Ready for managed security services?
VeriSign's network operations center in suburban Virginia is unremarkable from the outside. It sits on a pleasant lake, across the water from an Olive Garden restaurant. Inside it's what you'd expect from a major NOC (it was cool to see a
But NOCs like these are ready to become central to government's efforts to secure their networks. George Schu, VeriSign's public sector head and a former Navy officer
, told us agencies have "had an epiphany" in the last couple years when it comes to embracing managed security services.
Not long ago, handing over network security to a third party would have been a dicey proposition (other types of managed services have been better accepted). But Schu said budget constraints and policy mandates (not the least of which is FISMA) have opened agencies' minds.
Government isn't exactly a laggard in this area. Ken Silva, VeriSign's chief security officer (and a former National Security Agency analyst), cited Merrill Lynch as one large, cautious financial institution that wouldn't have considered managed security services a short time ago. Now VeriSign handles the firm's network security.
Pretty soon, we'll see more evidence of this awakening. Word is that VeriSign is working on a managed security engagement with a major agency. Stay tuned.
As Silva explained, network security still isn't a core competency of many government agencies'or other enterprises for that matter. So do wretched FISMA grades
accurately reflect the state of network security in government? Silva and Schu agreed government networks are still "terribly insecure."
The NOC we were sitting in the other day has a sister facility up the road. The two combine to form a fully redundant site. VeriSign has more NOCs around the world, including one in Providence, which can support government customers who want their managed security services housed further away from the capital for continuity of operations planning
How do agencies begin to approach the decision to outsource their network security? They can start with a US-CERT-sponsored publication
(121-page PDF) on best practices in choosing managed services. It's a few years old, but very detailed.Posted by Brad Grimes
Posted by Brad Grimes, Joab Jackson on Apr 26, 2006 at 9:39 AM