How would you feel if you were spending 40 percent of your annual IT budget on security—software, hardware and people—but your business-to-business customers still insisted on third-party confirmation that your network was locked down? Probably a lot like Geoff Teekema, CIO at e-Travel Inc., who decided last year to outsource some operations to an MSSP, TruSecure Corp.
So far, Teekema said, although he has chosen not to use the managed security services provider to handle all of e-Travels security operations, the move has enabled his company to reassure its customers that critical information about them in e-Travels systems is safe. Its also had the benefit of helping Teekema reduce overall security costs to between 20 percent and 30 percent of his IT budget, mainly by shifting security-focused employees to other roles.
"Security is probably one of our biggest expenditures, and we felt this was a fairly inexpensive way to ensure we have the best security processes in place," Teekema said.
e-Travel, in Waltham, Mass., isnt the only company turning to an MSSP. Research company Gartner Inc., in Stamford, Conn., estimates that, through 2005, managed security services will be the fastest-growing segment of the security service market. Like e-Travel, most enterprises will continue to control security strategy and policy internally. But many will increase use of shared security services for design, validation, deployment, operation and day-to-day management of security solutions, according to Gartner.
e-Travel, the e-commerce business unit of Amadeus Global Travel Distribution SA, in Madrid, Spain, originally turned to TruSecure to reduce costs and reassure corporate customers that its networks and systems were well-protected. e-Travel provides electronic travel booking and management services to airlines, travel agencies and corporate customers. Employees of e-Travels corporate customers—230 Fortune 1000 companies—can access their travel profiles and book their trips using personalized portals. As a result, e-Travels Oracle Corp. databases house lots of proprietary data, including employee identification numbers and travel schedules. With so much proprietary data at stake, many prospective customers wanted to do their own full-scale security audits of e-Travels infrastructure.
But Teekema didnt want nonemployees rooting around in his data center. So he decided he needed an MSSP to audit his company and to provide security certification that would satisfy his customers. The TruSecure managed service, which is subscription-based and costs Teekema "in the low six figures" per year, provides e-Travel with three tiers of security: intrusion detection, internal scanning, and an assessment of security policies and procedures.
Although TruSecure, of Herndon, Va.—and other MSSPs such as Foundstone Inc., of Mission Viejo, Calif.—also offers a wider range of service up to and including responding to security threats and updates, Teekema decided e-Travel would retain control of managing patches and updates to user names and passwords, as well as management of the companys 128-bit encryption software. Thats because, Teekema said, he wanted e-Travel to retain complete control of its infrastructure.
During the initial auditing process, TruSecure employees attacked the e-Travel Web site, all of the companys IP addresses and the companys network in an attempt to find weaknesses. The MSSP then moved into e-Travels data center and plugged in security scanners to see what type of damage, if any, a rogue employee or hacker could cause if they were able to get behind the companys firewall. Lastly, all security policies and procedures were analyzed to determine how e-Travel was monitoring its site, how it reacted to potential hack attempts and how it verified that no one was illegally accessing its data.
"They essentially turned the place inside out and did a full-scale analysis of our setup," Teekema said.
So far, Teekema said he has made some changes to his infrastructure as a result of the security audits. He recently implemented intrusion detection software and became more stringent with security procedures. (He declined to say if, as a result of using the service, e-Travel has reduced the number or success of attempted hacks.)
As part of the service contract, e-Travel also provides TruSecure with an image of its infrastructure, along with a complete list of its software and hardware specifications. TruSecure monitors all software patch releases and alerts Teekema when a new patch needs to be installed. If e-Travel chooses not to install a patch because of application incompatibility, for example, its IT managers are required to document the reason. Those holes are then targeted during the next security audit to ensure the missing patch does not leave e-Travel vulnerable.
The security audits have enabled e-Travel to earn TruSecures Perimeter Certification. The certification states that e-Travel has met TruSecures requirements for security and protection from external infiltration for its hosted customer information and that the company creates controls to define and enforce internal IT policies and procedures. To remain a certification holder in good standing, e-Travel undergoes the auditing process every three months.
"The nice thing about using [an MSSP] is that we have a single source for security, and that means one less thing we need to worry about," Teekema said. "We let them track the patches and look for the vulnerabilities so that we can spend more time on our customers."