Apr 23, 2007 12:00 PM,

Locked in on security

By Dan O'Shea

For the last two years, telephone companies have dropped hints that they plan to become major player in the market for managed security services for corporate enterprises. A couple of those hints were acquisitions — first, MCI's 2005 buy of NetSec, and second, BT's acquisition of Counterpane.

More on this Topic

Industry News

Blogs

Briefing Room

These deals have given enterprises an idea of how far carriers are willing to go to win the right to provide them with managed security services. They also answer a key question of how telcos with somewhat little experience in plying network security — even in their own networks — plan to build expertise within their own organizations.

“Security is getting driven into carrier organizations now. MCI's NetSec deal and BT's Counterpane deal were evidence of that,” said Cindy Bellefeuille, director of security product management for Verizon Business, the part of Verizon largely made up of assets from the telco's acquisition of MCI that closed just months after MCI's NetSec acquisition. “A lot of the methods and practices that Verizon Business uses now came out of that NetSec acquisition. There are about seventy-five people in our professional services group than came from the NetSec acquisition, and that is some hardcore security experience.”

Corporate enterprises and small and medium-sized businesses have become extremely important customer segments to telcos in recent years. Still, their past ignorance and indifference to the enterprise market leaves them with a lot of ground to make up, and managed security services in particular have been dominated in the early going by specialist service providers like CGI, Internap and MegaPath.

But telcos like Verizon Business and Qwest Communications are beginning to change the game with increasingly broad portfolios of security solutions being created by experienced security professionals in their well-staffed managed services programs. Martin Capurro, who is in charge of Qwest's managed security services, said that telcos' increased interest in providing security services directly reflects a fundamental evolution in network security threats over the last several years.

“In early days, the threats were from hackers who were motivated by fun and youth,” he said. “There was no maliciousness. Now, it's much more pervasive. There are all kinds of security threats and attacks that are driven by real dollars. Viruses keep evolving, and having simple end-point security and a firewall just isn't enough anymore.”

Danny McPherson, chief research officer for network security platform vendor Arbor Networks, said that only 50% of the virus software available on the market at any given time matches the capabilities of the most recent virus threats enterprises are experiencing. “About 99% of the time, the service provider doesn't own the end point where the attack was introduced, but it affects their infrastructure and their customers, so they have to do something,” he said.

Capurro added that telcos have a responsibility to prevent attacks and viruses from spreading. “The service provider plays a key role because once it's in your customer's network, it's too late to help them.” He said that even as security threats have matured in sophistication over the years, a whole generation has grown up understanding such threats and giving telcos a rich base of people to recruit for their service teams.

Arbor's McPherson noted that the opportunity and ability for telcos to address network security problems coincides with other market factors, such a commoditization of bandwidth, that have telcos looking for new revenues sources, as well as an abundance of other responsibilities for corporate IT departments. “It used to be that enterprises wouldn't trust telcos with this kind of stuff, but now the telcos have a foundation that enterprises can trust.”

Verizon's Bellefeuille said she's comfortable telling corporate customers that her company has up to seven years experience as a managed security service provider, long before NetSec came into the mix. Also, she said the security capabilities are not just a value-added capability that Verizon uses to help win connectivity deals. “Connectivity and security are not interdependent in any way,” she said. “We can manage security in places that we don't supply the connectivity.” However, having said that, she added that it's becoming less likely that enterprises will buy connectivity services and security services from separate sources. “It's really very natural to talk about connectivity and security in the same conversation,” she said. “The further out in the network cloud you can stop stuff from happening, the more sense it makes.”

The new foundation within telcos for providing managed security services has resulted in a rapid broadening of the service portfolios in recent months. Just last month, Verizon Business launched a new managed Web content service that's an expansion of the carrier's existing managed e-mail service. The content service allows an enterprise to have Verizon block access to specific Web sites, even on a dynamic and granular basis, such as a couple hours on a given day. The carrier also began offering network-based firewalls to keep threats from spreading beyond infected end points, and denial-of-service attack mitigation.

Now, Bellefeuille said, Verizon Business is starting to look into developing managed security services that take into account the increasing Internet usage from enterprise-owned wireless devices.

Qwest, meanwhile, launched a new series of anti-spam, anti-virus gateway solutions last December, designed to provide enterprises with better e-mail security. “Out skill sets are evolving,” said Qwest's Capurro. “I'd no longer refer to us as a carrier or a telco, but as a service provider that offers a whole lot more than we did ten years ago.”