Friday | 10 July, 2009
CSO
Pipe cleaners: How telcos are managing to deliver 'clean' traffic
The vast majority of Internet traffic is useless or worse, from spam to denial-of-service attacks to bot-related activity. AT&T wants to clean things up—and earn a tidy profit in the meantime
Sarah D. Scalet (CSO (US)) 02/08/2007 14:42:42

Virtual security

The centerpiece of AT&T's strategy to build security into the network--dubbed "in-the-cloud" security services--is a concept that's gotten increasing attention over the past couple of years. Right now, as CSOs are all too aware, most companies purchase and manage (or outsource the management of) a slew of security devices, from antivirus software to firewalls to intrusion detection and prevention systems. With an in-the-cloud setup, however, many of these tasks can be handled using a virtual device administered by an MSSP. It's basically a software-as-a-service model, with monthly service fees replacing product, installation and maintenance costs. Gartner projects that as early as 2008, 30 percent of managed security service revenue could come from services delivered in the cloud.

Telecom companies aren't the only ones pushing for this model. Antispam companies such as MessageLabs and Postini have adopted it, as have pure-play MSSPs such as Perimeter eSecurity and VigilantMinds (which recently merged with another MSSP, Solutionary). "Think of us like the water utility," says Brad Miller, CEO of Perimeter eSecurity, a US$24 million, venture-capital-backed company that used to call itself Perimeter Internetworking. "You could have one big water utility that cleans the water, or every house could have its own water filter. Which way is more efficient?" Obviously, Miller thinks the former.

A security company like Perimeter eSecurity has to either partner with telecom companies (which it does), or convince direct customers to route all their Internet traffic first to Perimeter and then back to their enterprise (which it also does). Telecom companies, on the other hand, need only to get permission from existing customers to filter the traffic that they're already handling anyway. Rather than evaluating a brand-new contract, the CIO, and perhaps CSO, are just looking at making changes to a service-level agreement and pricing for bandwidth.

Although not everything can be handled at the network level, AT&T currently offers several services in the cloud. First, there's the network-based firewall, which can be accessed and configured through a Web portal and eliminates the need for a perimeter-based firewall. Second, there's defense against DoS attacks. With this setup, when a customer's Web traffic reaches a certain threshold, AT&T diverts the traffic to scrubbers that filter out the bad traffic and direct the good to the company's website. Third, there's e-mail security, where AT&T uses third-party software to filter out viruses and spam--typically at least 80 percent of a company's inbound e-mail traffic.

A similar Web security service screens incoming Web and instant-message traffic for malware. Finally, a family of services called Internet Protect notifies customers of unusual Internet activity--the junk on the screens at AT&T's network operations center--and makes recommendations. For instance, if technicians see early indications of a new worm, they may suggest that a customer temporarily block traffic to the affected port. Right now, most of AT&T's security customers still favor handling things the old-fashioned way, by turning over the management of what's known in industry lingo as customer premises equipment (CPE), such as firewalls.
