. Based on work to date, the Committee expects operational risk on average to constitute approximately 20% of the overall capital requirements. IT risks, such as the risk of being hacked and the risk of online fraud, are important elements in this.
The higher these operational risks, the higher the capital requirements. It is therefore key to minimise these risks as much as possible. As such, the new Basel recommendations are a clear incentive for banks to use sophisticated risk management methodologies, use advanced methods for calculating their capital requirements and enhance their control environment.
An advanced Managed Security Service can help financial institutions to quantify IT risks and to identify which steps have the highest marginal impact in reducing them, since an overall reduction of operational risk will lead to lower capital requirements. For a financial institution, reducing the capital requirement by even a few basis points has significant profit and loss implications.
Apart from sector-specific requirements such as the Basel Accord, more generic legislation on computer crime and privacy (e.g. the Data Protection Act 1998) forms a clear incentive for financial institutions to streamline security risk management on a company-wide level.
Operational complexity of e-security driving the adoption of managed security services
One of the many challenges for FSPs during an economic downturn is maintaining their security posture with shrinking resources. With hackers and viruses becoming ever more sophisticated, security has stopped being a series of protective product installations and become instead a full-time, 24x7x365 process. It is simply not enough to deploy point products, or even families of products, and assume that the organisation is safe. All of the various products require ongoing maintenance, frequent patches, updates and proactive management. This is obvious for signature-based systems such as virus scanners and intrusion detection systems, but perhaps not as obvious (though equally important) for devices such as firewalls, whose rulebases drift and whose software needs patching like any other.
As such, there is an increasing ‘stealth trend’ for large financial institutions to outsource this maintenance and management process to managed security service providers. This represents a significant sea change in attitudes towards both security and what companies will entrust to a third-party outsourcing partner.
There have been numerous instances of FSPs allegedly outsourcing their security. When you read into the details this is not quite the case. Financial institutions are outsourcing some aspects of their security infrastructure. Typically this will be the operational aspects of the primary IT defence and detection systems, such as firewalls and intrusion detection systems (IDS).
However, an FSP’s website and web services still leave it dangerously exposed. The network perimeter can no longer be an impenetrable wall; it has to be porous, letting in the customers and partners crucial to doing business. It is perhaps not surprising, then, that most hack attacks are HTTP-based: they pass straight through the firewall on the ports it must leave open for web traffic, which the firewall cannot inspect at the application layer, and are aimed at the web server in order to exploit the “seams” between applications.
Online banks, such as Egg, cannot afford to have their security breached. It has taken time for web-based financial services to build sufficient customer confidence; a successful hack attack can set this process back months and have a significant impact upon revenue and transaction volume. Website defacement, even when the company website resides on a server unconnected to those holding customer data, is a visible warning to prospective customers that the FSP is incapable of, or uncommitted to, providing the necessary level of security.
A recent Gartner report predicted that by 2005, 60 percent of organisations would be outsourcing the monitoring of at least one perimeter security technology. Why are FSPs doing this? It would appear to go against the generally accepted principles of security, but there are a number of advantages. Firstly, it can dramatically reduce the associated costs. Secondly, by outsourcing the management and monitoring of the firewalls and IDS systems a company frees up valuable IT resources.
Information security infrastructure can be very complex, comprising different products such as firewalls, intrusion detection systems, VPNs, anti-virus systems and web server shields. Typically, these solutions will be from different vendors. With such a complex environment it becomes a challenge to manage and monitor all these devices. Not only do you need highly skilled security staff, but you also need them round the clock, as security is by definition a 24/7/365 process.
Providing the resources to maintain and monitor the environment on a 24-hour basis requires a lot of manpower, and the costs are therefore high. By outsourcing time-consuming, repetitive tasks, FSPs can focus their own security resources on activities that support the security objectives, such as overall policy compliance. Selecting a quality managed security services partner will allow institutions to improve their security posture while managing the costs.
As stated earlier, what is being outsourced is the operational aspects of some security technologies. Organisations will not and should not outsource their security responsibilities. They will still need to develop a security management infrastructure and supporting processes. This will include governance of the outsourced services and how the security partner interfaces with the FSP. Perhaps a better term is “co-sourcing”, to indicate the overall control and responsibilities that the FSP retains.
For an organisation to achieve the best results, the security infrastructure needs to be in place, or at least defined, before it invests in any Internet security products or services. Organisations need to carefully select the appropriate co-sourcing partner. They will also need to pay due care to the terms and conditions of the contract. This will have to capture the types of service and service levels required by the organisation, not those that can conveniently be provided by the supplier.
Key criteria for selecting a managed security service provider will be the responsiveness and the quality of the services provided. Trust in the supplier will also be an important factor as will a global presence for large international organisations.
One possible pitfall which should not be underestimated is the internal politics that can arise. Technical operational teams may well resent and resist attempts to take ownership of their cherished firewalls away from them. While this is not strictly what happens, in that the teams will still own the equipment and specify what changes are to be made, it is still a difficult mindset to overcome. Care has to be taken to involve all parties and ensure a smooth transition from the in-house support teams to the co-sourcing supplier.
While there are possible pitfalls when co-sourcing to a managed security services provider, the substantial benefits are there to be gained. This is why so many institutions are considering engaging a managed security services partner. For the maximum benefit it will need an initial effort on the part of the client organisation to select a supplier and then to specify the services required. However, such effort would be well rewarded.
FSPs have been outsourcing their physical security for decades, including the key security requirements for the transfer of funds. The outsourcing of electronic security is the next logical step.