Farming out security

Outsourcing IT security functions can succeed if you choose the right services and ask the right questions.

Many companies outsource some or all IT security responsibilities to a service provider. But IT managers who have been down this road say it's important to know what to outsource, what the conditions should be and how to set up the contract for a successful outcome.

Outsourcing IT security can work, many users say. Successful arrangements can lower security costs and make up for a lack of in-house expertise. Users disagree on some details, such as whether to use more than one managed security service provider (MSSP), but they also offer specific advice on dealing with liability issues, which services to outsource and how to hold vendors accountable.

"It's better to have one MSSP and to have done the due diligence to trust them -- and you are trusting them a lot," says Jeff Nigriny, chief security officer at Exostar LLC in Herndon, Va. Exostar, an online exchange for the aerospace and defense industries, outsources some IT security functions to TruSecure Corp. in Herndon.

"I like the idea of one neck to grab," says David MacLeod, chief information security officer at The Regence Group, a Portland, Ore.-based health insurance firm that outsources security to Counterpane Internet Security Inc. in Cupertino, Calif.

More Than One Basket

But not everyone thinks the single-vendor approach is best. Eric Ogren, an analyst at The Yankee Group in Boston, advocates using more than one outsourcer to provide checks and balances and even recommends switching vendors every few years. "It is never good to have all of your security eggs in one basket," he says.

And even though he works at a security services provider, Joel Pogar, security practice manager at Siemens Information and Communication Networks Inc. in Boca Raton, Fla., says it's a bad idea to hand over all the keys to one provider. He says that's like having "the wolf watching the henhouse."

Customers often pick only one security outsourcer to save money, Pogar says, because outsourcing more security functions to a single provider tends to cost less than paying several vendors for the same services.

Pogar says customers are so worried about keeping costs down that they often use the outsourcer that handles password management and patch upgrades to audit their own work. "I strongly object to that," he adds.

MSSP contracts strictly limit liability. "I don't think there is any liability with the outsourcer other than me yelling at them" for network security breaches or other problems, says Bob Breeden, special agent supervisor for the Florida Department of Law Enforcement in Tallahassee. Breeden uses TruSecure to provide alerts of a virus or new vulnerability.

"You won't get anybody to say they'll take responsibility if you have damages" from a security failure, adds Paul Prentice, manager of security and directory services at office furniture maker Steelcase Inc. in Grand Rapids, Mich. Steelcase outsources IT security to Ubizen Inc. in Reston, Va. The usual position of outsourcers, he says, "is more of, 'We'll work with you and provide monitoring and detection.' ... But that's the point where they draw the line."

Organizations do have alternatives beyond the limited liability that outsourcers offer, however. Nigriny says Exostar will get back no more than what it pays TruSecure for outsourcing should something go wrong in a given month. But he also has hacker's insurance to protect against losses in Exostar's internal network. And because he has outsourced to an MSSP, he receives a discount on that insurance, Nigriny says.

MacLeod agrees that an outsourcer's liability is limited, but he says his vendor was helpful when a problem came up. In 2001, Counterpane helped defend the credibility of Regence's security logs shortly after their outsourcing arrangement began, he says. Two Regence employees were fired for compromising the firm's network, and both filed wrongful termination claims. The former employees lost their cases partly because the security logs were accepted as evidence with the backing of Counterpane, he recalls.

To make up for liability limitations, Ogren suggests companies demand upfront that the outsourcer commit in the contract to reasonable staffing levels with qualified workers and to agreed-upon levels of responsiveness to security events.

Steelcase's Prentice says he scoured resumes of outsourcers' staffs in the selection process to help make up for the lack of legal accountability.

Who Handles What

Users and analysts say that outsourcing security duties such as the monitoring and management of firewalls and intrusion-detection systems (IDS) doesn't mean walking away from internal responsibilities. "You cannot outsource risk," says Ogren. "You should never outsource everything."

In a typical arrangement, the outsourcer should create guidelines for how involved the service should be, users say. In every case, they say the customer should initially maintain sign-off authority on security actions. Only when a security action becomes routine should the customer let the MSSP execute it without review.

Prentice warns against picking an outsourcer that sets up the decision-making process in a "very rigid and structured way." Steelcase and Ubizen have agreed on three levels of change control: standard, unusual and problematic. When changes are requested in the security infrastructure or policy that are labeled "problematic," Ubizen is saying, "You shouldn't do this because it will put you at risk." And at that point, Prentice is informed about the process. "I do get the ultimate sign-on with a security change, depending on the risk, and I decide what does this mean to the business," he says.

Deciding what to include in an outsourcing deal varies by organization. For example, at health insurer Regence, federal HIPAA requirements have led to an evaluation of what security tasks can be outsourced. "Because we are under HIPAA, I am the designated jailbird, so I'm not comfortable abdicating the protection of the electronic perimeter, our technology safeguards or administrative procedures," says MacLeod. "I'm not going to let somebody else do that." As a result, Counterpane monitors the perimeter but doesn't manage it without asking first.

Nigriny says no client in an outsourcing deal should ever give away security control of infrastructure pieces or anything of competitive advantage. "If you are an ASP and host applications, don't outsource security of those to an MSSP," he says.

Because security is a differentiating factor for Exostar, the company doesn't want to outsource security involving its online exchange to TruSecure. Instead, TruSecure provides monitoring, firewall and IDS management and maintenance for Exostar's corporate network but not its hosted applications. "The idea is that you want to carry out the management directives," Nigriny adds.

Earning Trust

Becky Autry, CIO at the U.S. Olympic Committee in Colorado Springs, says the outsourcing relationship can evolve, as the vendor proves its abilities. The USOC uses a broad spectrum of security services from AT&T Corp., partly because it's a small nonprofit and its IT staffers "wear a lot of hats," Autry says.

When the USOC started using AT&T in 2000, AT&T had to notify USOC staff before making any changes to network security, but AT&T now has the authority to make changes in the middle of the night without prior approval "if they see the potential for danger," says Autry.

Dan Klinger, manager of information security at Hershey Foods Corp. in Hershey, Pa., uses a Web-based auditing tool from Qualys Inc., in Redwood Shores, Calif., but no other services. "We want to hold onto most security in-house, since we know our environment best and how to prioritize our vulnerabilities," Klinger says. "I'm not close-minded to the concept of outsourcing security, but overall I'm very cautious."

Users and analysts say the best way to ensure accountability with an outsourcer is to set terms in the contract that dictate how often and for what purposes reporting will take place and to then study those reports carefully.

Kelly Kavanagh, an analyst at Gartner Inc., adds that asking for Web-based reporting tools is also desirable for the capability to periodically scan the network perimeter to ensure that outsourced devices are configured correctly.

Some users set up their own monitoring tools. For example, Regence's security logs are generated by its own systems, and Regence employees periodically review security events to see how Counterpane handled them. MacLeod has a five-person staff that does audit and compliance checking. "They are my friendly hackers," he says.

Copyright © 2004 IDG Communications, Inc.