The Internet has given us lots to love — and lots to be concerned about. As more and more small and medium businesses begin to embrace VoIP, unified communications and other IP technologies that provide a competitive edge, there’s an accompanying recognition that these companies also need resources for securing those communications beyond a simple firewall, since security breaches can erase IP productivity gains in a blink of an eye. For VARs and agents, offering a holistic managed security service that takes out the complexity and expense associated with premises-based solutions can be a differentiator and a way to shore up sales for VoIP to SMBs in the first place. And as managed security services typically offer a monthly recurring revenue stream, it’s a profitability-enhancer too.
The opportunity is growing: Sales of hosted and managed VoIP solutions are expected to grow at an annual growth rate of 56.9 percent through 2010 in North America, reaching $1.56 billion by 2010, according to research firm AMI-Partners. “The concept of voice communications as a service is becoming very appealing as these small businesses have almost no IT and voice communications expertise and resources,” says Sanjeev Aggarwal, AMI-Partners’ vice president for SMB infrastructure solutions.
In tandem, awareness of the need for managed security is quantifiably on the march, too. The Computing Technology Industry Association (CompTIA) says in a poll of 322 SMB organizations using managed communications, it found one-third plan to invest or upgrade their spending in managed security services this year.
“Many SMBs still feel a bit wary about VoIP and IP services,” says Greg Davis, vice president of marketing at service provider MegaPath Inc., which offers circuits, VoIP services and managed security. “Offering a good security solution along with the IP can mean the difference between closing the sale or not.”
While the opportunity is clearly laid out, to capitalize on it means agents and VARs especially need to understand the drivers for managed security, both from a general SMB needs perspective as well as the specific benefits managed services can bring to the table.
From a macro-level perspective, CompTIA says 40 percent of its survey respondents say they are investing in managed services due to a lack of internal skills. Other key factors respondents cited for employing managed services: 30 percent say it is less expensive for their businesses to have an outside party manage certain IT services than if the work was done in-house and 21 percent say that using managed services allows them to focus on their core competencies. “When you go to sell IP, security naturally comes up,” says MegaPath’s Davis. “Offering a solution with all the protection functionality they need is great, but outlining the clear business benefits can make for a no-brainer add-on to the main sale.”
Davis also explains that among the more granular benefits of managed solutions are the abilities for turnkey deployments, reductions in network complexity, business continuity assurance (as an off-site hosted service), help in compliance with government regulations thanks to audit mechanisms, increased network uptime and performance via proactive monitoring and management, and available reporting aids for developing best practices and security policies.
The Threat Taxonomy
When it comes to actual solution functionality, a channel partner also needs to know his or her way around the security landscape, outlining the threats for customers and demonstrating how solutions match up.
There are the well-known worms/viruses/denial-of-service attacks, identity theft gambits and so on to consider, but in the VoIP era, new risks include call hijacking and call eavesdropping, billing fraud whereby a third party bills his or her calls to someone else’s phone number (unbeknownst to the user), and another form of billing fraud that involves changing a corporate calling plan to allow 900 numbers or international calls. Voice-based spam known as “SPIT” is another issue, along with phantom voice mail, codes that cause incessant incoming calls with no one on the other end and the like. And, it’s also important to consider device lock-down.
“Now that you’re seeing more managed offerings for VoIP and not just for data, this is no longer a quick sale, or a well-understood one,” says Brendan Ziolo, director of marketing at Sipera Systems Inc., which offers a unified VoIP security appliance that is deployed at the customer premises but can be managed centrally from a remote location. It offers intrusion detection, session border control functionality and more. “It takes a certain amount of investment in education on the part of the channel partners because things are very complicated out there, and threats never stop coming.” However, he says that for a VAR or agent, learning about the options and being able to make the business case for security can mean a big pay-off. “It’s still a strong differentiator for a VAR to offer something like this, because this market is relatively young,” says Ziolo. “It’s there for the taking, really, once a partner puts in the effort to learn about security and be able to educate the customer on what it covers.”
Indeed, it’s particularly important for the VAR or agent to educate small businesses on the need for wider network protection beyond what is installed on the PC. “The biggest obstacle a VAR faces is the question from customers of ‘Why do I need [network] gateway protection? I already have anti-virus and anti-spam on my computers …,’” says Tri Nguyen, manager of business networking products for ZyXEL Communications Corp., a security provider. “Our answer is that when dealing with network security, you can never have too much protection.”
Some offerings are all-in-one, making for an easier sale. “It’s critical to have an end-to-end solution that addresses various layers of threats,” says Davis. MegaPath’s SecureConnect Managed Security Services is a network-based unified threat-management (UTM) solution for businesses requiring no premises-based hardware or software, available to agents and VARs to sell on a monthly subscription basis. It includes attack mitigation, anti-malware, Web filtering and a VPN capability, along with round-the-clock support by SecureConnect Care, a team of security professionals and online resources. “Looking at just a managed firewall, say, or just Web filtering for users, that’s not going to get the job done for most businesses,” he explains.
Similarly, Perimeter eSecurity offers on-demand, network-delivered security technologies as a subscription service. The company has 50-plus services to mix and match, engineered to work together as one seamless multilayer solution. “This is where the VAR becomes a true trusted adviser,” explains Clark Easterling, vice president of marketing at Perimeter. “They can match up the functionalities with whatever the customer needs for a custom fit.”
ZyXEL’s Nguyen says that such a unified approach was prohibitive in the past, but VARs now can show customers that this has changed: “As more and more managed security service providers offer services, it is becoming much more affordable. Before, to pay $X per seat for managed service got really expensive. With UTM and gateway-based services, broad protection services can be offered.”
ZyXEL’s ZyWALL UTM appliance can be deployed on-premises but remotely managed by a VAR, making the VAR the managed service provider. “We have many customers who have taken our ZyWALL product line to provide their own managed service to businesses,” says Nguyen. “Some have looked into Vantage CNM and Vantage Report to provide a complete solution. Others will be able to use third-party solutions, such as LevelPlatforms, to manage our security devices.” It offers VPNs, network firewalls, load balancing, bandwidth management and protection from phishing, virus, spam, malware and other external intrusion protection.
While the unified approach is a growing trend, an enterprising VAR also can highlight some specific solutions to address certain issues such as internal user behavior and client-side concerns.
Allowing businesses to customize security settings for individual users in a way that’s not cumbersome is another perk that VARs can underscore. For instance, managed service provider Appia Communications Inc. launched AppiaSecure earlier this year for permissions-based managed network security, available to its VAR channel to offer business users. While it includes all the traditional external threat protection, it also uses digital certificates for user identification, so managers can customize each user’s access to specific applications or devices on a network, limiting the use of unauthorized software or services, Web access, e-mail settings and so on. Network activity also may be traced back to a specific user, making a network fully auditable. Thus, it protects the network from outside threats, but also from potential internal issues.
“Many people just think about intrusion detection and prevention, viruses, worms and other problems that come from outside Internet connections,” says Nick Nerbonne, marketing communications manager at Appia. “The reality is that internal issues are just as much of a potential issue when it comes to downtime, productivity loss and other metrics that are critical for SMBs. If a VAR can give them this kind of peace of mind, in a way that’s easy and affordable, that’s a real differentiator for the VAR and his Internet/VoIP offerings.”
The solution functions through the AppiaSecure Server, hosted by Appia, and AppiaSecure gateways on each premises, single devices that store secure digital certificates that serve as customized permissions for each user. By utilizing only one device per site rather than several, AppiaSecure in theory offers network owners a security option that is more efficient and less costly than TCP/IP solutions, which operate as “default-open” and require multiple software applications to secure all points of vulnerability within a network.
Meanwhile, SecurityCoverage Inc. focuses on the managed security for the endpoint side of the equation, via reseller and affiliate revenue-sharing partnerships. “Network security is a critical need, but so is making sure the endpoints don’t become the weak link in your defense,” explains Robert O’Dell, president and CEO at SecurityCoverage. The company’s SecureIT offering is a fully managed computer virus and threat protection system that provides automated Microsoft patch updates that are fully tested prior to installation. SecureIT Plus builds upon the base security protection, including spyware threat detection and removal, Internet Explorer popup and ad blocking, hard drive optimization and maintenance.
“The difference between us and your typical store-bought Norton or McAfee software is that we are managed, meaning that we’re monitoring systems on an ongoing basis and can be proactive in making sure all is protected, without the customer needing to install or update software,” O’Dell says. “We are watching and can provide fixes in seconds or minutes as opposed to the hours that those other solutions take to update their signatures.”