How to Choose a Security Solution
NEC Security Blog, Feb 9, 2024
This blog covers the features and selection criteria of the various options for implementing security measures: built-in functions, in-house development, free tools, commercial products, and cloud services.
Security measures are implemented to address the risks to the information assets that exist in information systems and should be protected. These risks relate directly to the leakage or unauthorized modification of information assets, but from a business management perspective they lead to suspension of operations, loss of credibility, legal action, and so on. The response strategies for these risks can be categorized as avoidance, mitigation/reduction, transfer, and acceptance. In particular, when a mitigation approach is adopted to reduce the magnitude of the risk, introducing security measures becomes the option. However, implementing security measures can involve significant costs, such as product purchase and operating costs, so it is essential to address and reduce risks according to the situation while avoiding both insufficient and excessive countermeasures. In addition, many security features, such as encryption and access control, are provided as software implementations. Here there are various ways to introduce security features, including built-in functions, in-house development, free tools, commercial products, and cloud services. These options may seem similar because they are all software, but each introduction method has its own advantages and disadvantages. Even within our company, we sometimes see decisions such as "This security measure will be abandoned because of budget," "Choose a free tool because the introduction cost is low," or "Let's just choose a high-performance commercial product," but are these the most appropriate and cost-effective choices?
Therefore, in this article I will focus mainly on cost-effectiveness and explain the features of each method of introducing security features using software: built-in functions, in-house development, free tools, commercial products, and cloud services. Please note that this blog is not intended to recommend any specific technical field or product; rather, it takes a general perspective on the options available when considering the introduction of security features using software.
Built-in Functions
To meet their primary functional requirements, information systems are composed of physical devices and the combination of software and services running on them. These components, such as the OS (operating system), middleware, and applications, often include useful built-in security features. Security features such as password policy settings and encryption functions can be expected to be enabled at low cost through the commands and configuration operations already provided, without introducing additional software. Built-in security features therefore tend to be cost-effective and a good starting point. On the other hand, the required level of functionality may not be provided in some cases; if it is not, the approaches of incorporating additional software components into the system, discussed below, can be considered.
In-house Development
If it is difficult to take measures with built-in features alone, dedicated components (tools, services, etc.) with security features must be prepared in some way. One approach is to develop the needed features in-house. While this approach has the great advantages of allowing flexible development against any functional or non-functional requirement, ensuring transparency of specifications, and accumulating knowledge within the company, it tends to require a lot of time and effort in terms of capital investment, human resource development, and operating costs. Hence, in-house development can be expected to have a higher return on investment if it is prioritized for features related to the company's competitive advantage. This approach may therefore be reasonable when there are specific security requirements or when developing features to be used as part of the company's own services or products. In general, however, it is important to note that the objective of introducing security features is to protect the information assets of an information system, and the cost-effectiveness of in-house development may not always be justified.
Commercial Products
There are two main ways to outsource security features: introducing security products provided by other companies, and utilizing free software or OSS, which is described later. Commercial products vary in features and licensing models, but they are generally highly functional and come with maintenance and support services. In addition to protecting information systems, the ability to obtain professional support even in the event of a product failure is also attractive. In particular, security product vendors and security service providers have accumulated technical capabilities and expertise, and introducing a commercial product may provide a higher level of effectiveness than starting from scratch in-house. However, since the initial investment, such as the purchase cost of the product, is relatively high, commercial products may have excessive functions for systems for which it is difficult to secure a budget or that do not have high security requirements. Additionally, commercial products tend to have limited scope for functional enhancement, and problems are difficult to solve in-house because the internal specifications are not disclosed.
Free Tools
Free software and OSS are basically available at no cost, although depending on the type of license there are restrictions such as the prohibition of commercial use. The fact that the introduction cost itself can be saved is a major advantage over commercial products. Functionality and quality depend on the developer community, but in some cases they are sufficiently ensured by the improvements and tests contributed by many engineers. In addition, the source code of OSS is publicly available, so it is quite possible to make changes for functional enhancements as necessary.
One thing to note about free tools is that, unlike commercial products, they are not supported by a vendor. This means the tool must be fully introduced, operated, and managed in-house, which may cost a lot of money, including human resource training, if the organization does not have the necessary expertise itself.
Cloud Services
In recent years, using security features provided as a cloud service has become an option. Such services basically have the same characteristics as other cloud services. The advantages are that no infrastructure management is required when introducing the service, and that the usage cost is easy to reduce thanks to pay-as-you-go pricing (depending on the license type of the service, there are cases where it is not pay-as-you-go). Furthermore, cloud services provided by the same cloud service provider have a high affinity with each other and tend to be suitable for shortening introduction time and for integrated management.
On the other hand, there are some considerations to keep in mind when using cloud services. For example, access must be via the Internet, and the laws and regulations of the region where the data is stored must be considered. In addition, to use the service appropriately, it is necessary to understand the shared responsibility model. Even if many management areas are the responsibility of the cloud service provider, neglecting management in the areas entrusted to the user can render the service ineffective and can itself become a security defect. For example, access to the management console can affect not only operations on the security service itself but also the internal systems connected to it via the network, so the authentication and authorization functions provided to the user must be properly managed. In addition, for services that monitor systems in operation, the setting of specific monitoring policies is in some cases entrusted to the user side. If these aspects are overlooked before introduction, there may be unexpected risks and costs.
Fully Managed Services
This is a little different from the approaches outlined so far, but I would like to touch on fully managed services as a related service. As mentioned earlier, introducing and managing security features can involve a considerable amount of human resources and operational cost. Fully managed services are not limited to commercial products and free tools; they also allow organizations to outsource the operation and maintenance work that would otherwise be done within the organization. This can be an effective option when it is difficult to secure enough human resources within your organization or when there is a lack of expertise in using the tools.
However, because of their comprehensive support content, it is important to note that fully managed services may come at a higher cost, and that knowledge will not be accumulated within the organization from a medium- to long-term perspective.
While many fully managed services are bundled with commercial products or cloud services, depending on the OSS provider there are also cases where a certain amount of support is provided on a paid basis.
Summary
In this blog, I focused on the methods of introducing security features using software and explained their advantages and disadvantages. When considering introduction, it is easy to focus on the features of the tool and the initial cost, but there are other factors to consider as well, and these factors are essential for estimating cost-effectiveness in advance. In cases where budgets are generous or high-level security features are required, introducing commercial products may be an option; in that case, it is important to verify that the products provide the desired features and support and do not include excessive functions. On the other hand, if the budget is limited, it may be possible to introduce alternative countermeasures such as built-in functions, OSS, and cloud services rather than abandoning the introduction of security measures. Of course, the importance of the information assets being handled and the required security features vary, and there may be other considerations such as the balance with multi-layered defense and compatibility with the information system under development. The viewpoints mentioned above should not be the only factors considered when selecting security features, but they can be a useful perspective when evaluating methods of introducing them.
Profile

Kota Morimoto
Security Engineering Center, Security Implementation Technology Architecture Group
He promotes the NEC Group's secure development and operation.