As it moves deeper into network security, AT&T Corp. is preparing managed offerings that company officials hope will change the way enterprises think about and purchase security products and services.
The centerpiece of the strategy is Project Gemini, an initiative through which the company intends to augment, or entirely replace, customers' edge defenses with security services delivered over the wire.
Some 30 customers are testing Project Gemini's network-based IDS (intrusion detection system) and firewall services, and AT&T plans to add other options, including anti-spam services, in the near future. Also coming soon is an advanced security management console, dubbed Aurora, and a major professional services initiative, which will initially focus on security consulting.
Project Gemini, for which development began nearly a year ago, sprang from AT&T's belief that it could better manage customers' security by placing the defenses on the company's IP backbone network rather than simply administering security devices on the customers' premises. As a result, customers would have the choice of adding these security services to the bandwidth they purchase from AT&T.
The concept is a departure from the traditional managed security model, but, so far, AT&T officials said enterprises have been surprisingly receptive to the idea.
"We were managing edge firewalls for 2,000 customers and doing a really good job, but we looked at the whole thing and said the security should be sitting on our network," said Ed Amoroso, chief information security officer at AT&T, based in Bedminster, N.J. "It turned out to be a lot easier than we thought. It became obvious that it was easier and cheaper, and it was a trivial change for the customer."
While beneficial to users, the move is hardly altruistic. AT&T, which has endured several years of falling revenue and layoffs, is searching for ways to wring more value out of its network infrastructure.
Under the proposed model, AT&T will handle all the day-to-day operations of the security services delivered through Project Gemini, but customers still have control over the policies in the firewalls, IDSes and other defenses. And customers also can tunnel into their boxes through a VPN to make emergency changes.
"The idea of not having to set up a DMZ and monitor the perimeter is a little different, but it works for us," said one AT&T customer, who asked not to be named. "It's not a question of having less security; it's just in a different place."
In addition to the network-based services, AT&T is also working on a security event management system called Aurora that it plans to sell as a software solution. The system relies on the company's Daytona database and is designed to do more than simple event correlation and normalization. Aurora includes a console that gives administrators access to real-time alerts about attacks and vulnerability advisories, as well as live case management and descriptions of the methods and procedures AT&T analysts are using to handle the event.
AT&T has been using Aurora internally for approximately 18 months, Amoroso said, and only started selling the event management system on a limited basis recently after a customer saw the system and asked for it. The company is unsure precisely how Aurora will be packaged for sale, but it will likely include the option of having AT&T personnel at the customer site to help manage the solution.
That option is part of the company's plan to exploit its deep pool of networking talent to bring in more consulting work, officials said.
Amoroso said that he envisions AT&T developing its consulting group into something resembling IBM's Professional Services arm, which accounts for a huge amount of that company's revenue.
"We're in a perfect position to do consulting. We're not deciding to do it because we need the money. Every business we talk to is desperate for this kind of help," Amoroso said. "We're going to use security as the front door and build it out from there."
Amoroso said that the main stumbling block in getting customers to adopt the Project Gemini concept of a perimeterless network comes in dealing with the people in the IT department, not the inherent technical challenges.
"By outsourcing the DMZ to us, the same security team needs to be there at the customer site to set policy, make decisions and all of that," Amoroso said. "The social process in convincing these folks that it won't put them out of a job is key. All we're doing is outsourcing a lot of the unattractive components of running a DMZ."
Elements of AT&T's security plan for next year
- Project Gemini network-based defenses, including IDS, anti-virus, firewall and anti-spam
- Aurora security event management system
- Amped-up security consulting services