What does an outsourcing company do when it needs to improve security and lower costs? It outsources, of course.
In 2003, Siemens Business Services found itself facing a tough challenge. As an IT outsourcing company, it had plenty of experience handling security matters, but the legwork was beginning to take more time and effort than the company wanted to exhaust on the problem.
In particular, the Norwalk, Conn., company was looking to offload some of the responsibility of constantly testing its perimeter defenses for potential vulnerabilities, a task that had become increasingly complex and challenging as its own infrastructure became more intricate and external threats were ramping up at a perilous pace.
As the issue of handling IT systems vulnerabilities shifted drastically from a maintenance job to daily warfare against external hackers, executives at the 39,000-employee company decided they needed additional help to keep up with the battle.
The crown jewel of Siemens Business Services $6.6-billion-per-year trade is the information it handles for the major companies that depend on its outsourced IT, call center and data center operations, among many other business lines—the same type of data that criminals are hunting for when they target systems and applications vulnerabilities these days.
"Unfortunately, people started attacking us on [the] applications level, and the tools we had didnt look at those at all, so we stepped back and looked at our environment and took the next step," said David Bixler, chief information security officer at Siemens Business Services. "In order to meet our commitments in protecting customers data, we needed new tools, and we only have a small security team; so we wanted something that wouldnt need significant care and feeding that could be rolled out quickly."
While the outsourcing company had been using a set of vulnerability scanning tools licensed worldwide by parent company Siemens, in 2004 it decided to look for outside help to manage its external security testing. Also tired of dealing with the seemingly constant updates needed for identifying and patching new systems vulnerabilities, the company decided to try out the outsourced SAAS (software as a service) approach offered by Qualys, of Redwood Shores, Calif.
After a six-month trial of Qualys outsourced vulnerability testing service that also involved the use of security appliances placed strategically throughout its operations, Siemens Business Services pulled the trigger and decided to stay on board with the technology, officially launching it in January 2005.
Bixler said Qualys technology won out over more traditional security-testing applications not just because it required far less interaction from his employees in the way of management—a primary benefit preached by SAAS proponents—but also because it had the best interface for identifying and managing vulnerabilities and consolidating related reports.
As expected with outsourced applications, the service was up and running quickly, taking over security testing of more than 700 servers and 2,800 PCs in less than 12 hours. Bixler said his company is still working to fix all the potential weak points Qualys hosted applications found—more than 70 problems the company hadnt known about previously.
"Were still in the process of realizing the improvements; the challenge is that you open up a much larger pool of vulnerabilities to find, and those take time to remediate," Bixler said. "Before, we thought we were essentially down to zero vulnerabilities, but now weve opened the door to all these new challenges."
As Siemens Business Services work to fend off security problems has grown, so has its business. Bixler said another benefit of Qualys SAAS model is that his team can set up the companys security appliances in any location around the world and begin using them to scan new operations far more easily than in the past, when such work would involve sending workers out into the field to manually configure new workstations.
One concern with SAAS, in particular for handling security issues, is whether it is strong enough and up and running constantly to ward off threats as effectively as traditional on-premises applications. Another concern is that the hosted tools themselves could be somehow hacked. Bixler said he harbors no such concerns because he learned while vetting the product that Qualys adheres to the same ISO security standards as Siemens Business Services.
Qualys operations have also passed muster with Siemens Business Services customers, who are more demanding than ever when auditing the outsourcing companys security posture, Bixler said. While customers used to require a meeting or two to inquire about the security of the companys operations, they now arrive armed with 500-question surveys regarding every facet of how their data will be protected.
Qualys CEO Philippe Courtot said those types of concerns over moving to hosted security applications are rapidly fading as businesses realize they can spend less time and money defending their operations using SAAS products. Businesses also are interested in offloading some of the responsibility theyve been forced to assume as government regulations demand stricter compliance from corporations in protecting customers data.
"A SAAS vendor can put more dollars than most enterprises could at providing redundancy and disaster recovery," said Courtot. "As demonstrated by Salesforce.com, SAAS inherently eliminates the complexity of deployment and maintenance and greatly simplifies integration because the data is centralized and easily accessible via XML interfaces; furthermore, SAAS has a significantly shorter development cycle, allowing easy adjustments for a rapidly changing environment."
As part of its move to Qualys, Siemens Business Services enlisted the help of systems integrator iQwest Technologies, a security specialist in Valencia, Calif. In addition to helping the outsourcing company decide which technology vendor to choose for its next vulnerability scanning system, iQwest helped with installation of Qualys appliances and Web-based management controls.
The secret to Siemens Business Services success with the technology is simply that the company delivered on its promises to provide improved vulnerability testing without the workload of management and maintenance required by on-premises applications, said Gal Shpantzer, vice president of partnerships and strategic alliances for iQwest.
Shpantzer said the ultimate test of Qualys value is that Siemens Business Services was willing to pay for the product rather than stick only to the applications it licensed freely from its parent company.
"We displaced what was essentially a free product for them with a paid product; I think that speaks for itself," said Shpantzer. "SAAS doesnt just help for fast deployment; its proven very consistent across the network, and theres no need to update the appliances. When any new vulnerabilities come out, those get updated very quickly and uniformly, and that helps greatly in a large enterprise rollout such as this."
From a consulting standpoint, an untrained observer may deduce that a SAAS product might offer fewer opportunities for an integrator to make money off clients, given its outsourced nature, but Shpantzer said customers using a SAAS product come back for new business because they are so impressed with the quality of service.
CASE FILE: Siemens Business Services, Norwalk, Conn.
_ Organizational snapshot Employs more than 39,000 people worldwide and generates $6.6 billion per year in revenue
_ Business need A cheaper, more effective method of testing IT operations for
for external vulnerabilities
_ Technology partner Qualys, provider of security applications using the SAAS delivery model
_ Recommended solution Qualys outsourced vulnerability management services to help identify potential weaknesses in IT security
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraines eWEEK Security Watch blog.