"Symantec Hosted Services uses the power of cloud computing to secure and manage information stored on endpoints and exchanged through email, Web, and IM interactions. Our hosted security services help protect against viruses, spam, spyware, phishing, DDOS attacks, directory harvest attacks, data leaks, and other organization-damaging threats." Source: Symantec
Selecting Your Hosted Security Service Provider: What Every IT Manager Needs to Know
This buyer's guide was developed for IT managers in growing companies, particularly in midmarket firms that require a suite of security services. Hosted security services are an effective and cost-efficient solution for SMB IT managers, especially where IT budgets are already stretched. These services provide reliable and comprehensive security coverage for your company's email, Web and instant messaging (IM), without requiring extensive expertise or equipment in-house.
Do-it-yourself (DIY) security is often daunting and expensive. It entails significant time, effort and expertise to maintain strong security as well as comply with rules and regulations governing information access and disclosure. In a tight economy where companies focus their efforts on high-priority, high-value functions, outsourcing security for email, Web and IM access makes good sense. Most studies show that while subscription costs for hosted security solutions comprise a substantial portion of the costs involved (50% and higher), the Total Cost of Ownership (TCO) for hosted security is usually much less (30% or greater) than the costs of DIY solutions.
In addition to its strength as a cost-effective solution, hosted security offers a broad spectrum of security services unmatched by on-premise alternatives. Pre-screening and filtering email, Web and IM traffic produces substantial network bandwidth savings while fending off attacks and protecting vital network infrastructure and information assets. Hosted security also eliminates hardware and software selection. Installation and maintenance are handed off to a service provider, reducing the need for specialized in-house staff and skills. In exchange, customers get consistent, predictable monthly operational expenses.
Although IT and security managers welcome this host of benefits, they face increasing demands to deliver more with fewer resources. Selecting the right service provider can therefore be challenging: competition ranges from Internet service providers (ISPs) to independent security service providers to DIY out-of-box solutions. What are the important security considerations, and how does IT compare hosted service providers based on these considerations?
Key Questions: Selecting the Right Hosted Security Provider
Selecting a hosted security provider is a serious and non-trivial matter. The process should be comprehensive, covering not only the most important security considerations but also the attributes providers need to deliver on them: support and guarantee of offerings, knowledge and infrastructure to back up their services, service level agreements, false positive record, technical depth, references and more.
What Are the Most Important Security Considerations?
Arguably, any security consideration that negatively impacts the flow of business or a company's reputation is important, but some security considerations loom larger than others. The following items stand at the top of any list of important security considerations:
Small businesses of 50 to 100 employees may have only one full-time person—typically an IT generalist—to support a complex array of IT resources and users. In medium businesses (100 to 999 employees), IT staffing grows, averaging about one full-time IT person for every 100 employees.
Source: "The Compelling TCO Case for Cloud Computing in SMB and Mid-Market," Hurwitz & Associates, 2009
Given the number and complexity of security threats, it's essential that a hosted security vendor recognize and handle known threats, and provide reasonable heuristics, protection and monitoring to deal with new and unknown ones. Protection depends on distinguishing permissible from impermissible, and allowing legitimate communications to pass to users quickly while blocking malicious or harmful communications.
In the security world, a false positive represents a non-threatening content element (email message, Web page or link) that is labeled incorrectly as "unwanted" or "malicious." A false positive can impede communications or prevent users from accessing legitimate information needed to perform their jobs. The best hosted service providers use global content analysis, user reporting and trend information to correct false positives in minutes.
As the Internet never sleeps, it is imperative that a hosted security vendor be able to provide 24/7/365 technical support. Most companies are already stretched to provide this level of support internally. And since problems can be quite company-specific, this support should be personalized and live rather than a FAQ or email.
Technical depth and research:
A security provider's research and technical staff, facilities and procedures should be first-rate. If not, they may be unable to provide the necessary protection companies depend upon. Look for organizations with three or more levels of technical escalation, with dedicated teams for threat analysis and countermeasures on duty 24/7/365.
Depth of threat analysis:
Because of spam, poisoned Web links and other threats, it's no longer sufficient to simply analyze threats that present themselves directly within individual emails, Web pages, instant messages and online feeds. Security solutions should follow up on embedded links, and examine attachments or links to files and downloads, before those threats make their way into end-user in-boxes, address books and file systems. The best hosted security providers will explain how they follow links and file references to recognize and block malicious content, attacks and other bad behavior online.
For security practitioners, external validation comes from important databases and information sources maintained by neutral third parties. Examples include MITRE's Common Vulnerabilities and Exploits (CVE) or the CERT and OCTAVE tools from the Software Engineering Institute at Carnegie Mellon University. The best hosted security providers monitor and update these databases regularly.
What Technical Criteria Are Most Important for Evaluating a Hosted Security Provider?
A wealth of technical criteria applies to the services that hosted security providers offer and to the work they perform on their customers' behalf. The following are important technical criteria prospective buyers should consider:
Because hosted security providers support multiple customers, their ability to handle increased demand for services often exceeds what companies can deliver on their own. Find out how much and how quickly a provider can scale up service delivery. This is where the number of current customers and users, the number of data centers and the provider's ability to expand and grow to meet your company's needs are important.
Business continuity (BC)/disaster recovery (DR):
A hosted security provider must be proactive in dealing with disaster, outage and connectivity issues. To ensure the availability and security of your firm's email, Web and IM applications, you should examine a prospective provider's BC/DR plans for the case where one or more of their data centers go offline. The best providers operate redundant data centers with fail-safes, so that if one data center goes offline, another steps up to take its place, ensuring continuity in your business communications.
Patents/intellectual property (IP):
Find out if the provider has patents or proprietary technology to support its security services and capabilities. The top providers will gladly discuss their IP holdings and explain the business value those holdings deliver.
Ease of management and use:
As a key component of your company's network infrastructure, a hosted security service should be easy for in-house IT staff to monitor and manage. Look for a provider that offers dashboards and integrated management tools to create custom reports on and control security environments, with minimal impact on the end user experience.
Conducting day-to-day business:
The best hosted security providers strive to be easy to work with and to earn and retain their customers' trust. They generally offer proactive training and support to help customers make the most of their business partnership.
How Do You Compare Hosted Security Providers to Deliver on These Security Considerations?
Reputable hosted security providers offer detailed, relevant information about their services. Buyers should read this information closely, and then turn to third parties and independent reviews to compare a vendor's information against the overall industry. Analyst firms, such as the Gartner Group, maintain profiles and ratings or rankings of hosted security providers, and provide detailed reports for a fee.
The following "short list" of important evaluation points should help buyers to compare prospective providers:
Service level agreement (SLA) details:
At a minimum, obtain information regarding availability and security coverage levels or guarantees, along with response times and compensation in the event of service downtime or failure. For example, what are the company's statistics on availability and uptime? Ideally, you'll see SLA values like 99.XX% email uptime. How many data centers does the provider maintain? Redundant data centers offer failover to ensure uptime, and additional capacity upon demand.
Ensure any preferred hosted security provider offers 24/7/365 support. Also, elicit a provider's usual response times when detecting and responding to new threats, and in providing warnings and workarounds in the interval between initial detection and published response.
The top hosted security providers will have, at a minimum, over a decade of experience. They will gladly discuss their security research and development centers, patents and proprietary technologies, and the heuristics and algorithms they use for threat detection, filtering and screening. Ask about published papers, conferences attended and staff skills, company awards and certifications.
Minimal customer turnover is an indication of a well-run hosted security provider. Inquire about the average age of customer accounts, growth rates and customer retention history.
Numerous major technology corporations have security divisions, but only a few practice security as their primary business. The best hosted security providers focus entirely on security technologies and incident handling as their core business. Find out how security efforts are undertaken, funded and supported at the highest levels of the provider's organization. Also inquire about security audits and compliance regimes, including ISO 27001/27002, ISO 17799 and the American Institute of Certified Public Accountants (AICPA) SAS 70 Type II audits.
Learning about claimed capabilities from the provider is good, but hearing a customer confirm such claims is even better. Ask prospective providers for a list of reference accounts, then ask the references the same questions you ask the provider and cross-check the results. Customers may be more willing to talk about glitches, and how well or quickly the provider responds to critical threats, availability issues and other serious situations.
Armed with answers to these questions, you can more easily separate truly capable and competent hosted security providers from those that fail to meet expectations or requirements. Although you may hand off security services to a third party, that doesn't absolve you of liability or responsibility. It's imperative to choose a provider that meets the highest standards and delivers the best services.
How Can You Make a Business Case for Hosted Security?
Once a company examines the economics and capabilities of hosted security providers, the next step is to use that information to make a business case for hosted security. Thoroughly address the following items to maximize the odds of making a successful case:
Complete cost information:
Evaluate security alternatives by comparing costs and requirements for each one. This is often an eye-opening exercise for companies that handle their own security in-house. You should capture the magnitude of the costs involved, both hard and soft, as well as the necessary staffing requirements. A useful comparison takes a time window—usually based on the lifecycle for retaining computing equipment (generally 30 to 60 months)—and compares costs from a holistic point of view.
Work breakdowns, including costs and savings over time:
While comparing multiple alternatives, you should detail the effort and expense involved in converting from one to another. This includes up-front costs, along with reductions in expenditures over time for equipment, software, staff and overhead. The up-front costs of changing security regimes will be softened over time because of the lower recurring costs for hosted security services. When considering a hosted security provider, remember that it's not just a matter of overall cost savings and cost effectiveness; it's also a matter of the predictability of costs over time.
Risk analyses, and "before" and "after" scenarios:
Other important aspects of switching from in-house to hosted security services come from risks and potential losses or liabilities involved. With a hosted service, the customer delegates those risks and losses to the service provider as part of the contract, and can hold the provider to service level agreements. The "after" is often more appealing than the "before," including lower costs for insurance and mitigation.
When switching from on-site equipment and software to the provider's, companies invariably free up security appliances, servers and networking equipment. These companies may even reduce overall bandwidth requirements. An implementation plan to switch to hosted services should address re-use or proper disposal of local computing assets that will no longer be involved in a security role.
Calculate the TCO/ROI, compare them to corporate guidelines, describe savings and value:
For executives, the truth comes from metrics that detail the financial impact of any change in approach or implementation, including security. Calculate the TCO for hosted security services and determine the return on investment (ROI), ensuring these numbers meet or exceed existing guidelines that govern such change. Often the most compelling aspect of a business case for hosted security services comes when IT explains that it can save significant annual budget, swap capital investments and depreciation for operating expenses, add capacity and capability on demand and even redeploy or reduce the headcount required to deliver industry-leading safety and security.
Are Objective Third-Party Analyses of Hosted Security Providers Available?
When searching for external provider information, one important resource is the Magic Quadrant from Gartner Inc., a proprietary research tool that offers a qualitative analysis of various markets and their direction, including maturity and participants. Reference accounts can be very helpful, if you take the time to speak with them, and to conduct a thorough survey of their needs and experiences with a provider. Also, don't overlook published case studies or provider comparisons, many of which you can find by searching the Internet. Likewise, industry awards for hosted security services and their providers can be helpful as well.
Overall, hosted security services provide savings and improved protection on many fronts, and make good economic and technical sense for most businesses. At Symantec Hosted Services – MessageLabs, our hosted security solution is second to none when it comes to accuracy, support, technical depth and research, depth of threat analysis as well as broad external validation. We welcome the opportunity to be the first vendor you examine in addressing the criteria detailed in this report. Contact us today via telephone or through the web and we can assist you in moving your project forward!
US & Canada: 800 460-0000
About Symantec Hosted Services - MessageLabs
Symantec Hosted Services is the world's leading provider of hosted services for securing and managing email, Web, and IM traffic (or communications). Over 21,000 organizations and over 9 million end users in 99 countries employ Symantec Hosted Services to protect against viruses, spam, phishing, inappropriate Internet use, spyware and other organization-damaging threats.
Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available at http://www.symantec.com/.