Expand Your Broadband Portfolio: 
Partner with a managed security provider

By Lisa Phifer
Core Competence, Inc.

Much has been written about the security risks associated with always-on broadband technology. In 2Q 2000, IDC estimated that just 1.9M of 10.8M business Internet connections were protected by firewalls. The majority of broadband lines serve those least prepared to implement complex security measures: small-to-medium businesses, telecommuters, and home businesses. Increasingly, these customers are looking to CLECs and DLECs to complement broadband access with value-added security services.

IDC projects a $9B managed security services market out there, just waiting to be tapped. But CLECs and DLECs already have plenty on their plate. Between scrambling for capital from tight-fisted investors, fighting off fierce competition in low-margin markets, and slashing expenses to reduce burn rate, who has time to build a broadband security offering from scratch?

Spectrum DSL CTO John Virgolino put it succinctly: "We're a broadband provider, and we wanted to continue to focus on that, but we know that security is very important to our customers. We wanted to find a partner to provide security for our customers, 24x7, without requiring us to do a lot of the work." And so, Spectrum DSL joined DefendNet Solutions' channel partner program.

Offering Security With Minimal Investment
Today, a growing number of managed Internet security providers stand ready to help DLECs deliver secure broadband services. Companies like ISS Managed Security Services, MyCIO.com, RipTech, Telenisus, and DefendNet take care of the security grunt work for broadband providers. They supply firewalls, VPN devices, anti-virus software, content filters, and/or intrusion detection. They provision and remotely monitor these security solutions 24x7 from a well-appointed (usually redundant) Security Operations Center (SOC). Many offer penetration testing and incident response services, backed by an expert staff. And of course, regular usage and incident reports.

And what role do the DLECs play? They lead the security provider to the broadband customer. While the specifics of each partner program differ, the overall approach is common: the DLEC sells the security service, and takes a cut of the recurring fees charged for security services. According to DefendNet co-founder Vincent Giordano, "Channel partners of course want value for offering our service. We can offer them a 30% return, which we think is very significant."

The Business Case
CLECs want to deploy value-added services to increase profitability without spending a lot of money - and they want to do it today. "Everyone in the CLEC business really has to offer value-added services - it's just a matter of who gets to market with them first," said Giordano.

"There's also been a lot of turbulence in this market, and many CLECs are distracted by more pressing issues," said Giordano. "The CLECs who aren't distracted don't want to spend a lot of money on technology they aren't really sure about. They can't afford to spend critically important capital that's badly needed elsewhere."

DefendNet's answer is a four-product security suite, based on customer premises equipment:

1. SecureInternet-100 ($249/month) protects 10-50 nodes with an ICSA-certified firewall, monitored 24x7.

2. SecureInternet-250 ($499/month) covers 50-250 node networks, adding web filtering and vulnerability assessment services.

3. SecureInternet-500 ($999/month) is geared for larger networks, with options for virus protection, load balancing, high availability. All three SecureInternet services can be upgraded with VPN options.

4. Managed Anti-Virus is also available on its own for $249/month.

Channel partners deliver these services, bundled or a la carte, as private label offerings. DefendNet provides training during service launch, followed by sales/marketing and customer support thereafter. DefendNet pockets 70% of each monthly fee; the remainder falls through directly to the partner's bottom line.

According to DefendNet, partners can offer service in as little as one month with zero capital investment. Or roll your own and spend over $2M on software, hardware, and operations staff to deliver service nine months down the road. A compelling business case with plenty of margin.

What DLECs Are Saying
Ionex Telecommunications delivers business-grade broadband services in 14 states today, from Texas to Minnesota to Montana. According to Giordano, Ionex snapped DefendNet's offering directly into its program. "Security is a natural add-on to bandwidth offerings."

Phillip Curtis, Ionex Data Products Director, elaborated. "DefendNet contacted us because we were a data CLEC that might want to offer some type of managed security service. It didn't take much for me to jump all over this opportunity because one of our gaps was managed security," said Curtis. Ionex DSL services are geared to the small-to-medium business, primarily those with 3-24 access lines per location, although some customers exceed 100 lines. "For Ionex to be a fully-integrated solutions provider, we needed to provide our customers the ability to secure their links, and to have those security services managed remotely," said Curtis.

Ionex is now evaluating candidates for DefendNet's services. "Our customers in banking and real estate have many branch offices that tie into headquarters," said Curtis. "Given the nature of the data exchanged between these offices, customers have a strong need to protect these links with firewall and intrusion detection services. With a managed security offering, these links can be proactively managed, 24x7. VPN is another value-added service that we'll be able to offer, providing an added measure of security for remote access."

Ionex chose to partner because, "With DefendNet, we can provide security in more areas than we'd be able to address on our own. Speed to market is another consideration. And, by partnering, we're better able to focus on our own core offering: next generation voice over DSL services," said Curtis.

Challenges thus far? According to Curtis, "DefendNet is geared to customers with 10+ locations. We need a solution that can address all of our target markets. We're working with DefendNet to put together more cost-effective entry-level managed security for companies with fewer than 10 locations."

Tapping The Low-End Market
In fact, DefendNet recently announced a suite of network-based offerings, based on Nortel's Shasta Broadband Service Node. According to Giordano, "If you cut it by cost, customers who want to pay $200-$100/month for security really have to deploy a network-based solution. At that price, it's just not effective to deliver a service by touching the customer's network. You've got to deliver this service from the head-end."

Available in 1Q01, network-based features will be comparable with existing CPE-based offerings. "But, because you don't need to touch the customer's network, you can save a lot of money," said Giordano. "We're already making good profit at $250 with CPE; costs will be significantly less with network-based services. Customers want to buy security as an option with their DSL - they're willing to pay a step-up for security, but not double or triple the cost."

DefendNet is pursuing two deployment models. "First, we can install Shasta at the partner's data center. The partner has dedicated use and they pay us to manage it for them," said Giordano. "Second, we can provide virtual services to channel partners by deploying Shasta at a peering point like Exodus." In this case, there are two hops: one from customer to POP, a second from the POP to the Shasta. The second hop can either be tunneled with CPE, or ride over a private circuit.

According to Giordano, Florida Digital Networks and Exodus are involved in network-based trials now. "We're in very initial phases of deployment. We've gone through alpha and are now in beta with Exodus. Florida Digital is just now starting; the network-based solution is a great fit for their market."

Giordano expects network-based services to attack a customer base with that can't be reached with CPE. "In an installed base, this gives you a way to go back and capture a significant market share with value-added services. We think it's a good solution for price-conscious buyers. By offering CPE and network-based services, we've got both ends of the spectrum covered."

Making DSL More Marketable
According to Spectrum DSL's Virgolino, "The Nortel approach is an intriguing idea. We're researching the viability of this. If it's something we can integrate with DSL aggregation, that's certainly interesting from a scale point of view."

Spectrum offers DSL, T1/T3, dial, and hosting services in the NY metro area. "We're finding there's a lot of emphasis on security with always-on services. We want to make sure that our customers are protected," said Virgolino. "DefendNet lets us put an appliance on site to protect DSL access, and also lets us offer anti-virus. We're looking to take advantage of other services in the future - IDS for medium-to-large customers, a lower-end solution for smaller companies (5 and under)."

Virgolino notes that some broadband providers are recommending personal firewall software. "Security experts are saying that personal firewalls are OK, but not enough," said Virgolino. "The closer we can get to offering true firewall and VPN services, the more value we'll add. Security is more important than many people think, and our ability to offer secure broadband services puts us ahead of the competition."

Creating Partnerships
To expand into new markets, providers are aggressively courting many different types of partners: security consultants, systems integrators, ISPs, ASPs, and carriers. ISS partners include Ameritech, BellSouth Business Internet Services, Embratel, Qwest Communications International, and Globix. Telenisus partners include tier one IP broadband network service provider NetRail. In December, DefendNet announced yet another DLEC partner: IP Communications. And the list goes on.

Entering into a channel partner relationship is not something any carrier should take lightly. According to Virgolino, "Some providers like the try-and-buy approach, but we don't follow that philosophy. We're looking to get into voice services, and we don't want to go back to our data customers as say 'Never mind, we're not going to offer security anymore." We felt our relationship with DefendNet was strong enough to go ahead with customer deployment. Our provisioning, technical support, and accounting teams have worked to get themselves integrated. Now it's just a matter of selling."

Lisa is vice president of Core Competence, a network consulting firm located in Chester Springs, PA.  She has been involved in OSS design and development for local and inter-exchange carriers for nearly a decade.