Can MSSPs help you stay legal?

With an alphabet soup of new laws and regulations flowing out of some state capitals as well as Washington, D.C., organizations face more hassles as they strive to ensure they are in compliance (and can prove it).

Organizations that decided Managed Security Service Providers (MSSPs) are a better buy than in-house developments are looking to those MSSPs to cure the compliance headache.

Eric Cook, COO of Marshall Savings Bank in Marshall, Michigan, did not hesitate to hand the compliance requirements under the Gramm-Leach-Bliley Act (GLBA) to the bank's MSSP, SecurePipe. "I have a provider that understands the building of a network security system around the areas that the government is concerned with. I know that GLBA will be taken care of if I follow SecurePipe's best practices and do what they tell me," he says.

Cook expects that to translate into shorter examination time, since he believes other small banks will also use SecurePipe, which is recommended by the trade group America's Community Bankers. Examiners will then see the same compliance standards in many places, and Cook believes that will speed up the process.

SecurePipe recently signed an agreement with META Security Group to sell the latter's Regulatory Compliance Assessment capabilities alongside its own managed security services. The META capabilities are aimed at businesses needing GLBA compliance and those affected by the Health Insurance Portability and Accountability Act (HIPAA), as well as those complying with industry standards like ISO17799.

Patrick McBride, META's co-founder and CTO, believes compliance concerns are driving small banks to MSSPs. Previously, they were not as concerned about security. "Basically, they had done the minimum. They had passed the 'village idiot's test' by having a firewall and virus protection," he says.

Part of the appeal of version 5.0 of Command Center, META's policy management product, is that because it is a web-hosted application, there is no hardware or software to purchase or install and no maintenance concerns for the customer's staff.

In addition to this product's launch in January, META has made a deal with LURHQ similar to its deal with SecurePipe. That leaves LURHQ free to concentrate on enterprise-size clients (more than 400 use its full package of services).

For bigger companies, compliance is just one piece of a complex puzzle. Jerry Garland, CSO at Magellan Health Services, a specialist in managed behavioral health and employee assistance programs, says LURHQ helps the company address its regulatory compliance responsibilities from both a HIPAA and a Sarbanes-Oxley perspective.

"The HIPAA security rule is based on best practices and principles and its goal is to have a well-rounded security environment. From that standpoint, intrusion detection is an integral part of our overall protection plan. Whether or not we do it in-house or outsource it makes little difference. It's something we have to do if we're going to have an effective program. The main benefit we derive from LURHQ is that it is a trusted partner and it saves us money over what we would have to spend to create the same service level."

Magellan, with 4,600 employees, several service centers across the U.S., and the largest data warehouse of behavioral health care information in the country, initially chose LURHQ to provide 24/7 monitoring because it did not have to hire additional staff or create an expensive security operations center.

Magellan is typical of most of LURHQ's large clients in having a strong grip on its security requirements. At the enterprise level, says Tony Prince, the founder and chief executive of LURHQ, it is only the manufacturing sector that is using the compliance factor as a driver for bolstering its security systems. Like all public companies, manufacturers have to comply with Sarbanes-Oxley and that is making them ponder other security services.

"Manufacturers have traditionally been technology laggards and their security programs are not as mature as some of the others. Sarbanes-Oxley is definitely acting as a catalyst," he says.

The very nature of Sarbanes-Oxley, HIPAA and GLBA has Michael Rasmussen, principal analyst at Forrester Research, wondering whether MSSPs are suitably equipped to provide compliance services.

"If you are talking about HIPAA or GLBA or Sarbanes-Oxley, a lot of times it necessitates the protection of internal systems," he says. "But most MSSP deployments are very much perimeter focused – perimeter vulnerability scanning, perimeter intruder detection and perimeter firewalls. So they are not very well suited to be able to provide managed services at the core of the network where a lot of these regulations impact the organization."

Because they do not have the systems to handle the terabytes of information produced from monitoring internal systems, Rasmussen doubts whether MSSPs have many clients for their compliance services. "A lot of organizations out there message that they can handle not only the perimeter, but also the internal network," he says. "But they have very few clients they are actually doing that for – if any."

Kelly Kavanagh, a senior analyst in Gartner Research, has a more upbeat view of the current circumstances. "We are seeing some push to MSSPs based on compliance issues. Frankly, I think we will see more of that over the next couple of years. I have to say it is still not the major driver," he says.

According to Gartner, the global managed security services marketplace was worth almost $2 billion last year, and it will grow at a rate of 20 percent over the next couple of years (perhaps 30 percent in Asia Pacific).

Gartner's research shows that in the U.S., there is a flood of interest in compliance solutions in the federal government as various agencies and departments work to comply with the Federal Information Security Management Act (FISMA). FISMA compels agencies not only to ensure that their systems are secure, but also to document it with annual tests and extensive reports.

"We are getting a fair amount of feedback that agencies that are concerned about implementing physical requirements are turning to outsourcers," says Kavanagh.

In agreement is Ken Ammon, co-founder and president of NetSec, whose clients include nine of the 15 major departments in the executive and legislative branches of the U.S. government.

Traditionally, NetSec in particular, and MSSPs in general, have operated at a technical level within the federal government, taking responsibility for managing and monitoring the complex security systems that protect agency data.

That all changes with FISMA. "What they are asking for is performance accountability and cost," says Ammon. "Now the mission is to take that technical solution and convey the performance of that system to both cost accountability and reporting requirements that are less technically-based and more management-based."

In April, NetSec launched its FISMA Enterprise Tracking and Reporting service (FISMA ETR), which makes information managed by other NetSec services available for reporting. FISMA ETR automates two important requirements under the law. The first is tracking progress in certifying and accrediting systems. The second is reporting on plans of action and milestones for correcting security weaknesses identified under the Office of Management and Budget's guidelines.

Within government, NetSec saw redundant solutions being developed by agencies and it realized it could leverage its managed services platform to deliver a cost-efficient, rapid-implementation answer to the problem.

FISMA is stimulating a lot of action from agencies and departments that previously had done little about information security. "Organizations that haven't even got their technical house in order are really in a hole because they also now have to get to the management reporting stage as well," says Ammon.

"They need to get the system up and running quickly and then report. So it makes a lot more sense to go to a MSSP, which can provide a packaged service that will accomplish those goals."

According to MSSP RedSiren, providing customers with the technical tools to be in compliance is all well and good, but they need more. They require serious hand-holding, and that is why the company recently launched its Trusted Advisor Program. It is a consulting service that works with customers on a quarterly basis to develop initiatives to bridge compliance gaps. Customers also receive monthly training sessions on new technologies and new legislative requirements.

"We believe that what is happening in the MSSP space is that customers are beginning to trust their providers and they are moving from a provider status with the organization to becoming a trusted partner," says Nick Brigman, RedSiren's vice-president of product strategy. Customers are telling RedSiren that they are thinking of rolling out an application and asking what issues they should be aware of, he says.

The program augments RedSiren's existing GLBA, HIPAA and ISO17799 compliance benchmarks. RedSiren is also working with the energy industry to develop a compliance benchmark for the North American Electric Reliability Council (NERC) "Urgent Action Standard 1200." The standard requires the industry to implement a wide range of security measures with, of course, compliance reporting requirements.

The Trusted Advisor Program is not yet contributing big dollars to RedSiren's bottom line, but Brigman says the strong interest from customers led the company to formalize the consulting approach. He believes that more and more government regulations regarding security are on the way, which is good news for MSSPs.

As Marshall Savings Bank's Cook says: "I want to be a banker. I don't want to be a network security guy. I want to concentrate on putting the right products in front of my customers at the right time, making good money for my shareholders and serving the community. I don't want to have to worry about anything stopping me from doing that from a network perspective."
