132 ◾ Security Strategy: From Requirements to Reality
Service providers achieve profi tability by delivering commoditizing services to a large audi-
ence. e approach leaves little room for customization, especially when customer-specifi c security
requirements are involved. Nonetheless, it is your responsibility to prove that the contracted ser-
vice complies with your requirements. e simplest way to do this is to map your requirements to
the practices and audit requirements of the provider. For example, if your security policy requires
failed logons to be logged: (1) Does the provider log failed authentications? (2) Is this functionality
regularly audited to prove it works properly? (3) Can you get a copy of the audit report? (4) Can
you get a report of the logged events for compliance reporting purposes? Chances are the provider
already does all four things: e terminology may not be the same, and the methodology may be a
little diff erent, but the net result is the same: What they do meets your compliance requirements.
e only remaining caveat is whether or not you can get that information when you need it, and
that requirement should be part of your service-level agreement with your provider.
Summary
Defense-in-depth objectives for consumers of hosted services are focused on two things: the end-
user device and service provider contract management. Standard operating system and applica-
tion security controls are usually suffi cient to secure locally stored data, provided users are trained
in secure computer operations. Ensuring the security and compliance of information processed,
transferred, and stored by a service provider requires well-defi ned service-level requirements and a
consistent, thorough service contract management program.
Provider Scenario
e provider’s environment is an in-house enclave (it is an environment under the control of a
single authority) with an interesting twist. In addition to the in-house objectives, the provider
must include objectives for application, data transit, and data storage security. Application objec-
tives are required because the consumer is authorized direct access to the application and for
all practical purposes bypasses perimeter, network, and host protections. e provider must also
guard against unauthorized data exchanges (leakage) between service consumers and deal with
shared-risk threats from vulnerable (improperly secured) end-user systems. Finally, the providers
must be able to prove they are meeting their security Service Level Agreement (SLA).
Before discussing specifi c service provider security objectives, it’s important to diff erentiate
between the various types of services. is section discusses two principal service environments:
shared and dedicated. In a shared service environment, services are provided to customers through
a common set of resources. Customer data is processed, transported, and stored on systems that
are used by any number of other customers. Web conferencing is an example of a shared service.
Customers may have an individually assigned conference center, but they are using the same appli-
cation, network facilities, and storage all the other customers are using. By contrast, a dedicated
service provides a mixture of applications, networking, and storage services for a single customer.
Traditional hosting services are a good example; the systems at the service provider are primarily
an extension of the customer’s network that is operated and maintained by the service provider. In
a fully dedicated environment, the applications, networking, and storage involved are dedicated
to a single customer; they are not shared across multiple customers. e only thing that is shared
are support services (trouble ticketing, monitoring, backup, etc.). Fully dedicated environments
are not the norm; they are typically reserved for sensitive or high security applications, such as
fi nancial services and the military. Most dedicated services provide a dedicated application that
TAF-K11348-10-0301-C008.indd 132TAF-K11348-10-0301-C008.indd 132 8/18/10 3:08:40 PM8/18/10 3:08:40 PM