ISS offers security outsourcing package

Internet Security Systems Inc. recently moved into the federal market with its ePatrol managed security services, which will enable agencies to outsource security management while maintaining control of security policy.

Security vendors are starting to move beyond offering products, consulting or integration services. ISS plans to offer ePatrol on its own through Internet service providers and through other partners. The company's goal is to add network security to the list of network services that can be outsourced to industry.

The ePatrol managed security services are the result of ISS' recent acquisition of Netrex Secure Solutions and NJH Security Consulting Inc. Both companies had been offering managed security services - featuring products from many companies, including ISS - that have been rolled together into the ePatrol package.

Outsourcing is becoming more popular as companies and agencies fight over the small number of qualified information technology professionals, and security often is bundled into general network management, said David Tapper, research analyst for International Data Corp.'s network and desktop outsourcing services group.

IDC projects that the managed security services market in the United States will grow 44 percent each year over the next five years, Tapper said.

ISS realizes that offering these services is different than providing products, said Allen Vance, director of offer management for the company's eServices group. Many agencies are using ISS products and have worked with the company for several years. The needs of federal customers are not very different from those in the commercial market, he said. "They have to have the utmost confidence in the vendor...the people, the resources, the product."

Agencies may be hesitant to outsource security management, but some agencies will be interested, said Dave Jarrell, technical director for the Federal Computer Incident Response Capability.

"There are some agencies that have no problem with [outsourcing security] and do it quite frequently, and there are others that are very reluctant. It's one thing to have someone engineer a product; it's another thing to say I'm going to trust a contractor with my security."

The services under ePatrol include many that can be acquired elsewhere, including firewall management, virtual private network management and virus protection. But ISS' remote risk assessment and vulnerability scanning is what sets the company apart, analysts said.

"What is key in this announcement...is the breadth of services that ISS is offering," said Matthew Kovar, senior analyst with the Yankee Group, Boston.

Another unique service ePatrol offers is a secure World Wide Web interface that provides real-time monitoring to users and enables users to change back-end services at any time from any computer. This is a big differentiator from vendors that usually only allow users to view what is happening with their network through static reports, Kovar said. An end user with "an interface to the security management is unique in this market," Kovar said. "They're trying to position [ePatrol] and get into the business needs of the user...not just take the technical view."

ISS partners with ISPs and network management firms who resell the ePatrol services, but for the federal market, ISS may license the services to an agency that can serve other federal offices, Vance said.

This may overcome some of the reluctance on the part of agencies, but it is more of a cultural change than anything else, Jarrell said. "There's no reason to think that government is any more or less trustworthy than industry...it's just that government historically has not outsourced its IT security," he said.