Farming Out Security: How to Choose a Service Provider
Outsourcing IT security functions can succeed if you choose the right services and ask the right questions.
Computerworld - Many companies outsource some or all IT security responsibilities to a service provider. But IT managers who have been down this road say it's important to know what to outsource, what the conditions should be and how to set up the contract for a successful outcome.
Outsourcing IT security can work, many users say. Successful arrangements can lower security costs and make up for a lack of in-house expertise. Users disagree on some details, such as whether to use more than one managed security service provider (MSSP), but they also offer specific advice on dealing with liability issues, which services to outsource and how to hold vendors accountable.
"It's better to have one MSSP and to have done the due diligence to trust them -- and you are trusting them a lot," says Jeff Nigriny, chief security officer at Exostar LLC in Herndon, Va. Exostar, an online exchange for the aerospace and defense industries, outsources some IT security functions to TruSecure Corp. in Herndon.
"I like the idea of one neck to grab," says David MacLeod, chief information security officer at The Regence Group, a Portland, Ore.-based health insurance firm that outsources security to Counterpane Internet Security Inc. in Cupertino, Calif.
More Than One Basket
But not everyone thinks the single-vendor approach is best. Eric Ogren, an analyst at The Yankee Group in Boston, advocates using more than one outsourcer to provide checks and balances and even recommends switching vendors every few years. "It is never good to have all of your security eggs in one basket," he says.
And even though he works at a security services provider, Joel Pogar, security practice manager at Siemens Information and Communication Networks Inc. in Boca Raton, Fla., says it's a bad idea to hand over all the keys to one provider. He says that's like having "the wolf watching the henhouse."
Customers often pick only one security outsourcer to save money, Pogar says, because outsourcing more security functions to a single provider tends to cost less than paying several vendors for the same services.
Pogar says customers are so worried about keeping costs down that they often use the outsourcer that handles password management and patch upgrades to audit their own work. "I strongly object to that," he adds.
MSSP contracts strictly limit liability. "I don't think there is any liability with the outsourcer other than me yelling at them" for network security breaches or other problems, says Bob Breeden, special agent supervisor for the Florida Department of Law Enforcement in Tallahassee. Breeden uses TruSecure to provide alerts of a virus or new vulnerability.
"You won't get anybody to say they'll take responsibility if you have damages" from a security failure, adds Paul Prentice, manager of security and directory services at office furniture maker Steelcase Inc. in Grand Rapids, Mich. Steelcase outsources IT security to Ubizen Inc. in Reston, Va. The usual position of outsourcers, he says, "is more of, 'We'll work with you and provide monitoring and detection.' ... But that's the point where they draw the line."
Organizations do have alternatives beyond the limited liability that outsourcers offer, however. Nigriny says Exostar will get back no more than what it pays TruSecure for outsourcing should something go wrong in a given month. But he also has hacker's insurance to protect against losses in Exostar's internal network. And because he has outsourced to an MSSP, he receives a discount on that insurance, Nigriny says.
MacLeod agrees that an outsourcer's liability is limited, but he says his vendor was helpful when a problem came up. In 2001, Counterpane helped defend the credibility of Regence's security logs shortly after their outsourcing arrangement began, he says. Two Regence employees were fired for compromising the firm's network, and both filed wrongful termination claims. The former employees lost their cases partly because the security logs were accepted as evidence with the backing of Counterpane, he recalls.
To make up for liability limitations, Ogren suggests companies demand upfront that the outsourcer commit in the contract to reasonable staffing levels with qualified workers and to agreed-upon levels of responsiveness to security events.
Steelcase's Prentice says he scoured resumes of outsourcers' staffs in the selection process to help make up for the lack of legal accountability.
Who Handles What
Users and analysts say that outsourcing security duties such as the monitoring and management of firewalls and intrusion-detection systems (IDS) doesn't mean walking away from internal responsibilities. "You cannot outsource risk," says Ogren. "You should never outsource everything."
In a typical arrangement, the outsourcer should create guidelines for how involved the service should be, users say. In every case, they say the customer should initially maintain sign-off authority on security actions. Only when a security action becomes routine should the customer let the MSSP execute it without review.
Prentice warns against picking an outsourcer that sets up the decision-making process in a "very rigid and structured way." Steelcase and Ubizen have agreed on three levels of change control: standard, unusual and problematic. When a requested change to the security infrastructure or policy is labeled "problematic," Ubizen is in effect saying, "You shouldn't do this because it will put you at risk," and at that point Prentice is brought into the process. "I do get the ultimate sign-on with a security change, depending on the risk, and I decide what does this mean to the business," he says.
Deciding what to include in an outsourcing deal varies by organization. For example, at health insurer Regence, federal HIPAA requirements have led to an evaluation of what security tasks can be outsourced. "Because we are under HIPAA, I am the designated jailbird, so I'm not comfortable abdicating the protection of the electronic perimeter, our technology safeguards or administrative procedures," says MacLeod. "I'm not going to let somebody else do that." As a result, Counterpane monitors the perimeter but doesn't manage it without asking first.
Nigriny says no client in an outsourcing deal should ever give away security control of infrastructure pieces or anything of competitive advantage. "If you are an ASP and host applications, don't outsource security of those to an MSSP," he says.
Because security is a differentiating factor for Exostar, the company doesn't want to outsource security involving its online exchange to TruSecure. Instead, TruSecure provides monitoring, firewall and IDS management and maintenance for Exostar's corporate network but not its hosted applications. "The idea is that you want to carry out the management directives," Nigriny adds.
Becky Autry, CIO at the U.S. Olympic Committee in Colorado Springs, says the outsourcing relationship can evolve as the vendor proves its abilities. The USOC uses a broad spectrum of security services from AT&T Corp., partly because it's a small nonprofit and its IT staffers "wear a lot of hats," Autry says.
When the USOC started using AT&T in 2000, AT&T had to notify USOC staff before making any changes to network security, but AT&T now has the authority to make changes in the middle of the night without prior approval "if they see the potential for danger," says Autry.
Dan Klinger, manager of information security at Hershey Foods Corp. in Hershey, Pa., uses a Web-based auditing tool from Qualys Inc., in Redwood Shores, Calif., but no other services. "We want to hold onto most security in-house, since we know our environment best and how to prioritize our vulnerabilities," Klinger says. "I'm not close-minded to the concept of outsourcing security, but overall I'm very cautious."
Users and analysts say the best way to ensure accountability with an outsourcer is to set terms in the contract that dictate how often and for what purposes reporting will take place and to then study those reports carefully.
Kelly Kavanagh, an analyst at Gartner Inc., adds that it's also desirable to ask for Web-based reporting tools, which give the customer the ability to periodically scan the network perimeter and confirm that outsourced devices are configured correctly.
Some users set up their own monitoring tools. For example, Regence's security logs are generated by its own systems, and Regence employees periodically review security events to see how Counterpane handled them. MacLeod has a five-person staff that does audit and compliance checking. "They are my friendly hackers," he says.