Print Page      Email Page
Back to Article List

Vendor Analysis: Interliant's Security Vulnerability Assessment
By Laura Taylor
January 14, 2002

A security vulnerability assessment service is a risk management process. Interliant's security vulnerability assessment service enables its clients to understand what risks their online transaction systems and network infrastructure face. Relevant Technologies has taken an in-depth look at Interliant's security vulnerability assessment service to find out what their tactical strategy is in helping organizations minimize risk, how this strategy evolved, and what IT decision makers can expect to gain from using their services.

As businesses continue to put their critical systems, data, and applications online, the importance of security and privacy become increasingly critical. Financial loss is only one of the many online losses a company can fall victim to. A Security Vulnerability Assessment (SVA) has become a crucial service to any company with valuable online data or infrastructure connected to the Internet.

Product Background
Interliant is a leading global application service provider (ASP), and, according to Gartner Group, is the third largest ASP in North America. With the purchase of Triumph Technologies in November of 1999, Interliant became a leading provider of security and managed security services. According to Giga Information Group, security outsourcing services are growing at a rate of 35% compared to 25% for other corporate information technology outsourcing services. Security vulnerability assessment services are just one segment of the security outsourcing marketing. Interliant's INIT Security Vulnerability Assessment (ISVA) service has matured significantly in the last few years, and continues to be one of its most popular security outsourced services.

Interliant's ISVA service does a lot more than evaluate the security of a website or perimeter network. Physical access controls of the facilities are reviewed, as well as both the hardware and software configurations of the firewall. The firewall rules, the router access lists, and the security of individual hosts are reviewed and tested for potential security exposures. If virtual private networks (VPNs) and authentication systems are in place, these are tested to see if they are configured correctly and are protecting the infrastructure as expected. Remote access systems and passwords are also tested for weaknesses and exploitability.

It is important to note that a security vulnerability assessment service gives you the security posture of your network for a single snapshot in time. In order to understand the appropriate corrective action to take to secure the exposures, you need this security snapshot in order to formulate your security agenda going forward.

Allowing inappropriate access to your backend systems, or exposing your customers’ credit card numbers, could prove costly and lead to resource depleting litigation. Since your infrastructure changes daily, Relevant Technologies recommends businesses with highly sensitive and confidential corporate and customer information perform a third-party security vulnerability assessment once a quarter.

In addition to quarterly assessments, Relevant recommends that internet-based penetration tests be performed on a monthly basis. Interliant's ISVA service offers best-practice penetration testing capabilities that are able to substantially mitigate future security exposures. Other significant contenders in the SVA market that compete with Interliant include @Stake, TruSecure, and Predictive Systems. With the security market approaching $6 billion USD a year and growing at a rate of about $2 billion USD for the foreseeable future, Relevant Technologies expects Interliant to be able to grow and sustain its ISVA service in spite of the competitive landscape.

Table 1: Corporate Information
Company Name : Interliant
Service Name : INIT Security Vulnerability Assessment Service
Service Scope : Small to large sized businesses
Industry Focus : Internet, Technology, Financial sectors
Key Features : Risk management, Security remediation, Consolidated reports, Security roadmap, Report card
Number of Employees : 1000+
Contact Information : 781-756-3700
Financials : NASDAQ: INIT
2000 Total Revenues: $158 million
1st Quarter 00 Revenues: $26.9 million
1st Quarter 01 Revenues: $39.6 million
2nd Quarter 00 Revenues: $38.6 million
2nd Quarter 01 Revenues: $31.2 million

Service Strategy and Trajectory
Interliant's security services serve global organizations that have local networks in varying locations. Interliant assists organizations of all sizes with security vulnerability assessments in order to:
  • Protect revenue streams Safeguard customer and corporate information
  • Reduce site outages and performance problems
  • Test responsiveness of intrusion detection systems
  • Create secure and seamless information access
  • Prevent or deter denial of service attacks
  • Meet customer contractual obligations
  • Prevent unauthorized financial transactions
  • Risk mitigation in mergers and acquisitions
  • Understand corporate risks to meet SEC criteria
  • Protect infrastructure against cavalier engineers
  • Help organizations gain competitive advantage
  • Build customer loyalty
  • Assist in setting security IT agendas
  • Enable corrective action
  • Assist organizations in qualifying for Information Protection Insurance
Having a security vulnerability assessment done by an independent and outside authority shows that an organization has taken due diligence and objectivity in working towards a secure infrastructure.

Interliant performs this service directly and has considerable success doing so. As a result, Interliant’s SVAis not available through any reseller channel, and we expect that a channel strategy will not be necessary for future positioning.

Product Strengths
Interliant has a proprietary formula for identifying an organization's level of risk. By applying this formula to an organization's network infrastructure, it is possible to calculate a numerical statistic from which an organization can base future security assessments. For carrier-class organizations, this means that Interliant can measure the risk of a group of networks, or measure the security of different divisions, assign a risk exposure grade, and find out which networks or corporate divisions are creating the greatest exposure for a company. Once a risk grade has been applied to different divisions in an organization, if the same methodology is used consistently, trends can be noted.

Interliant does not rely on any one particular vendor or network-scanning tool to assess a client's web site or network. They use multiple assessment tools, some commercial, some open source, and some home-grown, which all have strengths in different areas. Their experience has shown that one tool will not accurately identify all vulnerabilities. Additionally, they make use of protocol analyzers, intrusion detection sensors, and port listeners if the situation warrants it.

Since all scanning tools turn up false positives from time to time, the first thing Interliant does is to confirm a detected vulnerability. If the customer requests it, they can further exploit the vulnerability, and penetrate the customer's network, if further verification is required. However, once vulnerability is verified, Interliant's primary concern is always to resolve the exposure as soon as possible in order to help their clients minimize risk.

Product Challenges
As the security vulnerability assessment market grows, so does the number of ASPs that offer competing services. Currently, other ASPs that offer security vulnerability assessment services include Exodus, Genuity, and Digex.

Aside from the ASP competitors, other reputable security vulnerability assessment services are being conducted from consulting firms like Ernst & Young, Foundstone, IBM, Netigy, and Vigilinx. Some of the security services provided by these other vendors do not have the years of refinement that Interliant's security services offer, however, it should be noted that these vendors are competing for the same customer base that Interliant is targeting.

With many of their competitors having large customer bases distributed nationally and internationally, there will be significant challenges for market share in this segment. Interliant will need to expand their regional strength to other cities on the East Coast, like New York, and Washington, D.C., in order to create a more national presence. Replicating their focus on security to other major markets, and hiring new staff to ramp up these strategic geographic locations, will increase Interliant's ability to remain competitive.

Vendor Recommendations
In order to leverage the growing need and market for security vulnerability services, Interliant will need to step up its marketing campaign in order gain name recognition in the security service provider category. Interliant's strength in security comes from its years of experience and being well entrenched in the New England market. The necessity to communicate to a multi-national market its depth of expertise is critical to Interliant's success. Partnerships and strategic alliances will increase Interliant's ability to obtain a national presence.

There remains considerable disparity between best and worst-practice security vulnerability assessment services today. Interliant's service is well-defined, and has withstood the scrutiny of many years of customer implementations. The challenge for Interliant will be to educate the market of their expert capabilities. With sufficient marketing resources, Interliant will be able to more clearly differentiate itself as a premiere leader in a competitive landscape.

User Recommendations
Outsourcing an organization's security vulnerability service is a reasonable solution, and is often more cost-effective than doing it in-house. The costs associated with performing a security vulnerability assessment include a substantial investment in scanning and penetration tools, and often times multiple tools are required to do a thorough job. As well, knowledgeable security staff resources are required, and it may not make sense from a cost perspective for some companies to have a person dedicated for this task alone. Finding knowledgeable security employees is difficult, and, once found, they are expensive to keep on board. Leveraging the skills and resources from Interliant shows that an organization is taking steps to improve its security posture, and safeguard their customer data and networks.

Most of the vendors offering security vulnerability assessment services are technically competent to address technical risks, but are not knowledgeable in regards to the business impact of their actions. Unlike other security service providers, Interliant, through its unique risk management formula, is able to align technical risks with business risks, and come up with an approach that balances technical security with appropriate countermeasures and a comprehensive conclusive report. Interliant's final security vulnerability assessment report includes an executive summary, a report card, security profiling, vulnerability findings, a topology and infrastructure review, a summary of recommendations, and a security roadmap to use moving forward.

Measuring risk is critical to the long-term success of most organizations with moderate to large-sized budgets. Businesses have a limited amount of resources, and eliminating high-risk exposures can prevent a total collapse of a corporate infrastructure moving forward. Understanding the relationship of security risks to other areas within the organization can act as a starting point for a corporate-wide risk management framework.

By using Interliant's security vulnerability assessment service you are purchasing a proven pre-defined service. With impressive capabilities and references, this service is ideal for businesses and organizations of all sizes that are not able to justify dedicated in-house resources to develop specialized technical security auditing capabilities.

DHTML Menu By Milonic JavaScript