Managed Security Services: Buy Or Build?

Managed services in the channel took on a life of their own in 2006. Resellers and service providers, recognizing the need among SMBs, demanded changes in vendor pricing and services so they could build or sell vendor-managed services.

Given its placement at the top of end users' priority lists, security is one of the hottest opportunities in the services market. The grand potential for VARs, of course, is the SMB space, where companies typically don't have the internal resources to effectively and cost-efficiently secure their networks.

But there's confusion in the market around the pricing of services for companies that can't afford to pay for comprehensive, 24/7 coverage.

"All along, our bread and butter has been in the enterprise," says Fergal Lyons, senior product manager for Symantec Security Information Manager (SIM). "The smaller organizations, and the VARs supporting them, are not going to spend a couple-hundred grand for enterprise-level managed services."

Who Should Deliver Services?
Even as vendors struggle with the price and availability of security information management (SIM), the chasm is growing between managed-security purists and the new, evolving managed security that's being redefined by smaller market forces.

To managed-security purists like Adam Gray, CTO of Novacoast, a Santa Barbara, Calif.-based VAR that sells Symantec security services to SMBs, solution providers have no business taking on the liability and responsibility without extensive resources like those of BT Counterpane or IBM's Internet Security Systems.

"It's a substantial amount of risk and capital to get started in managed security services (MSS)," Gray says. "We turn even our small organizations to our MSS vendor, Symantec. It's not cheap, but to do it properly, you have to invest that kind of money."

Even as companies like Symantec struggle to make their pricing models affordable to smaller businesses, VARs are moving ahead into this space as trusted advisers to their clients. They're doing that by selecting a SIM platform that's complementary to their existing lines of business. In the best cases, they're adding security to their existing IT management services.

According to the VARBusiness State of Technology survey on security, solution providers are equally split between selling services provided through their vendors and delivering security services themselves. Nearly 51 percent of the responding solution providers plan to build their own security-services portfolios this year, while some 60 percent plan to resell vendor services and take a profit. (The 10 percent overlap represents a buy-and-build combination.)

"Anybody could put their hat in the ring and say they're a [managed security services provider]," Gray says. "But until you have an issue or assessment or event that requires response, you really don't know what it is you're paying for."

NEXT: Small is big for services

The key is in what capacity managed services can effectively swing to service smaller markets. At the high end, the premium model means real-time monitoring of security information coming off all of a customer's readable devices and network traffic. At the low end--the sub-100-seat market--there's some remote management of security devices and after-the-fact reading of logs, combined with manual services at the client site.

Vertical IT Solutions, an IT outsourcer in Tampa, Fla., and a SonicWall partner, manages its customers (mostly at the low end) with SonicWall's gateway antivirus, antispyware and intrusion prevention. The rest, such as firmware patches and log reviews, is done on the client site during regularly scheduled visits and installations.

"Our clients want to see us on-site to do deployments and scheduled visits, so we've wrapped security into that process," says Tim Coker, Vertical IT's consulting practice leader. "This has been enough for these customers to date. And even if our customers were demanding real-time monitoring, how would you manage a 24/7 operation?"

Gray, whose clients range in the 500-to-3,000-user range, refers to this type of security service as "pager management," meaning there's no person behind the scenes for real-time response as an event unfolds. He says the level of security in these situations is limited and that even his own company, which is well-protected, responds quite frequently to events behind the firewall.

The Vast Middle Ground
It helps that Innovative Computer Solutions (ICS), whose clients range from 150 to 500 nodes, is already in the business of remote network and systems management, a trend that's on the rise. ICS was already doing perimeter security, so threat management and mitigation services were the logical next step.

But to do this, the VAR, like all of those entering the space, needed to find an affordable platform, which turned out to be Fortinet's unified threat-management appliances. In June, ICS began offering MSS and, by year's end, added 20 MSS customers, with managed-security services accounting for 30 percent of its business. "Customers need to maximize the availability and performance of their IT with minimal resources," says Jim Bakic, director of sales at ICS, Milwaukee.

ICS also does comprehensive e-mail security (scrubbing, spam filtering), content-filtering and Web-monitoring through a single Fortinet interface. "The Fortinet program is solid. Their margins are good [30 percent to 60 percent], and it's easy to manage without a lot of overhead," Bakic says.

Another way VARs are getting similar margins is through third-party managed-services-enablement vendors such as Level Platforms, MXLogix, N-able Technologies and SilverBack Technologies. They provide middleware to centrally manage a variety of network systems and devices from one operations management GUI.

Advantage Micro Systems (AMS), a 10-employee IT services VAR in San Francisco, has tested most of these products, he says. And only one, Level Platforms, gives him the margins and management functionality he feels confident with. Another vendor in this space, he says, demanded more than a $100,000 up front with no way to recover that money when the product didn't deliver on its promise.

Level Platforms' entry point comes to about $40 per client, per month, with no up-front costs, says Peter Sandiford, Level Platforms' CEO and president.

AMS uses SonicWall's integrated devices and global-management system for real-time IDS, integrated antivirus, spyware and VPN management, says AMS' president Steve Hart. AMS also uses AppRiver for e-mail filtering.

"A typical small business will have security information provided by a router, IDS appliance, firewall, Microsoft Base Security Analyzer, log events and all these security products including antivirus and special appliances for antispam and antiphishing such as DoubleCheck," Sandiford says. "Level Platforms has templates for all of these, so now if there's a special volume of e-mail or outbound traffic coming from an internal PC, Level Platforms sends an alert to the service provider's dashboard."

What sold Hart on Level Platforms, he continues, was the product's comprehensiveness, combined with development services (including a live and available product manager) and no up-front costs. With a previous vendor in this space, he adds, the up-front costs were in the hundreds of thousands and not recoverable if he dumped the product for not performing as promised.

NEXT: Navigating a nascent market

These third-party information-management interfaces, say Hart and others, are a new and emerging technology in and of themselves. "I'm not sure if these [middleware management] companies are even going to be around in the long run," Hart adds.

Hart and others contend that solution providers diving into MSS need to step up to the plate and outlay huge capital investments to build their security operation centers, 24/7 staff and infrastructure needed to fully support their SMB clients. Otherwise, they need to bite the financial bullet and resell vendor-managed services like those offered by Symantec, he says.

VARs serving SMB markets, on the other hand, reiterate that this isn't practical. Any level of management, they say, is better than leaving SMBs completely to their own devices, particularly when they have no IT staff to manage their own security.

And many solution providers--particularly smaller VARs--are finding that they can build effective and efficient security services without tremendous capital outlays. The old model of security services was to build infrastructure with excess, nonrevenue-producing capacity to meet the needs of enterprise customers. Today, smaller solution providers, which typically serve small and midsize organizations, say they can build just enough capacity and capability, which contains their conversion costs. If they need more capacity--technical and human support--they simply build out the infrastructure to the next level of service.

These market forces, say Sandiford and VARs working in this space, will continue to push security resellers and, in particular, managed-services VARs, to deliver MSS however they can without too much upfront investment and overhead.