As telecom service providers pursue new data revenue streams, one of the hottest areas has been managed security services. The appeal is obvious — more businesses are depending on the Internet and data networks for core operations, and with the threats to those networks from multiple sources constantly growing, the demand for security seems limitless.

But the move into managed security also puts telecom service providers into direct competition with established players in the field — including ISS, VeriSign and Symantec — and challenges them to prove their capability in a critical new field. The response from many, especially from major players such as AT&T and MCI, has been to expand the reach of their managed security offerings to create a service differentiated in scope and functionality from what pure-play security companies can provide. Instead of offering a managed firewall service or intrusion protection, for example, some service providers are offering, or planning to offer, a soup-to-nuts security service that encompasses everything a business customer does.

“All network service providers are faced with a similar dilemma,” said Michael Luby, research program manager with Stratecast Partners, a division of Frost & Sullivan. “Their core transport businesses are being marginalized, and they need to add additional layers of services that either complement traditional transport services such that they can create differentiation or provide opportunities to get into a deeper relationship with the enterprise customer and get beyond the demarcation point between the WAN and the LAN.”

“The real question is, can you operationalize [managed security] and make money,” he added. “Much of what they are doing is going up against companies that buy secure products and manage them on their own. They have to make the enterprise feel confident that they can do a better job and save the enterprise money, as well as protect their privacy. And they are competing not only against the major security companies but against value-added resellers that sell equipment and provide service. There is plenty of competition.”

The service providers most active in managed security argue, however, that their position as network operators not only puts them in the perfect place to help companies prevent network problems from denial of service attacks, spyware, viruses, worms and more, but also gives them a unique expertise and a perspective that they can tailor to customers.

“We are able to collect not only data from the traditional network inside the enterprise but also from our backbone on the WAN, and we can correlate that information to form a holistic model,” said Chris Sharp, vice president of MCI NetSec Security Services, which recently expanded its “Core to Cloud” strategy with expanded proactive security. “We see a lot of the traditional security providers putting a firewall at their [network operations center], and they don't have the other side of the equation, which is collecting intelligence from the network so they can be proactive in collecting intelligence.

“We are constantly monitoring the segments of our IP network to be able to present information to our customers in the context of their business.”

Although MCI jumped headfirst into security services with its acquisition of NetSec, other major players have taken a home-grown approach, as AT&T did, or have partnered with security service companies, as WilTel did with CounterPane.

“Our services are created internally in [AT&T] Labs' organization,” said Stan Quintana, AT&T vice president of managed services. “For the most part, we utilize internally just about every service we bring to market — we eat our own cooking, so to speak. The services we bring to market are not just point solutions, they are integrated into what we classify as a security process.”

The move to make security a process or holistic is becoming increasingly important because points of entry to enterprise networks are proliferating rapidly such that simply providing a clean pipe into a corporate customer or a set of services between the customer and the Internet isn't enough.

“A lot of telecom providers are saying they can secure everything through clean pipes,” said Grant Geyer, vice president of Global Managed Services for Symantec, which both competes and partners with telecom service providers on managed security services. “The reality of the situation is, you can secure the pipes all you want, but a rogue access device can corrupt the corporate network anyway. You have to go back to basics. Clean pipes may be a part of an overall strategy but what is just as important is being able to patch and provide antivirus, managed security and basic services.”

There is universal agreement that wireless access devices — whether they are BlueTooth-enabled, BlackBerrys or other PDAs, or even wireless-enabled laptops — present a new generation of security issues. Whether the issue is a careless employee or deliberate malfeasance, the access method has now changed dramatically.

“We are seeing a tremendous shift with security in the marketplace,” said Bob Schroeder, director of product management for managed security for Qwest. “Attacks are a lot more complex — we have a lot more different ways to get into networks. That's why security needs to be multi-dimensional — that is a big deal.”

And that is also why service providers that want to do comprehensive managed security are taking a layered approach to protection, said Ralph Santitoro, director of security services for Nortel Networks.

“There has to be a layered defense,” he said. “The managed security service is one piece, but the enterprise has to do something as well. With mobile devices, you have another way for threats to come in, and you have to address that with another form of managed security service. Different service providers are in different phases of looking at all of these services.”

The deployment of multi-service edge devices is actually enabling service providers to bundle security, including firewall, anti-virus and intrusion protection/detection services into a premises-based system that provides a link between the LAN and WAN services, said Jeff Kauffman, product manager for Lucent Technologies' Managed Security Services.

“Multi-service edge devices do increase the opportunity for the provider to have a higher value proposition to their enterprise customers,” he said. “But it does take a lot more training from the staff and understanding of systems as they are implemented into the network.”

As enterprises converge their voice services onto IP, however, that introduces another wild card, said Mike McAndrews, vice president of IP services for WilTel.

“Voice over IP has vulnerabilities,” he said. “We are working hard now with our partners to get a handle on what those challenges will be.”

There is also a healthy sense of skepticism from the managed security industry that telecom companies will be able to pull off a comprehensive security play, unless they carefully segment the market. Targeting the largest enterprises could be problematic, according to some industry experts, while others say moving down market has its own pitfalls.

“Telecom service providers say they are offering comprehensive services, but it's what we call ‘all hat, no cattle,’” said Brad Miller, CEO of Perimeter Internetworking, which developed its own Security in the Cloud services that it sells to financial institutions and to service providers such as NuVox. “The amount of invested capital is multiples of the revenue being generated. There is no one in the Fortune 500 who hasn't heard of managed security. Everyone who is going to make the decision to outsource their managed security has had that opportunity.”

Miller believes the real market opportunity lies in the small and medium-sized businesses (SMB).

“The SMB market is looking for a full-service provider,” he said. “Those customers would much rather have a broad solution that addresses many problems rather than a deep solution. They need a complete answer with a good firewall, good intrusion detection — good across the board as opposed to the very best intrusion system sold by itself. We haven't seen anything we consider to be comprehensive for this market.”

Serving the SMB market will require a very different level of support, said Throop Wilder, co-founder and vice president of marketing for Crossbeam Systems, which builds high-performance security services switches for the full-range of security offerings, including intrusion detection, firewalls and virtual private networks. It counts BellSouth and Telefonica among its 25 carrier customers.

“One of the big issues for companies trying to deliver service in the cloud is that security requires a lot of tweaking,” he said. “Typically, companies start out in managed firewall services and then get us into the operationalizing of that and then start rolling out additional services. Are the services virtualizable? That's where the industry is still in its infancy.”

Wilder sees service providers finding more success serving what he calls a middle tier of larger companies that are interested in outsourcing security, given the right solution.

At the small business level, “it's still early, and the support model isn't well-understood,” he said. “When something goes wrong with customer 85,362 — do you have the capability to troubleshoot services like intrusion protection and firewall that aren't simple connectivity offerings?”

He thinks another year of maturity will enable service providers to develop a SMB model, and in the meantime, they can be generating revenues from the larger firms. Telefonica, for instance, is selling secure medical record delivery for hospitals, without trying to break down the individual services that such a service requires, Wilder said.

“They are going up to where they can generate the highest value adds,” he said.

Given the billions of dollars at stake, competition at all levels of the security market will only intensify in the coming years, said analyst Luby.

“I believe they can do it all,” he said. “It's always a matter of evolution and how much investment they are going to make. And it's establishing credibility. They need to operationalize it, continue to build their expertise in personnel and systems to do that and, over time, build credibility with their enterprise or potential enterprise customers.”

The service providers that succeed will be those that figure out how to offer the highest possible degree of customization for each enterprise while still maintaining a profit margin, he added.

“Every enterprise situation is unique, so managed security services will be customized,” Luby said. “The challenge is, can you build operational efficiencies so you can offer that level of customization and make money for yourself?”

But if service providers don't become the primary purveyors of security for IP networks, the proliferation of networked devices and services is likely to overwhelm less pervasive approaches, said AT&T's Quintana.

“Today, we have 107 power devices in the IP domain,” he said. “Over the next five to seven years or so, the consumer electronics industry, RFID in retail, manufacturing, PDAs, you name it — we will be at 1012 power or more in IP devices. They are going to far outnumber what we are dealing with today. If you can't scale your security solution, an IP network will be quickly overwhelmed.”