Back Office - It's a New, Dangerous World for ICPs

Managed Security a Good Option for Protection, Profitability

One danger increasingly being reported in industry and mainstream media is attacks by hackers. These hackers are intent on breaking into computer systems, usually just to see if they can and to see what's there, but sometimes maliciously or for criminal purposes.

"I think as the phone companies and local carriers are trying to get into the Internet provider business, and to a certain extent vice versa, they are facing some new challenges," says Tommy Ward, vice president of product management for the security services provider Securify Inc. (www.securify.com). "The difference between the Internet and the telephone system is blurring greatly."

Ward says ICPs will be facing the same type of security issues that Securify's customers have been facing in the Internet world, and he says that will prove a challenge to them, especially in staffing areas.

Ward explains that, according to recent surveys, there is a shortage of about 850,000 general IT workers in the United States. If IT personnel dedicated to security represent 5 percent of all IT workers--a level Ward says is needed to provide adequate security--then there is a shortfall of more than 40,000 workers.

Academia is unable to fill that gap, Ward says. For example, Purdue University (www.purdue.edu)--considered to have one of the best computer security programs in the country--only graduated five from its program last spring. Another major center for Internet security learning, George Mason University (www.gmu.edu), had 40 graduates last spring.

The military also is a source for Internet security expertise, but Ward says there is "quite a bit of difference" between the skills practiced in the military and what a lot of commercial industry needs.

"There is generally a very intense lack of expertise within most of the industry, as far as security goes," Ward says.

As a result of the staffing shortfall, such expertise is available only at a premium. Computer science or electrical engineering degree holders with either a concentration in security course work or with direct security practice are able to command salaries starting in the $80,000 to $85,000-a-year range.

CLECs will be able to supplement their staffs through training programs, but those programs take time, and in an industry where time to market is critical, "the time it takes to train internal staff probably means you're just going to wind up with too little, too late," Ward warns.

As a result, many CLECs likely are going to be forced to outsource their security needs, says Matthew Kovar, a program manager for the Yankee Group (www.yankeegroup.com).

Kovar suggests that Internet security will be an issue more for the CLECs' customers than for the CLECs themselves, with those customers expecting that their carrier will provide at least some degree of protection. That type of service will probably only be available through an outsourced provider.

Kovar says that in the last four months of 2000, Yankee Group analysts talked to about 80 players in the managed security arena. The majority of those companies were "trying to play some kind of wholesale game--going out to CLECs, going out to DSL players, going out to ... BLECs, and even to the hosting providers, to provide [them] with a managed security services offering," he notes.

Chart:Cost of Security

Security services can be a valuable revenue stream, with the CLEC able to gain a 30 percent margin off the sale of the managed security service. "And they don't have to put up any kind of work on the front end," Kovar says. "If CLECs are not providing this as part of their Internet service, they're doing themselves a disservice. And I would think that their investors and shareholders should hold them to the fire to tell them why they are not offering services that are just purely profitable."

Among the leaders in providing such services to the CLECs is DefendNet Solutions Inc. (www.defendnet.com).

"DefendNet is one of the most progressive in this area at this point, in terms of targeting the CLECs," Kovar says.

Protection From Hacker Attacks

DefendNet CEO Vin Giordano says Internet security is going to be a cornerstone of the services the next- generation CLECs will have to provide. He explains that an Internet connection means the CLEC is connecting a public network to a private network, making the CLECs and their customers vulnerable to Internet attacks.

"There's a major concern regarding security," Giordano says. "People are worried about it. It's the number-one concern when you have people getting dedicated connections to the Internet today."

Giordano says that Internet communications are going to have to be secured because there is always the possibility--or likelihood--that "somebody is on the other side of that pipe who may not have your best interests at heart."

Giordano believes the best way to provide security is through use of a firewall, which forms a boundary between the Internet and a private network.

"Through that firewall, you can run virtual private networking services, and you can run augmented technology such as virus scanning [and] content filtering. You can lock down different ports to open up or shut down," Giordano says, but he warns that a firewall is not a "set it and forget it" technology.

For it to be effective, Internet security requires 24/7 vigilance and service. That means a CLEC needs the resources to provide round-the-clock surveillance by personnel trained in the security solutions being employed and the methods hackers use to breach them. The anti-virus software also needs to be constantly updated to meet those ever-changing threats. Giordano explains that new viruses infect the Internet regularly, which means anti-virus software likewise has to be updated. If the CLECs don't update their software, their systems become vulnerable.

As an example of just how critical the need for Internet security is becoming, and how important it is becoming in the eyes of consumers, Giordano points to last year's attack on Microsoft Corp. (www.microsoft.com), which drew national and international attention after the software giant realized that hackers had had access to its code for months.

"[Consumers] are saying, 'Hey, this is bad stuff. I'm willing to pay extra money in order to get this problem solved,'" Giordano says.

However, the kind of security services carriers will need--for themselves and their customers--doesn't come cheap. According to DefendNet, a carrier wanting to start its own security-service offering would face startup costs of $1.6 million for the first year. If the carrier had projected annual revenues of $1.5 million, it would suffer a $100,000 loss. DefendNet suggests that by outsourcing such services, that same carrier would realize a profit of $450,000 in that first year.

While there is across-the-board agreement regarding the need to provide Internet security, what form it should take provides fodder for argument.

According to a National Security Agency (www.nsa.gov) paper published in 1998, "current efforts to provide security are unlikely to succeed." The reason, the paper states, is that security efforts "suffer from the flawed assumption that adequate security can be provided in applications with the existing security mechanisms of mainstream operating systems." The paper's authors suggest that security cannot be adequately provided in the application space unless there are also certain security features in the operating system.

Greg Tennant, senior vice president and general manager of the Secure Web Appliance Division of Argus Systems Group Inc. (www.argus-sytems.com), also warns that hackers don't hack the service application, "they hack the operating system to get to the application."

Tennant explains that a hacker, in looking to attack an application such as softswitch call processing software, will go into the operating system, which is typically housed on a UNIX platform. Then the hacker will try to commandeer the system through any one of myriad ways, and try to gain root privilege access to the application, where the hacker subsequently can get to other systems in that network or operating system, behind the firewall.

Because the operating system can be used to attack other systems, a security solution needs to comprise more than just a firewall, which basically provides a "fortress around your network" but also leaves some doors open to attack. Many security systems use a layered approach, which means a hacker may defeat one firewall, but a subsequent layer of firewalls will stop any further intrusion.

"A lot of times, a hacker can access an operating system in that 'DMZ' [demilitarized zone] which is the difference between that front firewall and the back-end firewall that tries to shut much more of everything," Tennant says. "That's typically how hackers can get into other networks and create problems. The issue is that, once they have access to an OS, like in the Microsoft case, they could be there for weeks or months and you may not know they are there."

That's why one of the biggest issues facing telephony is how to integrate Internet communications with the PSTN world. ILECs grow nervous about anything that could pose problems to their networks and any point where the PSTN and the Internet connect offers an avenue for intrusion by hackers.

"So when you introduce a potential back door into their network ... they get really worried," Tennant says.

However, Giordano admits that it is possible to have too much security.

"This is a very critical point," Giordano says. "The whole point of security is not to block out all traffic, [but] to allow you to do what you need to do safely, while protecting you against any potential harm." He says it's possible to lock down a network so tightly that it becomes impervious to almost any form of attack, but that would also mean that the ease of communication possible on that network could be degraded to the point that it becomes useless.

"And that's a fine line," Giordano says. "That's a line our IT professionals and security professionals pretty much have to walk every day."

Share this article: Email, Slashdot, Digg, Del.icio.us, Yahoo!MyWeb, Windows Live Favorites, Furl
Add this article feed to: RSS, My Yahoo, Newsgator, Bloglines