Security Advisor
To Outsource -- or Not
For some security chores, outsourcing just might be the right answer.
- By Joern Wettern
- 11/01/2006
Most of the time, it's best to closely control all aspects of your security infrastructure. Some security-related tasks, though, are better handled by external service providers -- and, yes, that means outsourcing. By identifying those tasks and finding reliable service providers, you can make your life easier, save money and end up with a more secure environment.
IT professionals get nervous whenever the term outsourcing comes up. They often feel like their livelihood is threatened. Also, network security is simply too important for most organizations to entrust to another company. These are justified concerns, and the main reasons most security service providers have difficulty securing new customers.
However, there are some security functions that can be done less expensively and more reliably by companies with specialized expertise. It doesn't always require that a company gives up control over its network security. When the outsourced tasks are the ones most administrators don't want to deal with, then even IT professionals can get excited about the prospect.
I have always been very skeptical about using outsourced services for infrastructure tasks, but while working on some projects for Microsoft that involved Exchange Hosted Services, I've become convinced that outsourced services can be a great solution in the right situation. (Full disclosure: Microsoft did compensate me for these projects, but exerted no influence on the content of this article.)
When identifying areas suitable for outsourcing, you should examine several characteristics. First, performing the tasks yourself should give you no strategic advantage over your competition. In other words, customizing how you do something doesn't make your operation more efficient. Second, when high availability is important, that service should be more reliable than an in-house solution. Once you've identified these areas, you can start comparing the cost of an in-house solution to that of an outsourced service.
Microsoft Exchange Hosted Filtering and Hosted Continuity can meet these requirements in most cases. Many companies find that these services save money, but of course only you can decide what is best for your organization. In describing these services and why I've become a fan, I'll highlight aspects that should apply to any type of hosted service you may consider.
Garbage In, Garbage Out?
Consider garbage disposal -- an ideal candidate for outsourcing. Unless you're living in a rural area, you don't dispose of your own garbage. You let a garbage hauler do it for you, usually contracted by your hometown. You and all your neighbors need the same garbage-disposal services, nobody wants to deal with it, and it can be done better and cheaper on a larger scale.
Message hygiene, which includes blocking spam and viruses in incoming e-mail, fits a similar dynamic. Any organization wants to block spam and stop all virus-laden e-mail before it reaches users' mailboxes. There are few tasks that IT administrators hate more than the constant battle with spam and viruses. Companies that offer message hygiene services also can realize the benefits of scale, because they spread the costs of computer hardware, bandwidth, software updates and manpower across all of their customers.
You can implement Exchange Hosted Filtering simply by changing your organization's DNS records so all incoming e-mail is delivered to one of Microsoft's data centers. The network currently includes 13 locations around the world, with more being added each month. At the data centers, spam and messages with viruses are deleted or placed in quarantine. What remains is delivered to your mail server. It doesn't require any changes to your e-mail operations. You continue to run your servers as you always have.
The main benefit is obvious: You no longer have to deal with the tedious task of blocking spam and viruses. There are other benefits as well.
Because Microsoft's network is highly redundant and geographically dispersed, it's virtually guaranteed that incoming e-mail arrives even when one or more servers are unavailable. After filtering mail, if Microsoft can't deliver it to your mail servers, it will let you know and continue trying for several days. This means that even if your mail server is down for maintenance or because of a failure, you won't lose any incoming e-mail.
Unwanted e-mail is never sent to your mail server, so spam doesn't waste any of your bandwidth. On average, Microsoft's customers experience a 70 percent reduction in the bandwidth required for incoming e-mail. This bandwidth savings becomes even more important during a drastic increase in incoming spam. Seeing such spikes a few times a year is not unusual. Using a hosted solution, the e-mail traffic across the local loop between you and your ISP remains constant, no matter how much the volume of spam increases.
Finally, Exchange Hosted Filtering can achieve higher detection rates because Microsoft can benefit from economies of scale and allocate more resources to virus updates and spam filtering technologies than most companies would be able to on their own. You can see exactly how it's working by generating reports to find out how much spam and what type of spam was blocked (see Figure 1, below).
[Click on image for larger view.] |
Figure 1. Spam
reports let you know how much spam has been blocked and help gauge the effectiveness
of your anti-spam service. |
Is It for Your Company?
Using a hosted service for e-mail hygiene makes sense because a company doesn't
gain any competitive advantage, even if they perform this task flawlessly or
differently that their competitors. Also, it can be done more efficiently at
a larger scale. When there are specific filtering requirements for a given organization,
Microsoft and other message hygiene providers can help you fine-tune the rules
accordingly.
It's difficult to predict whether Exchange Hosted Filtering or another service will be more reliable than an in-house solution, but there is an important distinction. If you perform the task yourself, downtime is unpredictable and can be costly. Service providers normally offer a service-level agreement (SLA) that guarantees specific performance and availability levels. If those levels aren't met, the service provider pays because SLAs normally include penalties if promised targets are missed.
Ultimately, only you can decide whether an outsourced solution makes sense
for your company.
About the Author
Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping
companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.