Legal Insecurities Stymie Web Site Outsourcing Deal

Major security concerns take a back seat as ASP and corporate lawyers argue over minute details

September 03, 2001 (Computerworld) -- My organization is changing rapidly these days. We're selling our key technology in several global markets, and we're looking for ways to improve the way we work. One avenue is through outsourcing.
After an internal debate about outsourcing our security monitoring work, we concluded that the time wasn't yet right. However, we are ready to outsource other technologies. These aren't core to our business, and they're expensive and difficult to do properly. One such technology is our outward-facing Web site.

THIS WEEK'S LINKS

Want to know which legal security issues might affect your organization? From HIPAA to the Gramm-Leach-Bliley Act, you’ll find the details in the Bethesda, Md.-based SANS Institute’s Information Security Reading Room.

Look here for a useful collection of links about important legal security issues.

SECURITY BOOKSHELF:

Know Your Enemy,
by Lance Spitzner, (Addison-Wesley, 2001) is an offshoot of the Honeynet Project and sets out to explain some of the knowledge the project leaders have gained from running a honeynet.

Like a honeypot, a honeynet tries to trick an attacker into wasting time and revealing his hand by attacking a fake system. But a honeynet does this on a much larger scale: It appears to be a whole company online, complete with Web, e-mail and domain-name servers.

Spitzner runs an excellent Web site, but the book is disappointing. The writing is stilted and highly repetitive. What’s worse, the book takes a fascinating and enthralling project and trivializes it to a simplistic technical write-up and then pads it out with pages and pages of filler.

The project leaders obviously learned from many failures, but we never get to hear about them. Instead, we get the lessons learned in dry, technical prose. This book fails to capture their pioneering spirit and the risks they took to gather valuable knowledge. That’s a pity, because both the technical knowledge and the personal experience of running the Honeynet Project are fascinating.
It sounds like a very simple task, outsourcing a straightforward service. But the use of an outside vendor raises a range of security concerns that need to be addressed in service-level agreements (SLAs) and legal contracts. Before we can deal with those problems, however, we have to select a supplier, which leads to more legal issues.
Before I specialized in security, my professional background was dark and mysterious. I used to be heavily involved in network provision to the academic community, and as part of this, I was once very senior in the world of domain-name services. This experience encouraged my naturally strong cynicism, as I could have domain-squatted on some now very high-value domains but instead kept the spirit of the early Internet and left them for others to profit from.
Years after leaving the academic world, I became a hard-nosed operations manager at a large retail Internet service provider. This experience has made me the Internet expert at several companies, including my current employer.
So not only am I reviewing the security of external providers as the security manager, but I'm also busy measuring them against our service requirements and helping in the design of the outsourced servers and network. Or I would be, if we and the service provider could agree on an appropriate nondisclosure agreement (NDA).
The providers won't tell us anything about their services unless a bit of paper is signed by both sides. This is ludicrous.
On their side, the suppliers are only telling us information that's freely available on their Web sites. I understand security and know the value of keeping quiet, but I also know that everyone gossips.
The financial services business is very incestuous - whatever the teams involved learn about one another will inevitably be discussed in bars and used on future projects. We all know this, yet, nonsensically, we all still demand the signed agreements.
I can only think that this requirement originated externally - do shareholders demand this sort of thing? Maybe the regulators investigate to ensure this kind of protection is in place. Or it could even be that this kind of documentation has become fashionable. Whatever the reason, if one side asks for it, you have to ask for one in return. It's part of the negotiation dance.
Unfortunately, we've managed to get into a tricky position. Our first project manager pulled some NDA agreements from somewhere and sent them to the suppliers. Then he left the company. Normally, that wouldn't delay a project, but he sent out the NDAs before getting them signed by our directors. When the NDAs came back with the suppliers' signatures, our legal team promptly rejected them, because they hadn't originated in the legal department.
So now we have a handful of annoyed vendors who, after signing the agreements we sent them, are wondering why we're now approaching them with a different set of documentation.
Financial services firms are under weird restrictions regarding their customer data, so we demand that everyone who receives our confidential information protect it forever. This is unreasonable, since I really don't think anyone is going to care what operating system we want for our Web servers.
Dances With Lawyers
Once we make it through the NDA minefield, we enter the twilight world of legal negotiations for the contracts and SLAs. A master of the field taught me a few tricks of commercial negotiations about which I feel confident, but the legal details just don't make sense.
On the commercial side, other than the list price nonsense, both sides seem to approach negotiations with good sense. One vendor's representatives quote a price, and we reach a consensus. We don't offend them by suggesting that we should get it for free, and they don't offend us by trying to rip us off. However, legal negotiations seem to begin with everyone doing their best to offend the opposing side.
The vendor wants to have our business but always proposes a laughable starting point. For example, it asks us to indemnify it from any losses for use of the service, while warranting nothing about the service. And then we respond with our opening position: We offer no indemnity and demand extreme and unrealistic warranties about the service. Starting with such unreasonable positions, it takes a long time to reach a mutual agreement.
Maybe the problem is that we bother to read and check these details; we regularly find typos and sections that just don't make sense because vendors have reversed the wording. Do they never correct their template, or are we the only people who check these things?
I realize that we all have to protect ourselves from unreasonable actions. I realize that the dance of legal negotiations has evolved into its current state, which works for the lawyers involved. But from a business perspective, assuming that everyone is going to be unreasonable while trying to behave unreasonably ourselves - and hoping we can get away with it - makes little sense.