Chapter 13
Hire a Hessian (Outsourcing)

He is at this time transporting large armies of foreign mercenaries to complete the works of death, desolation and tyranny…totally unworthy the head of a civilized nation.
Thomas Jefferson
Declaration of Independence
Introduction
In early 1776, King George III of England hired 20,000 soldiers from his German brethren to help suppress the growing rebellion in the American colonies. The majority of these troops were supplied by Friedrich II, ruler of Hesse-Cassel in northern Germany, hence the name Hessians. The Hessians represented about one-third of King George’s troops in the Americas. Outsourcing the war to foreigners had its benefits; being able to keep a reserve force in England to protect against his French nemesis Louis XVI was one. It also had its drawbacks; for one, it gave the American leadership a powerful propaganda tool to inflame patriotic passions.
Outsourcing portions of IT operations is a fairly standard practice in most companies today. A study conducted by RTI International shows the financial sector leading the charge with 100% of the participants outsourcing something, followed by manufacturing with 83%, then small business and healthcare with 67%. IT outsourcing has its benefits and its drawbacks. We define outsourcing as a contractual agreement between two organizations by which one organization pays the other to conduct certain activities on its behalf.
In terms of offensive or defensive objectives, outsourcing is fairly neutral. It’s possible to hire out just about any activity, including offensive maneuvers such as cyberwarfare and competitive intelligence. The more common scenario is outsourcing defensive objectives. Security may be a major concern when one is outsourcing, but it is seldom the primary objective of the practice. The three most common objectives of the outsourcing of services are cost savings, business focus, and productivity. Risk mitigation is a distant fourth. By offloading commodity services, companies are able to focus on their core strengths and key business initiatives. Productivity is gained from access to the latest technologies and business tools available. Collaboration and business intelligence tools, once too costly for small and medium companies to implement, are now delivered as cost-effective services. Provider expertise and contractual obligations can also serve to reduce business risks, but these are often countermanded by risks inherent to outsourcing in general. The degree to which outsourcing can help a business achieve these objectives depends largely on the sensitivity or value of the data involved, and on the legal and regulatory requirements the business is subject to.
TAF-K11348-10-0301-C013.indd 253TAF-K11348-10-0301-C013.indd 253 8/18/10 3:12:25 PM8/18/10 3:12:25 PM
Security Strategy: From Requirements to Reality
From a security perspective, outsourcing supports the principles of economy, redundancy, and preparedness through lower control and personnel costs, high reliability, and provider expertise. Outsourcing may also improve coverage by forcing the enterprise onto a common application platform. However, if your strategy is dependent on excellence in observation and response timeliness, outsourcing may not be a good tactic to use. Once your data is out of your direct control, it is much harder to observe how it is being used. Furthermore, your responses become wholly dependent on provider notifications, which may not be generated in a timely manner. These and other factors, such as shared infrastructure, introduce new business risks that must be accounted for.
In this chapter we will examine the use of this tactic from two security perspectives. First, we will examine the security aspects of outsourcing IT services in general—that is, how to deal with security requirements for data that is transferred, processed, and stored by an outsourced provider. Second, we will address requirements that are specific to the outsourcing of security services, such as penetration testing, security monitoring, and facility security.
Security in the Outsourcing of IT Services
Let’s begin by defining the different outsourcing solutions used in today’s IT environments. These fall into two major divisions: fully hosted and hybrid. A fully hosted environment, as the name implies, means the customer has no in-house IT; all services are delivered to the consumer (end user) through a networked connection. Microsoft’s Business Productivity Online Standard Suite (BPOS) is an example of this type of service. BPOS provides e-mail, instant messaging, Web conferencing, and collaboration services via the Internet; no in-house systems (other than end-user laptops or PCs) are required.
Hybrid environments employ some in-house and some hosted systems. The solutions can be characterized by the systems’ level of integration. We have classified these as follows:
1. Uncoupled—Services where the consumer initiates a connection, usually across a public network, for the purpose of pushing data to the provider (e.g., updating a hosted website).
2. Loosely coupled—Similar to uncoupled, except that once the consumer is connected the provider may request the consumer take a specific action (e.g., update the client software), but the provider cannot initiate that action. Web-based e-mail is a good example of this type of service.
3. Fully coupled—Services delivered through a dedicated connection (e.g., a VPN) that allows either party to initiate an action (i.e., a connection or data transfer). The connection is bi-directional; the consumer can push and pull information, and so can the provider. A good example is an application with a federated identity. Federated identity is the use of a userID in one security realm to securely access systems and data in another security realm. The end user initiates a connection to the service; the service initiates a connection to the customer’s authentication service to verify the user’s permissions.
4. Fully integrated—Services that are characterized by full-time dedicated connections and bi-directional data exchanges that can be initiated by either party. An example is a hosted backend database server that regularly queries the customer’s authentication server and other services such as DNS, Time, and WINS.
Outsourcing Pros—Benefits
The primary benefit of using outsourced services is cost savings. Service providers can deliver commodity services such as e-mail, instant messaging, and Web conferencing at a lower per user cost than the equivalent in-house service. Savings result from lower equipment, personnel, recruiting, operations, and support costs. Customers also benefit from higher reliability (availability), fault tolerance, no-cost technology transitions (always on the latest release of software), and the security expertise of the provider’s staff. Other security-related benefits can be realized by the transition to services. For example, the transition may require infrastructure changes that benefit other security functions. These include the consolidation of user identities and the convergence of Active Directory domains. Getting all users on a common platform and having the ability to securely extend services to partners are two other potential benefits.
Outsourcing commodity services allows companies to focus on their core business and business initiatives instead of expending resources on the supervision and management of routine tasks, including some help desk and security-related functions. Some modest risk reductions can result from the provider’s contractual obligations, high availability, Business Continuity and Disaster Recovery capabilities, and security management expertise, as well as transitional changes to security-related infrastructure services. These benefits apply to both fully hosted and hybrid environments.
SIDEBAR: LEVERAGING TECHNOLOGY TRANSITIONS
Major technology transitions are one of the hardest things for IT departments to accomplish. Moving from one
version of an operating system to the next, or from one version of MS Office to the next, often requires months of
preparation and even more time to roll everything out. Such was the case of one organization that wanted to transi-
tion to Microsoft Online Services. The company had been struggling for years with an Active Directory that had over
20 different domains and hundreds of domain trusts. The IT department had an ongoing consolidation project that
had made little progress in the past year; that changed when the CEO decided to go online. The transition required
a consolidated domain structure, so the Online migration team went to work solving the problem. Five months
later, the company was not only saving money on e-mail, instant messaging, conferencing, and collaboration tools,
but it also had an expertly designed and implemented Active Directory to help it manage its in-house computing
resources. The cost? Less than what was budgeted for the original consolidation project.
Outsourcing Cons—Challenges
Outsourcing can provide some modest risk reduction, but it also has a number of inherent security risks that must be considered. The first is the security of the data transferred, stored, and processed by the provider. Once the data leaves your control, your ability to observe how it is handled or used is lost. Your ability to detect and respond to security violations concerning that data becomes wholly dependent on the provider’s notification process, which may or may not be done in a timely manner. However, your liability for the proper management of the data has not changed. You are still the owner of the data, and you are still the party that is ultimately responsible for its protection. You cannot transfer this responsibility to the provider, nor is the provider likely to accept it.
Service providers achieve profitability by delivering commoditized services to a large audience. The approach leaves little room for customization, especially when it comes to customer-specific security requirements. Provider security is, for all practical purposes, a “one size fits all” solution. You either accept the provider’s security management practices and controls or you don’t. It becomes your responsibility to ensure that the provider complies with your requirements. For some services this can be a straightforward exercise; for example, a service like Instant Messenger that does not store data at the provider is limited to network attack scenarios. For services such as e-mail that store large quantities of data at the provider, the task is more difficult. The best strategy is to take your requirements and map them to the practices and audit measures of the provider. This may require some translation of terms, but chances are the provider already meets the vast majority of your requirements. If there are any gaps, there are two possibilities for resolving the disparity: the vendor can add the requirement to their standard practices, or you can accept the risk.
Service providers also introduce new threats to data confidentiality and integrity from unauthorized staff accesses, data leakage across customer boundaries, commingling of data in help desk and other support systems, data exports to test/staging systems, and poor media transport or disposal practices. Compliance is another issue. You are responsible for proving compliance with all applicable laws and regulations. When you outsource services, the process now involves the provider on two fronts: first, whether or not the provider’s practices meet your compliance requirements, and second, whether they can supply you with the information you need to prove compliance within a reasonable time frame. It is also possible that your organization will be subject to additional statutes and regulations based on where the provider stores your data and what international borders it crosses during transfers and processing.
These challenges apply equally to fully hosted and hybrid environments. However, hybrid environments have some additional challenges as a result of shared risk. Systems that cross connect company and provider computing enclaves have a certain level of trust extended to them. It is possible that one or more of the systems involved in these connections will develop a vulnerability that exposes the other systems to potential attack. The simple example is a worm infecting a customer laptop. Because the provider’s e-mail server trusts that laptop, it becomes a potential target for the worm to exploit. The simplest way to address shared risk is to limit inbound and outbound traffic to very specific services and systems. This works fine for connections classified as uncoupled and loosely coupled, but it can become very challenging for fully coupled and fully integrated environments. These may be better served by application-based firewalls.
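As an added example that is not from the book: the paragraph above recommends limiting cross-connection traffic to very specific services and systems. The Python below models such a default-deny allow-list for a hybrid environment, with one rule per hosted service and the rule's source side fixing which enclave may initiate, so the four coupling classes from the list earlier in the chapter each get the narrowest direction they need. It then evaluates a few constructed flows. All enclave ranges, host addresses, ports and flows are assumptions (203.0.113.0/24 is a documentation range standing in for the provider). The infected-laptop case from the text appears as a laptop that may reach only the web-mail port of the hosted mail server, and a hosted server that may initiate only to the customer's federation, directory, DNS and time services.

```python
"""Default-deny allow-list for a customer/provider cross-connection.

Added example, not code from the book. Enclave ranges, host addresses,
ports and sample flows are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

CUSTOMER_NET = ip_network("10.10.0.0/16")     # assumed customer enclave
PROVIDER_NET = ip_network("203.0.113.0/24")   # assumed provider enclave (TEST-NET-3)


def enclave_of(ip: str) -> Optional[str]:
    """Classify an address as customer, provider, or neither."""
    addr = ip_address(ip)
    if addr in CUSTOMER_NET:
        return "customer"
    if addr in PROVIDER_NET:
        return "provider"
    return None


@dataclass(frozen=True)
class Flow:
    src_ip: str   # the side opening the connection
    dst_ip: str
    port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    name: str
    coupling: str   # which of the chapter's four classes the service falls in
    src: str        # network or host allowed to initiate (this fixes the direction)
    dst: str        # host or network that receives the connection
    port: int
    proto: str = "tcp"

    def matches(self, flow: Flow) -> bool:
        return (flow.proto == self.proto
                and flow.port == self.port
                and ip_address(flow.src_ip) in ip_network(self.src)
                and ip_address(flow.dst_ip) in ip_network(self.dst))


# One rule per service; anything not listed is dropped. Constructed hosts:
#   203.0.113.5  hosted web site (content pushed over SFTP)
#   203.0.113.10 hosted mail server (web mail on 443 only)
#   203.0.113.20 hosted application using federated identity
#   203.0.113.30 hosted backend database server
#   10.10.1.5    customer federation service; 10.10.1.10 customer domain controller
RULES = [
    Rule("uncoupled-web-publish",    "uncoupled",        "10.10.0.0/16", "203.0.113.5",  22),
    Rule("loosely-coupled-webmail",  "loosely coupled",  "10.10.0.0/16", "203.0.113.10", 443),
    Rule("fully-coupled-app",        "fully coupled",    "10.10.0.0/16", "203.0.113.20", 443),
    Rule("fully-coupled-federation", "fully coupled",    "203.0.113.20", "10.10.1.5",    443),
    Rule("fully-integrated-ldaps",   "fully integrated", "203.0.113.30", "10.10.1.10",   636),
    Rule("fully-integrated-dns",     "fully integrated", "203.0.113.30", "10.10.1.10",   53, "udp"),
    Rule("fully-integrated-ntp",     "fully integrated", "203.0.113.30", "10.10.1.10",   123, "udp"),
]


def evaluate(flow: Flow, rules=RULES):
    """Return (allowed, reason). Only customer<->provider flows are in scope;
    the first matching rule wins and everything else is denied."""
    src_enc, dst_enc = enclave_of(flow.src_ip), enclave_of(flow.dst_ip)
    if src_enc is None or dst_enc is None or src_enc == dst_enc:
        return False, "default-deny: not a customer/provider cross-connection"
    for rule in rules:
        if rule.matches(flow):
            return True, rule.name
    return False, f"default-deny: {src_enc} may not initiate to {flow.dst_ip}:{flow.port}/{flow.proto}"


# Constructed flows. The third to fifth are the kind of cross-connection
# traffic the text warns about; the last is intra-customer traffic, which
# this policy does not govern.
SAMPLE_FLOWS = [
    Flow("10.10.5.23",   "203.0.113.10", 443),         # laptop reads web mail
    Flow("203.0.113.30", "10.10.1.10",   53, "udp"),   # hosted DB resolves names at the customer DC
    Flow("10.10.5.23",   "203.0.113.10", 445),         # infected laptop probing the mail host over SMB
    Flow("203.0.113.30", "10.10.5.23",   3389),        # provider host reaching into an end-user laptop
    Flow("203.0.113.20", "10.10.1.10",   636),         # app server talking LDAPS instead of the DB server
    Flow("10.10.5.23",   "10.10.1.10",   636),         # internal traffic, outside this policy's scope
]


def denied(flows=SAMPLE_FLOWS):
    """List the flows the allow-list drops, with the reason."""
    return [(f, reason) for f in flows for ok, reason in [evaluate(f)] if not ok]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        ok, reason = evaluate(f)
        print(f"{'ALLOW' if ok else 'DENY ':5} {f.src_ip} -> {f.dst_ip}:{f.port}/{f.proto}  ({reason})")
```

Because each rule names the initiating side, the provider's backend server can be given exactly the three services it needs at the domain controller without the customer having to open its enclave to the whole provider range; the application-layer inspection the text suggests for fully coupled and fully integrated services would sit on top of this network-layer list, not replace it.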
Outsourcing presents a number of challenges that may make certain services unsuitable for the processing and storage of sensitive/high-value data. Services such as Instant Messenger and Web conferencing that do not store data at the provider have the fewest issues, e-mail and collaboration services the most. Acquiring the necessary information to prove compliance can also be a challenge, and in some instances the storage location and the movement of data across international boundaries may increase compliance requirements. In addition, shared-risk issues resulting from the cross connection of customer and provider systems must be mitigated. The provider’s standard security management practices and controls will usually suffice; the challenge is reconciling the differences in grammar and terminology between the parties.
Success Factors and Lessons Learned
The success of outsourcing IT services, from a security perspective, comes down to compliance. Are you continuing to meet your legal, regulatory, and business information security requirements, and can you prove it? For this tactic to have been successful, the answer to this question must be “yes.” Getting to yes requires a well-executed vetting process and excellence in contract management.
Setting your strategy and objectives up front is the first priority. Your outsourcing decisions must be tied to the business’s mission, strategic direction, and core competencies. The next most important factor is to get executive sponsorship and stakeholder involvement. Getting executive management support for outsourcing is usually not difficult because of the potential cost savings. In fact, the executives are often the initiators of outsourcing efforts, which at times makes it difficult to get them to step back when security objectives cannot be met. Nonetheless, the input from executives and key stakeholders is critical to the planning and vetting portions of the process. The third major success factor is good engagement and governance processes (i.e., Excellence in Service Provider Management). This includes frequent evaluations and face-to-face interaction, especially in the first year of engagement. Manfred Immitzer, CIO of Nokia Siemens Networks, suggests that companies “do even more due diligence on IT outsourcing.”
During the vetting process, make sure to do a good job of mapping your security requirements to the provider’s security practices and audit requirements. Ensure that the provider can supply you with all the information you need to prove your compliance with legal, regulatory, and business security requirements. Also make sure the time lines for the delivery of this information are established and agreed upon (get them into the contract if possible). Make sure to fully evaluate the provider’s incident management process and establish reasonable time lines for incident response, resolution, and notifications. Data breaches warrant near-time notification, but you should be able to get a monthly report of all the incidents affecting your services as well.
Outsourcing is a business process that takes some time to mature. Expect the first year to require a lot of hands-on management as expectations, outcomes, and schedules are clarified. Using the outsourcing tactic successfully will depend on your ability to properly vet the provider’s security practices and controls against your requirements and reconcile the differences. If this cannot be accomplished, this may not be the right vendor, or outsourcing may not be the right tactic for your organization. Once engaged, active monitoring and the oversight of a good management team (governance body) will help ensure that security, cost, and operational efficiency goals are achieved. (Also see Chapter 7.)
Outsourcing Control Objectives
This section makes a number of assumptions about the level of services being contracted, including geographical, equipment, and connection redundancy, vendor expertise, and coverage. Some of these attributes may not be present, nor do they necessarily have to be present in all outsourcing solutions. You should select those attributes and control objectives best suited to your circumstances.
Security in IT services outsourcing has the following attributes:
- Services have high availability because of redundancy (equipment, connection, site, etc.), staff expertise, and monitoring coverage.
- Services conform to security standards and comply with applicable legal, regulatory, and industry requirements.
- The provider has a limited liability; the customer is subject to liabilities for provider security failures.
“Overall, outsourcing is a viable and sustainable strategy for companies, as long as their objectives are clear.”
Matthew Ricks, Sun Microsystems