Farming Out Security: How to Choose a Service Provider
Outsourcing IT security functions can succeed if you choose the right services and ask the right questions.
Computerworld - Many companies outsource some or all IT security responsibilities to a service provider. But IT managers who have been down this road say it's important to know what to outsource, what the conditions should be and how to set up the contract for a successful outcome.
Outsourcing IT security can work, many users say. Successful arrangements can lower security costs and make up for a lack of in-house expertise. Users disagree on some details, such as whether to use more than one managed security service provider (MSSP), but they also offer specific advice on dealing with liability issues, which services to outsource and how to hold vendors accountable.
"It's better to have one MSSP and to have done the due diligence to trust them -- and you are trusting them a lot," says Jeff Nigriny, chief security officer at Exostar LLC in Herndon, Va. Exostar, an online exchange for the aerospace and defense industries, outsources some IT security functions to TruSecure Corp. in Herndon.
"I like the idea of one neck to grab," says David MacLeod, chief information security officer at The Regence Group, a Portland, Ore.-based health insurance firm that outsources security to Counterpane Internet Security Inc. in Cupertino, Calif.
More Than One Basket
But not everyone thinks the single-vendor approach is best. Eric Ogren, an analyst at The Yankee Group in Boston, advocates using more than one outsourcer to provide checks and balances and even recommends switching vendors every few years. "It is never good to have all of your security eggs in one basket," he says.
And even though he works at a security services provider, Joel Pogar, security practice manager at Siemens Information and Communication Networks Inc. in Boca Raton, Fla., says it's a bad idea to hand over all the keys to one provider. He says that's like having "the wolf watching the henhouse."
Customers often pick only one security outsourcer to save money, Pogar says, because outsourcing more security functions to a single provider tends to cost less than paying several vendors for the same services.
Pogar says customers are so worried about keeping costs down that they often use the outsourcer that handles password management and patch upgrades to audit their own work. "I strongly object to that," he adds.
MSSP contracts strictly limit liability. "I don't think there is any liability with the outsourcer other than me yelling at them" for network security breaches or other problems, says Bob Breeden, special agent supervisor for the Florida Department of Law Enforcement in Tallahassee. Breeden uses TruSecure to provide alerts of a virus or new vulnerability.
"You won't get anybody to say they'll take responsibility if you have damages" from a security failure, adds Paul Prentice, manager of security and directory services at office furniture maker Steelcase Inc. in Grand Rapids, Mich. Steelcase outsources IT security to Ubizen Inc. in Reston, Va. The usual position of outsourcers, he says, "is more of, 'We'll work with you and provide monitoring and detection.' ... But that's the point where they draw the line."
Organizations do have alternatives beyond the limited liability that outsourcers offer, however. Nigriny says that if something goes wrong in a given month, Exostar's recovery from TruSecure is capped at what it pays the provider for outsourcing that month. But he also carries hacker insurance to cover losses on Exostar's internal network, and because Exostar has outsourced to an MSSP, he receives a discount on that policy, Nigriny says.
MacLeod agrees that an outsourcer's liability is limited, but he says his vendor was helpful when a problem came up. In 2001, Counterpane helped defend the credibility of Regence's security logs shortly after their outsourcing arrangement began, he says. Two Regence employees were fired for compromising the firm's network, and both filed wrongful termination claims. The former employees lost their cases partly because the security logs were accepted as evidence with the backing of Counterpane, he recalls.
To make up for liability limitations, Ogren suggests companies demand upfront that the outsourcer commit in the contract to reasonable staffing levels with qualified workers and to agreed-upon levels of responsiveness to security events.
Steelcase's Prentice says he scoured resumes of outsourcers' staffs in the selection process to help make up for the lack of legal accountability.
Who Handles What
Users and analysts say that outsourcing security duties such as the monitoring and management of firewalls and intrusion-detection systems (IDS) doesn't mean walking away from internal responsibilities. "You cannot outsource risk," says Ogren. "You should never outsource everything."
In a typical arrangement, users say, the outsourcer should set out guidelines for how involved its service will be. In every case, the customer should initially retain sign-off authority on security actions; only once an action has become routine should the customer let the MSSP carry it out without review.
Prentice warns against picking an outsourcer that sets up the decision-making process in a "very rigid and structured way." Steelcase and Ubizen have agreed on three levels of change control: standard, unusual and problematic. When changes are requested in the security infrastructure or policy that are labeled "problematic," Ubizen is saying, "You shouldn't do this because it will put you at risk." And at that point, Prentice is informed about the process. "I do get the ultimate sign-on with a security change, depending on the risk, and I decide what does this mean to the business," he says.
Deciding what to include in an outsourcing deal varies by organization. For example, at health insurer Regence, federal HIPAA requirements have led to an evaluation of what security tasks can be outsourced. "Because we are under HIPAA, I am the designated jailbird, so I'm not comfortable abdicating the protection of the electronic perimeter, our technology safeguards or administrative procedures," says MacLeod. "I'm not going to let somebody else do that." As a result, Counterpane monitors the perimeter but doesn't manage it without asking first.
Nigriny says no client in an outsourcing deal should ever give away security control of infrastructure pieces or anything of competitive advantage. "If you are an ASP and host applications, don't outsource security of those to an MSSP," he says.
Because security is a differentiating factor for Exostar, the company doesn't want to outsource security involving its online exchange to TruSecure. Instead, TruSecure provides monitoring, firewall and IDS management and maintenance for Exostar's corporate network but not its hosted applications. "The idea is that you want to carry out the management directives," Nigriny adds.
Becky Autry, CIO at the U.S. Olympic Committee in Colorado Springs, says the outsourcing relationship can evolve, as the vendor proves its abilities. The USOC uses a broad spectrum of security services from AT&T Corp., partly because it's a small nonprofit and its IT staffers "wear a lot of hats," Autry says.
When the USOC started using AT&T in 2000, AT&T had to notify USOC staff before making any changes to network security, but AT&T now has the authority to make changes in the middle of the night without prior approval "if they see the potential for danger," says Autry.
Dan Klinger, manager of information security at Hershey Foods Corp. in Hershey, Pa., uses a Web-based auditing tool from Qualys Inc., in Redwood Shores, Calif., but no other services. "We want to hold onto most security in-house, since we know our environment best and how to prioritize our vulnerabilities," Klinger says. "I'm not close-minded to the concept of outsourcing security, but overall I'm very cautious."
Users and analysts say the best way to ensure accountability with an outsourcer is to set terms in the contract that dictate how often and for what purposes reporting will take place and to then study those reports carefully.
Kelly Kavanagh, an analyst at Gartner Inc., adds that it is also worth asking for Web-based reporting tools, which let the customer periodically scan the network perimeter and confirm that outsourced devices are configured correctly.
Some users set up their own monitoring tools. For example, Regence's security logs are generated by its own systems, and Regence employees periodically review security events to see how Counterpane handled them. MacLeod has a five-person staff that does audit and compliance checking. "They are my friendly hackers," he says.
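One concrete form of the check described above, reconciling the customer's own security-event records against the provider's acknowledgment log to see whether each event was handled within the contracted response time, is shown below. This is an added example, not code from Computerworld or from any of the providers or customers named in the article. It assumes two constructed inputs, an internal event log in the form "timestamp event_id severity description" and an exported MSSP ticket list in the form "ticket_id,event_id,acknowledged_at", plus hypothetical per-severity response targets; real contract terms and export formats will differ.

```python
"""Reconcile internal security events against an MSSP's acknowledgment log.

Added example. The log formats and the response-time targets below are
assumptions made for illustration, not any real provider's contract.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical contracted response times by severity (assumption).
SLA_RESPONSE = {
    "critical": timedelta(minutes=15),
    "high": timedelta(hours=1),
    "medium": timedelta(hours=4),
}

# Constructed internal event log: "ISO8601 event_id severity description".
INTERNAL_LOG = [
    "2024-03-01T02:00:00 EV-1001 critical ids: outbound connection to known C2",
    "2024-03-01T02:10:00 EV-1002 high firewall: repeated admin-port login failures",
    "2024-03-01T03:00:00 EV-1003 medium ids: port sweep from partner subnet",
    "2024-03-01T04:00:00 EV-1004 high firewall: rule change outside maintenance window",
]

# Constructed MSSP ticket export: "ticket_id,event_id,acknowledged_at".
MSSP_TICKETS = [
    "T-551,EV-1001,2024-03-01T02:09:00",   # acknowledged in 9 minutes
    "T-552,EV-1002,2024-03-01T03:40:00",   # acknowledged after 90 minutes
    "T-553,EV-1003,2024-03-01T05:30:00",   # acknowledged after 2.5 hours
    "T-554,EV-9999,2024-03-01T04:30:00",   # ticket with no matching internal event
    # EV-1004 has no ticket at all
]


@dataclass
class Finding:
    event_id: str
    severity: str
    detected: datetime
    acknowledged: Optional[datetime]
    status: str              # "ok", "late", "unacknowledged" or "no_sla"
    delay: Optional[timedelta]


def parse_internal(lines: List[str]) -> Dict[str, Tuple[datetime, str]]:
    """Map event_id -> (detection time, severity) from the internal log."""
    events: Dict[str, Tuple[datetime, str]] = {}
    for line in lines:
        ts, event_id, severity, *_description = line.split()
        events[event_id] = (datetime.fromisoformat(ts), severity)
    return events


def parse_mssp(lines: List[str]) -> Dict[str, datetime]:
    """Map event_id -> acknowledgment time from the MSSP ticket export."""
    acks: Dict[str, datetime] = {}
    for line in lines:
        _ticket_id, event_id, ack_ts = line.split(",")
        acks[event_id] = datetime.fromisoformat(ack_ts)
    return acks


def reconcile(internal: Dict[str, Tuple[datetime, str]],
              mssp: Dict[str, datetime],
              sla: Dict[str, timedelta] = SLA_RESPONSE) -> List[Finding]:
    """Compare each internal event with the provider's acknowledgment and rate it
    against the contracted response time for its severity."""
    findings: List[Finding] = []
    for event_id, (detected, severity) in sorted(internal.items(), key=lambda kv: kv[1][0]):
        ack = mssp.get(event_id)
        if ack is None:
            findings.append(Finding(event_id, severity, detected, None, "unacknowledged", None))
            continue
        delay = ack - detected
        limit = sla.get(severity)
        if limit is None:
            status = "no_sla"          # severity not covered by the contract table
        else:
            status = "ok" if delay <= limit else "late"
        findings.append(Finding(event_id, severity, detected, ack, status, delay))
    return findings


def unmatched_tickets(internal: Dict[str, Tuple[datetime, str]],
                      mssp: Dict[str, datetime]) -> Set[str]:
    """Event ids the provider ticketed that never appeared in the customer's own log."""
    return set(mssp) - set(internal)


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per status, for the periodic accountability report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


if __name__ == "__main__":
    internal = parse_internal(INTERNAL_LOG)
    mssp = parse_mssp(MSSP_TICKETS)
    for f in reconcile(internal, mssp):
        print(f"{f.event_id} {f.severity:8} {f.status:14} delay={f.delay}")
    print("unmatched provider tickets:", sorted(unmatched_tickets(internal, mssp)))
    print("summary:", summarize(reconcile(internal, mssp)))
```

The point of keeping the detection record on the customer's side, as Regence does, is that the comparison is made against logs the provider cannot edit; a ticket the provider opened for an event the customer never recorded (EV-9999 above) is worth a follow-up as much as a missed or late acknowledgment is.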