WP130181 8/13


IMPROVING ENTERPRISE SECURITY BY RELOCATING INTO THE CARRIER’S NETWORK

INTRODUCTION

As the Internet threat landscape continues to evolve, so too must security technologies. Yet, the practice of stacking an increasing number of independent security technology “boxes” can contribute to several undesirable outcomes, notably: operational complexity, sub-optimized security expenditures, and inefficiencies in risk management. Overcoming these outcomes is the aim of all-in-one security. This approach consolidates multiple essential security technologies onto a single appliance, with control of all technologies through a single management interface—a single pane of glass.

Representative of the customer value of all-in-one security has been the market demand for Unified Threat Management (UTM) appliances. Industry research firm Frost & Sullivan estimated that the number of UTM appliances sold in 2008 worldwide was 786,000.[1] For 2012—four years later—Frost & Sullivan estimated the annual sales rate of UTM appliances increased by more than 50 percent, to 1.2 million. This growth is projected to continue, with 2 million UTM appliances to be sold in 2016.

Contributing to the market demand in UTM has been the improvement in security efficacy it offers by synergistically integrating previously separate security technologies. An example of this is what is now referred to as next-generation firewalls (NGFW). NGFWs integrate the capabilities of firewalls and intrusion detection and prevention systems (IDS/IPS) to support more granular and context-aware defenses. UTMs are the precursor to NGFWs, as firewall and IDS/IPS have been working together as part of UTMs since UTMs were first introduced. Plus, UTMs include several other security technologies.

Another noteworthy aspect of all-in-one security is location. In this regard, UTM appliances are no longer exclusively deployed at the perimeter of a business’s local area network (LAN) or in front of a private data center—that is, customer premises equipment (CPE). All-in-one security is also available as a bundle of security services delivered from a shared, multi-tenant platform hosted in a carrier’s or Internet Service Provider’s (ISP) network. This network-based location and use of multi-tenant platforms follows the same evolutionary trend in firewalls, intrusion detection and prevention systems, Web content filtering, and anti-malware. At one time, each of these security technologies was exclusively deployed as a CPE appliance. Now, each of these security technologies can be subscribed to as a security service delivered from a shared, network-based platform. This service delivery approach is frequently referred to as “Security as a Service.” As shown in the figure below, the all-in-one approach advances this concept by relocating security from site-dedicated, CPE-based appliances to security services offered from within the carrier’s network (i.e., network-based) to network-connected sites of small and midsized businesses (SMBs), as well as the geographically dispersed sites of large enterprises.

[1] Frost & Sullivan, Analysis of the Global Unified Threat Management (UTM) Market – Enterprise Features and Product Value Propel Market Growth (November 2012).

[Figure: Relocation of Site-dedicated, CPE-based Appliances to Network-based Security Services. Source: Frost & Sullivan]

In this white paper, we take a closer look at all-in-one security, its benefits when subscribed to as network-based managed services, and service attributes that you, in your dual roles of business leader and manager of security risk, should consider.

ALL-IN-ONE SECURITY ESSENTIALS

There is no “silver bullet” in Internet security. The threats are too diverse for any one technology to be effective against all. Additionally, the risk of using the Internet is not exclusively from external attacks and ploys. End users, even the most security-conscious, can inadvertently or, in a lapse of good judgment, initiate activities that are risky (e.g., in the heat of multi-tasking, selecting and sending a document with sensitive or non-public information to an unauthorized recipient, or by clicking on a Web link of questionable authenticity or purpose). For these reasons, the majority of businesses rely on a combination of security technologies to narrow their risks, while still allowing legitimate business use of the Internet to continue.

This multi-layered approach is also aligned with the widely accepted defense-in-depth concept. In this concept, security “fences” of different types are erected to mitigate risk. In practice, if one fence is penetrated by an attacker, there are other fences to penetrate, with each requiring different attacker skills. While eliminating all potential of a successful attack through a sequence of fences cannot be guaranteed, the probability of a successful attack is materially reduced with multiple fences.

Another noteworthy perspective is that a multi-layered approach increases attackers’ costs, thereby reducing their incentive to continue with an attack. The more sophisticated the attack sequence must be, or the longer it takes to be successful, the greater the likelihood that attackers will forgo a multi-layer protected business, and pursue other targets that are less fortified. Also, the multi-layered approach creates several sensor points to detect attacker activities from which countermeasures can be implemented. For example, when a threat is detected through an intrusion detection system (IDS), a reputation tag is associated with the intruder (e.g., identified as an IP address). Once tagged, that same IP address can be systematically blocked from future communications with a firewall policy.
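The IDS-to-firewall hand-off described above (an alert tags a source IP with a reputation, and the firewall policy then blocks that source) is easy to show end to end in code. The block below is an added example written for this page; it is not code from the white paper, from CenturyLink, or from any IDS or firewall product. The alert line format, the severity weights, the blocking threshold of 3 and the 24-hour expiry are all assumptions chosen for the example, and the alert lines themselves are constructed sample data.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

# Constructed sample IDS alert lines. The key=value layout is a hypothetical
# format for this example, not the output of any particular IDS product.
SAMPLE_IDS_ALERTS = """\
2013-08-01T10:15:02Z sig=port-scan sev=low src=203.0.113.45 dst=198.51.100.10
2013-08-01T10:15:09Z sig=port-scan sev=low src=203.0.113.45 dst=198.51.100.11
2013-08-01T10:16:30Z sig=exploit-attempt sev=high src=203.0.113.77 dst=198.51.100.10
2013-08-01T10:17:00Z sig=ssh-bruteforce sev=medium src=192.0.2.8 dst=198.51.100.22
this line is not an alert and is skipped by the parser
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) sig=(?P<sig>\S+) sev=(?P<sev>low|medium|high) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 4}   # assumed weights
BLOCK_THRESHOLD = 3                   # score at which a source is tagged hostile (assumed)
BLOCK_DURATION = timedelta(hours=24)  # how long the tag drives a firewall deny (assumed)


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, TS_FMT).replace(tzinfo=timezone.utc)


@dataclass
class Reputation:
    """Reputation tag accumulated for one source IP from IDS alerts."""
    score: int = 0
    last_seen: datetime = datetime.min.replace(tzinfo=timezone.utc)
    signatures: List[str] = field(default_factory=list)


def parse_alerts(text: str) -> Dict[str, Reputation]:
    """Fold IDS alert lines into a per-source reputation table."""
    reps: Dict[str, Reputation] = {}
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # not an alert line; ignore rather than crash on it
        rep = reps.setdefault(m["src"], Reputation())
        rep.score += SEVERITY_WEIGHT[m["sev"]]
        rep.last_seen = max(rep.last_seen, parse_ts(m["ts"]))
        if m["sig"] not in rep.signatures:
            rep.signatures.append(m["sig"])
    return reps


def tagged_hostile(reps: Dict[str, Reputation]) -> Set[str]:
    """Sources whose accumulated score has crossed the blocking threshold."""
    return {ip for ip, r in reps.items() if r.score >= BLOCK_THRESHOLD}


def firewall_rules(reps: Dict[str, Reputation]) -> List[str]:
    """Render the tagged sources as time-limited firewall deny rules."""
    rules = []
    for ip in sorted(tagged_hostile(reps)):
        rep = reps[ip]
        until = (rep.last_seen + BLOCK_DURATION).strftime(TS_FMT)
        rules.append(f"deny src={ip} until={until} reason={','.join(rep.signatures)}")
    return rules


def decision(reps: Dict[str, Reputation], src_ip: str, now_iso: str) -> str:
    """Firewall verdict for a new connection from src_ip at time now_iso."""
    rep = reps.get(src_ip)
    if rep is None or rep.score < BLOCK_THRESHOLD:
        return "allow"
    if parse_ts(now_iso) > rep.last_seen + BLOCK_DURATION:
        return "allow"  # tag has aged out; the source is no longer blocked
    return "block"


if __name__ == "__main__":
    table = parse_alerts(SAMPLE_IDS_ALERTS)
    for rule in firewall_rules(table):
        print(rule)
    print(decision(table, "203.0.113.77", "2013-08-01T12:00:00Z"))
```

Two design choices matter here. The score threshold means a single low-severity scan does not earn a block on its own (203.0.113.45 and 192.0.2.8 stay at "allow"), which keeps a noisy sensor from turning the firewall into a self-inflicted denial of service; and the expiry on each tag means the block list does not grow without bound and a source that has gone quiet is eventually released.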

The aforementioned past and projected market demand for UTM reflects its alignment with this multi-layered security approach. Additionally, the modular design of UTMs has been a contributor, as it supports upgrades in security technologies that are already part of the UTM, as well as introduction of new security technologies.

Currently, the security technologies commonly included in UTMs are:

▪ Firewall
▪ Intrusion detection and prevention systems
▪ Virtual private networking (VPN); Internet Protocol Security (IPsec VPN) and Secure Sockets Layer (SSL VPN)
▪ Anti-malware
▪ Web content filtering

UTMs did not originally include all of these security technologies. They have evolved to this mixture over time, primarily due to a diversifying threat landscape—more security technologies were required to maintain an effective defense. Furthermore, this expansion in security technologies took advantage of UTM’s strategic, in-line location with a business’s network traffic flow. An example of this is data loss prevention (DLP)—a capability that is starting to materialize in UTMs. With DLP, businesses define and enforce data protection policies (e.g., warn, quarantine, block, and encrypt) during the real-time examination of outgoing traffic for the existence of sensitive information (e.g., payment card and social security numbers).
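To make the DLP mechanism concrete, the block below scans outbound message bodies for the two data classes the paper names (payment card and social security numbers) and maps each class to one of the policy actions it lists. This is an added example written for this page, not code from the white paper or from any UTM vendor. The sample messages, the policy mapping (card numbers blocked, SSNs encrypted) and the action precedence are assumptions made for the example; the card number is the widely used "4111 ..." test pattern and the SSN is a made-up value.

```python
import re
from typing import Dict, List, Tuple

# Constructed outbound messages. The card number is the common "4111..." test
# pattern and the SSN is a made-up value; neither belongs to a real person.
SAMPLE_OUTBOUND: Dict[str, str] = {
    "msg-1": "Invoice attached, thanks.",
    "msg-2": "Customer card 4111 1111 1111 1111 exp 09/15, please charge",
    "msg-3": "Applicant SSN is 219-09-9999 for the background check",
    "msg-4": "Order ref 4111111111111112 is a tracking number",  # fails Luhn: not a card
}

# Policy: data class -> action. Actions are the four the paper names plus allow.
# The mapping is an assumption for this example, not any product's default.
DLP_POLICY: Dict[str, str] = {"payment_card": "block", "ssn": "encrypt"}
ACTION_RANK = {"allow": 0, "warn": 1, "encrypt": 2, "quarantine": 3, "block": 4}

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most digit runs that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject structurally impossible SSNs (area 000/666/9xx, group 00, serial 0000)."""
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def inspect(text: str) -> List[Tuple[str, str]]:
    """Return (data_class, masked_value) findings; only the last four digits are kept."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("payment_card", "****" + digits[-4:]))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(("ssn", "***-**-" + m.group(3)))
    return findings


def decide(text: str, policy: Dict[str, str] = DLP_POLICY) -> Tuple[str, List[Tuple[str, str]]]:
    """Apply the policy; when several classes match, the most restrictive action wins."""
    findings = inspect(text)
    action = "allow"
    for data_class, _ in findings:
        candidate = policy.get(data_class, "warn")  # an unclassified hit is still flagged
        if ACTION_RANK[candidate] > ACTION_RANK[action]:
            action = candidate
    return action, findings


if __name__ == "__main__":
    for msg_id, body in SAMPLE_OUTBOUND.items():
        print(msg_id, decide(body))
```

The checksum and structural checks are what keep an in-line DLP filter usable: a bare sixteen-digit regex would block the tracking number in msg-4, while the Luhn test lets it through. The findings are masked before they are returned so that the DLP log itself does not become a second copy of the sensitive data it was meant to protect.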

Another example of the evolution in UTM is firewall protocol inspection and control. Gone are the days that legitimate traffic could be defined exclusively by its protocol (e.g., HTTP or SSL). The traffic within a single protocol is more often a mix of legitimate, known illegitimate, and questionable, such that a binary protocol policy of on or off is too coarse. For this reason, standalone or pure-play firewalls have advanced in policy granularity through use of contextual variables to define and enforce policies. The same is true for the firewall functionality contained in UTMs; it too has advanced in sophistication to counter new threats and better serve businesses’ evolving Internet usage.
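The difference between a binary per-protocol policy and a contextual one is easiest to see side by side. The block below is an added example written for this page, not the paper’s or any firewall vendor’s code: it evaluates the same set of flows under a coarse protocol on/off policy and under a first-match rule set that also consults the destination category (as a Web content filter would supply it) and the user’s directory group. The category names, group names, hostnames and the rule set itself are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One connection as seen by the in-line firewall (constructed sample data)."""
    protocol: str    # application protocol identified on the wire, e.g. "http", "ssl"
    category: str    # destination category supplied by content filtering / reputation
    user_group: str  # directory group of the user behind the connection
    dst_host: str


@dataclass(frozen=True)
class Rule:
    """A contextual rule; a None field is a wildcard. The first matching rule wins."""
    name: str
    action: str
    protocol: Optional[str] = None
    category: Optional[str] = None
    user_group: Optional[str] = None

    def matches(self, flow: Flow) -> bool:
        return (
            (self.protocol is None or self.protocol == flow.protocol)
            and (self.category is None or self.category == flow.category)
            and (self.user_group is None or self.user_group == flow.user_group)
        )


# Assumed policy for the example; category and group names are made up.
CONTEXT_POLICY: List[Rule] = [
    Rule("block-known-bad", "block", category="known-malicious"),
    Rule("marketing-social", "allow", protocol="http", category="social-media", user_group="marketing"),
    Rule("no-social", "block", category="social-media"),
    Rule("allow-web", "allow", protocol="http"),
    Rule("allow-tls", "allow", protocol="ssl"),
]
DEFAULT_ACTION = "block"  # anything no rule describes is denied


def evaluate(flow: Flow, policy: List[Rule] = CONTEXT_POLICY) -> Tuple[str, str]:
    """Contextual verdict and the name of the rule that produced it."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.name
    return DEFAULT_ACTION, "default"


def coarse_protocol_policy(flow: Flow) -> str:
    """The binary protocol on/off policy the paper calls too coarse, for comparison."""
    return "allow" if flow.protocol in ("http", "ssl") else "block"


# Constructed flows: same protocol, different context.
SAMPLE_FLOWS: List[Flow] = [
    Flow("http", "business", "engineering", "partner.example"),
    Flow("http", "social-media", "engineering", "social.example"),
    Flow("http", "social-media", "marketing", "social.example"),
    Flow("ssl", "known-malicious", "finance", "bad.example"),
    Flow("ftp", "business", "engineering", "files.example"),
]


def compare(flows: List[Flow]) -> List[Tuple[str, str, str]]:
    """(destination, coarse verdict, contextual verdict) for each flow."""
    return [(f.dst_host, coarse_protocol_policy(f), evaluate(f)[0]) for f in flows]


if __name__ == "__main__":
    for row in compare(SAMPLE_FLOWS):
        print(row)
```

Note the ordering of the rule set: the reputation block sits first so that a known-bad destination is denied regardless of protocol or user, and the narrow marketing exception precedes the general social-media block so that first-match semantics produce the intended carve-out. Reordering those two rules silently changes the policy, which is why rule order deserves the same review as rule content.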

ALIGNED WITH PREVAILING BUSINESS AND IT TRENDS

The multi-layered, defense-in-depth security proposition of UTM has, as pointed out, gained significant market traction. However, from our perspective, businesses should not limit their security decisions to only whether a collection of security technologies consolidated in a UTM appliance is preferable to a stack of single function security appliances. We recommend that businesses also consider the virtues of network-based security services versus in-house ownership and management of on-premises UTM appliances. When considered, the advantageous alignment with several business and IT trends becomes apparent. These trends include:

▪ Operate from a Distributed Footprint – Instinctively, the thought of a distributed footprint centers on businesses that need to be where their customers are, such as in retail, banking, insurance, consumer and professional services, and hospitality. Yet, a distributed footprint is not limited to these industries. Talent, too, is distributed; and to bring together the employee talent needed frequently requires more than one location. Additionally, in some industries, such as high tech and media & entertainment, mergers and acquisitions are prevalent—forcing businesses to maintain geographically distributed locations, at least temporarily, during a transition period. Regardless of reason, a distributed footprint is the norm for many businesses. This raises the question of how to provide the security each location needs, economically, and with straightforward policy administration.

Network-based security services are well suited to support the security requirements of a distributed footprint for midsize businesses and very large enterprises. As a network-based service, an always-on virtual instance of security functionality is hosted in the carrier’s network for each location. As security needs vary among locations, the virtual instances can be customized to reflect just the security technologies needed for each location. Naturally, in this “as a service” model, the customer only pays for the security technologies in use at each of its locations. Additionally, when consistent security policies are needed across virtual instances, that too is inherently supported in a single-click broadcast fashion (i.e., define once and automatically apply to all).

▪ Drive to Core – Maintaining a secure environment, protecting sensitive information, and complying with regulations is a complex and dynamic endeavor. Furthermore, the necessary skills and knowledge required to establish and update security policies, and respond to security alerts, demand continuous development. Plus, management downtime is nearly non-existent as threat actors never sleep; so neither can their targets. Last, attackers, in their quest to be effective, will attempt the same ploys or attack sequences across multiple targets. In other words, businesses face a common foe. For all of these reasons, businesses are justified in rethinking an exclusive do-it-yourself (DIY) approach to security. While security is essential for business, it may not define the business. Accordingly, driving more in-house emphasis to areas of competitive differentiation, and outsourcing parts of security, is a prudent strategy.

Network-based security service is a managed service. As a managed service, the service-delivery infrastructure is fully maintained by the service provider. The essential tasks of ensuring uptime, updating, and patching software are no longer the responsibility of the business; the provider fully owns these responsibilities. While the customer retains responsibility for its security policies, the provider lessens the policy-creation burden by having a library of field-tested security policies available for customer use, and can provide guidance on policy selection. The provider is also responsible for updating and distributing signature files, for example, for IDS/IPS, anti-malware, and anti-spam. The service provider will also send high priority alerts on security threats, and provide recommendations on how to mitigate. With an around-the-clock staff of security specialists and a customer community of virtual sensors, the service provider is a clearinghouse of security information, and a guiding hand in assisting its customers in becoming more effective in their defenses.

▪ Be Lean – The cloud is part of the “how do we modernize business” conversation of today. At its basic level, the cloud is a usage-based consumption model that helps businesses match compute, storage, and application expenditures closer with actual needs. The cloud reduces the excesses—that is, spare or underutilized servers, storage systems, and software licenses—that creep up with nearly any IT environment.

Network-based security services are patterned after the cloud model. Customers select and pay for only the security technologies they need for their connected locations. Also, situated in the carrier’s network between the customer’s locations and the Internet, network-based security filters unwanted and undesirable inbound traffic; essentially blocking this traffic closer to its source and before traversing the customer’s access lines. In this manner, a larger share of the customer’s access bandwidth is available for essential traffic flows. Additionally, for businesses accustomed to backhauling Internet-bound traffic from remote sites to a central location, in order to enforce security policies, network-based security eliminates this practice, as the same policies can be applied for remote locations from within the carrier’s network. Not only will eliminating backhaul reduce bandwidth consumption at the central location, but end users at the remote sites will encounter less latency in their Internet-centered activities.

▪ Transform – Mobility and Bring Your Own Device (BYOD) are two non-reversing IT trends that are stretching the boundaries of where business is conducted and through what end-user devices. In the process, security is becoming increasingly fragmented. At the same time, data breach consequences and regulatory intensity are rising. And with more business activities being conducted through mobile wireless connections and on endpoint devices not owned or fully managed by the business’s IT and security organizations, vulnerability to data loss, malware infections, and backdoor entry into critical internal systems is also rising. As businesses adapt and incorporate mobility and BYOD into their normal operations, security practices must also transform from security policy enforcement just at the edge of the business network to wherever business is conducted.

A virtue of network-based security services is that they relax the definition of a protected location. No longer must a protected location be defined strictly in terms of a physical address. Rather, protection is extended to any connection. Whether that connection is from a mobile device, from an employee’s home PC, or the laptop of a travelling employee, as long as the connection is directed through the carrier’s network-based security service environment (e.g., through a VPN tunnel), the business can enforce its security policies.

NETWORK-BASED SECURITY SERVICE ATTRIBUTES TO CONSIDER

Network-based security delivers a strong value proposition for the distributed business. It starts with the foundation of UTM, and drives it further with the usage-based economics of cloud-modeled services, the assurances of managed services, and the bandwidth optimization benefits of being situated in the carrier’s network. There are other service attributes that are also important to consider in selecting network-based security services: (1) visibility and reporting, and (2) pricing.

Visibility and Reporting

An essential element of security is information; and each security technology included in the customer’s network-based security services is a source of information. In order to maximize the effectiveness of this information, it needs to be presented in a meaningful way for its intended users. This can be a dilemma, as the intended users collectively represent a diverse range of needs. For example, business executives may only require a report card view of the state of protection and regulatory compliance. At the other extreme are security administrators. In their role, highly granular information is essential. They are, in effect, in charge of day-to-day decisions on protecting critical systems, data privacy, and ensuring that end-users’ Internet usage stays within company parameters. Yet, waves of granular information are overwhelming. To counter this, the information must first be presented to alert and prioritize effort. From there, administrators can drill down to detailed specifics, in order to qualify security threats or issues of regulatory non-compliance; and then develop an action plan, such as modifying an existing security policy, creating a new policy or rule, or drawing end-users’ attention to risky behaviors.

In assessing network-based security services, consider your visibility and reporting needs. At minimum, you will want report card views. Beyond that, your level of active security management will be a determining factor. For example, if your intent is to be highly active (i.e., self-managed), then enterprise-grade visibility and reporting capabilities are warranted. However, if your intent is to be more reserved in your day-to-day security management, and your relationship with your network-based service provider includes support for event investigations and policy changes, then your visibility and reporting needs are not as stringent. Nevertheless, you will still want more than just report card views, in order to facilitate effective and efficient communication with your service provider about security issues and how to resolve them.

Pricing

Usage-based pricing with a cloud-delivered service is compelling, but how does it work with network-based security services? The reality is that there is no standard or benchmark pricing structure. Nevertheless, in stepping back and considering the service-delivery elements of network-based security, there are three characteristics that stand out:

▪ Security Technologies – Each connected site or remote user aggregation point (e.g., VPN concentrator) included in network-based security is defined by security technologies in use. These, of course, represent capabilities that define the protection your business is receiving. Thus, these are foundational elements in network-based security pricing.

▪ Throughput – Security, particularly when it entails examining the flow of network traffic in real-time, consumes computational resources. As more security technologies are turned on, or the number of connected users increases, the need for higher levels of throughput increases. Consequently, the second element of network-based security services pricing is how much throughput or bandwidth is required to support traffic flow examination and policy enforcement (e.g., block) without affecting the end-user experience (i.e., adding a perceptible amount of latency) on safe and legitimate usage.

▪ Customer Support – As previously stated, network-based security is a managed service. However, the type and level of personalized support across subscribing businesses will vary. Some businesses prefer a self-managed approach in which they have full control of their security policies; for example, the frequency of policy changes and the speed at which the changes are enacted. Other subscribing businesses prefer to utilize the service provider’s staff to administer policy changes on their behalf. Similar to security technologies and throughput, staff time and talent have a cost associated with them, so customer support is also a justifiable pricing element.

As each of these pricing elements could be metered and charged for at a very detailed level (e.g., daily megabytes processed and customer support minutes), this would be inconsistent with a prominent need of most businesses—cost certainty. Therefore, a commonsense network-based security services pricing structure is tiered with a bursting allowance (e.g., to accommodate, without extra charges, a seasonal spike or end-of-month spike in network traffic). In this manner, businesses gain certainty in their security expenditures, without compromising service consistency (e.g., fluctuations in latency due to a surge in network traffic).

CENTURYLINK BUSINESS AND NETWORK-BASED SECURITY SERVICES

The content on this page was provided by CenturyLink

Responding to the evolving security, regulatory, and data protection needs of businesses—from large and highly distributed organizations to single site businesses—CenturyLink now offers Network-Based Security—a managed and monitored security service delivered from within CenturyLink’s nationwide, fiber-based network. This service provides layers of protection for each location in a company’s private network. This optimized, network-based combination of essential, state-of-the-art security technologies moves CenturyLink customers from a scenario of “inefficient security” to “optimized security.”

Today’s Network Security Scenarios (Inefficient Security → Optimized Security)

▪ Unpredictable capital expenditures and technology obsolescence → Efficient operating expense model and automatic security technology upgrades
▪ Resource contention, congestion, and sub-optimal performance → Highly expandable network-based model and avoidance of network backhaul
▪ Insufficient security expertise → 24x7 expert threat monitoring and enterprise-grade visibility and reporting
▪ Single points of failure → Always-on security with geographically diverse and redundant virtual infrastructure deployment
▪ Unpredictable security expenses → Flexible and predictable pricing terms

Stratecast: The Last Word

Enterprise decisions on security need to be expanded beyond the essential “what” to also include “how” and “where.” UTM appliance vendors have advanced the all-in-one concept of security in multiple areas—performance, security efficacy, and manageability—and businesses of all sizes are including UTMs in their standard approach to security. Taking the all-in-one concept one step further, network carriers are offering bundles of integrated security services from within their networks; the Security as a Service approach. The benefits of this relocation from CPE-based deployments to virtual network-based services are numerous and impactful. And that impact is not limited to security efficacy; there are operational benefits in optimizing bandwidth, streamlining administration, adapting to prevailing IT trends, and managing security expenditures.

Stepping back and taking the appropriate “broad” view, one should ask: what is security doing for my organization, and how can security be matched with my organization’s business needs and objectives? In answering these questions, the value of network-based security services becomes apparent. The time is right to evaluate your network-based security service options.

Michael Suby

VP of Research

Stratecast | Frost & Sullivan

[email protected]

877.GoFrost • [email protected]

http://www.frost.com

ABOUT FROST & SULLIVAN

Frost & Sullivan, the Growth Partnership Company, works in collaboration with clients to leverage visionary innovation that addresses the global challenges and related growth opportunities that will make or break today’s market participants. For more than 50 years, we have been developing growth strategies for the Global 1000, emerging businesses, the public sector and the investment community. Is your organization prepared for the next profound wave of industry convergence, disruptive technologies, increasing competitive intensity, Mega Trends, breakthrough best practices, changing customer dynamics and emerging economies?


ABOUT STRATECAST

Stratecast collaborates with our clients to reach smart business decisions in the rapidly evolving and hyper-competitive Information and Communications Technology markets. Leveraging a mix of action-oriented subscription research and customized consulting engagements, Stratecast delivers knowledge and perspective that is only attainable through years of real-world experience in an industry where customers are collaborators; today’s partners are tomorrow’s competitors; and agility and innovation are essential elements for success. Contact your Stratecast Account Executive to engage our experience to assist you in attaining your growth objectives.
