Earlier, my colleague Eyle wrote (in Dutch only) about the Firewall pilot in which we are investigating technologies that can be used to make Firewall-as-a-Service possible. But what exactly are the needs of the institutions with respect to such a service? To answer this question, we carried out research among MBO institutions and are also going to test this in the case of HBO institutions.
We initially visited 8 institutions. From these discussions we can conclude that there are different needs for a Firewall-as-a-Service service. The outsourcing strategy of the institutions plays an important role here. Based on the 8 interviews we can roughly distinguish three variants of this service:
An institution that would like to outsource everything would prefer to have a Firewall in which the responsibility for management, security advice and a translation thereof lies with SURF. Here, there is a need for a Managed Firewall.
Institutions that are open to outsourcing, but do not necessarily have a clear strategy for doing so, usually decide on a case-by-case basis whether to purchase a service from SURF. The Firewall service must then offer sufficient added value and should not be more expensive than their current solution. They see the added value in management and the ability to flexibly scale up capacity and functionality. They also want SURF’s security advice, but they do want to retain control of the security policies and their implementation. They say: “We receive a lot of security advice from market parties but do not know whether we can trust them”. As far as policy is concerned, these institutions want to be at the helm themselves, because there are many dependencies on their internal network, services, and applications in which SURF does not currently play a role. A Basic Firewall, a ‘first line of defense’, can offer a solution here. Another use case we have heard is the desire to off-load some of the functionality or capacity of an institutional firewall to a SURF Firewall.
There are also institutions that would like to continue to do everything themselves, including setting up and managing a Firewall. They have security expertise and administrators in-house. A Do-it-Yourself (DIY) Firewall offers a solution for these institutions. They can set up and manage these themselves, and at the same time they are free of the procurement burden and vendor lock-in. A DIY Firewall could allow them to access pay-per-use utility models.
We also surveyed what institutions understood by ‘secure internet’. The common denominator is that this is filtered internet that stops existing and potential threats. But how and to what extent the filtering should take place, and who carries out control over it, varies from one institution to another.
In order to be able to make a reliable statement about the wishes and needs of (all) institutions, a broader study was needed. That is why we used the insights from this qualitative research in a quantitative study, a survey, among (initially) the MBO institutions, the sector from which the question of Firewall as a Service originated. The aim of this research was to gain insight into which service variant is most promising and, if there is sufficient interest for a (possible) new service.
The most important results of the research within the MBO sector:
- 25 respondents (out of 43) completed the survey.
- 88% of the respondents do not want to do everything themselves when it comes to firewalling.
- 41% experience the tendering process as a burden when outsourcing firewalling.
- 73% want the operational management of the firewall to be a part of the outsourcing.
- 68% wants to be able to flexibly scale-up capacity when outsourcing.
- 81% wants to be able to flexibly scale-up functionality when outsourcing.
- Only 18% would like to do software updates themselves in case of outsourcing.
- Only 10% wants to bring and use their own licenses in case of outsourcing.
- 78% finds it important to determine the policy themselves.
- 68% would like to outsource with particular attention to secure internet.
Basic Firewall most promising
As a result of the interviews, our expectation was that most MBO institutions would like to be completely relieved of their worries. However, the results of the survey show that they still want to keep control over matters such as security policy. That is why we expect the Basic Firewall to be the most promising in the mbo sector at the moment. They are happy to leave the implementation of this to SURF. Secure Internet is an important aspect which needs attention in this respect and can be included in the future development process of this service.
How to proceed now?
Using the insights from this study, we want to test whether the needs in higher professional education (HBO) and then the other sectors are comparable to those in senior secondary vocational education (MBO), or whether they are completely different. In the meantime, we will continue with the pilot in order to investigate which technology is the most suitable for building and designing a Firewall-as-a-Service service
Do you want to know more about Firewall-as-a-Service or do you have ideas and wishes about what the service should look like? Or are you an interested party from another sector, such as a university, research institute or a healthcare institution? Please contact me at email@example.com