Outsource security with care, conference attendees warn

What you outsource and to whom are key considerations in security contracts

December 10, 2001 12:00 PM ET

Computerworld - When it comes to outsourcing security functions to a third party, look before you leap. That was the advice of users and analysts at the Infosecurity Conference and Exhibition in New York last week.

Despite the apparent management benefits that can be gained by handing over security functions to service providers, companies are asking for trouble if they don't pay close attention to what they outsource, the terms and conditions of their contracts and to whom they outsource, said conference attendees.

"Most companies tend to outsource before they have thought through what they want," said Steve Hunt, an analyst at Cambridge, Mass.-based Giga Information Group Inc., during a conference session on the topic. "To some degree, all they are doing is surrendering their security [to service providers]."

The concerns come at a time when a growing number of corporations are looking to hand over security tasks to service providers. The market for managed security services is expected to top $17 billion by the end of 2004 as a result of a deepening skills shortage and the complexity of managing enterprise security environments, according to Framingham, Mass.-based IDC.

The focus of many outsourcing arrangements is usually on protecting against viruses, worms and malicious hackers, rather than on addressing business concerns such as financial loss or a compromise of customer privacy as a result of a security breach, Hunt said.

"The whole concept has been on building a security bubble around all of your IT assets," said Edward Carubis, CIO at New York City's Department of Health.

Most outsourced services are directed at building defenses such as firewalls and intrusion-detection services from the network perimeter in. Instead, the effort should be on "building out your defenses from the inside" by focusing on each information asset, Carubis explained.

It's also important to distinguish between tactical and strategic security functions when outsourcing, according to Susan Read-Miller, an analyst at eSecurity Online, a security services subsidiary of Ernst & Young LLP in Kansas City, Mo.

For instance, a firewall that functions as the last line of defense in front of a vital database is strategic, but a firewall at the outer perimeter of a network isn't and may be outsourced, Hunt said.

He suggested that companies pay attention to the following things when outsourcing their security functions:

  • Outsource only the tactical and temporary tasks. Any security function that involves the protection of strategic assets needs to be kept in-house.
  • Review all terms and conditions as well as service-level agreements. Try to avoid long-term contracts.
  • Avoid conflicts of interest when signing up with service providers. For instance, don't let firewall services be handled by the same vendor that provides intrusion-monitoring services. Use separate vendors for vulnerability analysis and penetration testing.
  • Use due diligence. For example, before forking out large sums of money for vulnerability assessments, be sure to take obvious steps such as patching software, ensuring strong passwords and closing open ports. Only then hire a vulnerability assessment service to find out if anything has been missed.
  • Check the vendor. Ask for references, and make sure the company has a specific understanding and knowledge of your business.