The risks and threats that companies face in protecting confidential information are making them look for outside expertise in managing security. Hacking incidents, losing data in transit, storing transaction data in violation of company policy, money laundering: all of these form a witches' brew of vulnerabilities that can easily lead to losses in the millions of dollars in the form of lawsuits, regulatory actions and reputation damage.
It's no wonder, then, that managed-security service providers are stepping forward to relieve corporate information-security officers of the burden of protecting sensitive data. Such providers can eliminate the pitfalls of managing and monitoring security devices and events, and ensure a rapid response to real threats.
Obtaining security services on an outsourced or offshore basis, or both, demands an understanding of what such services are, as well as the ability to subject a company's security policies, technology and standards to objective scrutiny by a third party. Since data are the crown jewels of most enterprises, they have to look carefully before entrusting their protection to an outside party.
Management and Monitoring
The types of services offered under the managed-security umbrella fall into two categories, each essential to an enterprise's security strategy. Security management deals with the management and maintenance of security devices such as firewalls, Intrusion Detection Systems (IDS), servers and routers. Security monitoring employs sophisticated expertise to analyze the data that flows across multiple devices throughout an enterprise.
Security management encompasses fault management, including notification when a security device ceases to function and periodic reports on the operational status of security devices; configuration management, which covers security device application and operating system modifications and upgrades; and performance management, which includes statistics on speed and efficiency of networks, identification of network bottlenecks and logging data generated by security devices.
Security monitoring includes data collection, for example the process of collecting security-device data, such as firewall logs and IDS alerts, and transforming it into a standardized, actionable format; data mining, including cross-correlation of data across different devices and domains; security-event correlation, by which signs of malicious activity are grouped by logical criteria, enabling analysts to navigate millions of lines of code for clues about threat vectors; and expert response, ranging from simple notifications to alerting law-enforcement agencies.
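The collection, normalization and correlation steps described above, as an added illustration that is not part of the original article or of any provider's product: two constructed device formats (a hypothetical firewall line and a hypothetical IDS alert) are transformed into one standardized record, grouped by source address, and turned into a finding with a severity that a response tier could act on.

```python
import re
from collections import defaultdict

# Constructed sample records in two hypothetical device formats (not real logs).
FIREWALL_LOGS = [
    "2024-05-01T10:00:01 fw01 DENY src=203.0.113.5 dst=10.0.0.8 dport=22",
    "2024-05-01T10:00:02 fw01 DENY src=203.0.113.5 dst=10.0.0.8 dport=23",
    "2024-05-01T10:00:03 fw01 ALLOW src=198.51.100.7 dst=10.0.0.9 dport=443",
]
IDS_ALERTS = [
    "2024-05-01T10:00:05 ids01 ALERT sig=SSH-BRUTE src=203.0.113.5 dst=10.0.0.8",
]

FW_RE = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)$")
IDS_RE = re.compile(r"^(\S+) (\S+) ALERT sig=(\S+) src=(\S+) dst=(\S+)$")

def normalize(line):
    """Data collection: turn one raw device line into a standardized event dict."""
    m = FW_RE.match(line)
    if m:
        ts, dev, action, src, dst, dport = m.groups()
        return {"ts": ts, "device": dev, "type": "firewall", "action": action,
                "src": src, "dst": dst, "detail": f"dport={dport}"}
    m = IDS_RE.match(line)
    if m:
        ts, dev, sig, src, dst = m.groups()
        return {"ts": ts, "device": dev, "type": "ids", "action": "ALERT",
                "src": src, "dst": dst, "detail": f"sig={sig}"}
    return None  # unknown format: dropped rather than guessed at

def correlate(events, deny_threshold=2):
    """Event correlation: group by source; flag sources seen on more than one
    device type, or with repeated denies, and assign a severity for response."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    findings = []
    for src, evs in by_src.items():
        device_types = {e["type"] for e in evs}
        denies = sum(1 for e in evs if e["action"] == "DENY")
        if len(device_types) > 1 or denies >= deny_threshold:
            severity = "high" if len(device_types) > 1 else "medium"
            findings.append({"src": src, "devices": sorted(device_types),
                             "denies": denies, "events": len(evs), "severity": severity})
    return findings

def run(firewall_logs=FIREWALL_LOGS, ids_alerts=IDS_ALERTS):
    """Full pipeline over the constructed sample: normalize, then correlate."""
    events = [e for e in map(normalize, firewall_logs + ids_alerts) if e]
    return correlate(events)
```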
Security Engagement
This type of protection doesn't come easy or cheap. Providers of outsourced IT-infrastructure services must maintain tight controls over access to sensitive data and programs, as well as ensure that each client's data is kept separate from others'. Getting security officers to accept the idea of a shared infrastructure for security services can be a formidable hurdle. "Initially, customers may insist on having dedicated resources, but will gravitate toward shared resources for economy and in order to take advantage of the latest technologies," says Nick Sharma, Global Head, Infrastructure Management Services, Satyam Computer Services, which provides hosted infrastructure services from a central data center in Chennai, India, as well as other local sites, including Cleveland in the U.S.A.
Sharma further adds that infrastructure services, including security, make up a small percentage of Satyam's business, which is heavily based on software development. However, they represent the next wave of outsourced services for Satyam and other global service providers.
"An engagement begins with a detailed security audit, which provides the foundation for creating a security architecture," he says. This requires different kinds of experts: those proficient in understanding and interpreting the security aspects of laws and regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley and HIPAA, as well as technologists skilled at engineering a secure network, making threat assessments and developing business-continuity plans.
"Among the many questions that need to be answered are: What policies and processes are needed? Where does data flow, and to whom? Who gets security clearance for access to sensitive information, and what policy is there for granting and revoking clearances? How do you maintain physical and perimeter security?" says Sharma.