258 ◾ Security Strategy: From Requirements to Reality
◾ Customer compliance, incident management, and contract management are based on trust
(that the vendor is providing accurate and relevant information and proofs).
◾ Parties are subject to shared risks.
The primary attack scenarios in IT services outsourcing are based on shared risks. These include
logical attacks against network connections and system interconnects between the parties. They
also include attacks against provisioning, identity management, and support processes (i.e., social
engineering). There is a secondary concern as well. Since the customer is ultimately responsible
for protecting the data entrusted to its care, any attack scenario against the provider represents a
potential liability.
Assuming the outsourcing arrangement does not permit customized security options, you only
have direct control over two security aspects of an outsourced service arrangement: data placement
and shared risks.
1. Data placement means you control what types of data will be handled by the provider either
by limiting the services used, restricting what data is transferred to the provider, or limiting
how the provider may use the data. Some services do not require storing data at the provider,
for example, Microsoft’s Office Communications Server (OCS). OCS is an instant messaging
product that distributes messages over secure (e.g., SSL/TLS) connections. All OCS
message content is encrypted during transit, including any caching done by the message
servers; consequently, the risk of data disclosure is minimal. Web conferencing is similar.
Conference participants use secure (SSL/TLS) connections to access a conference session.
The content can only be accessed as long as the meeting exists. To prevent unauthorized disclosure,
conference content is deleted immediately after the conference concludes (or after
a predefined period designated by the conference leader or coordinator). Once the content
expires, users can no longer access resources associated with the meeting, and the conference
system does not retain any of this content either. A third scenario is also possible: encrypt
the data before transferring it to the provider. One of Bill’s clients used Microsoft’s Rights
Management Server (RMS) to protect business-sensitive documents. The documents were
stored on a SharePoint server for distribution and collaboration purposes. In this instance it
was a local implementation of SharePoint, but it could have just as easily been an outsourced
service because the content is encrypted. Figure 13.1 depicts the RMS workflow. Note how
RMS encrypts and decrypts content (data) at the end points; during transit and storage,
the data is AES (Advanced Encryption Standard) encrypted so that the risk of disclosure is
minimal. However, the cost associated with the RMS service will offset some of the original
outsourcing savings. The key to making this control work is a thorough understanding of
how the service handles data. Some providers are willing to supply this information, whereas
others are not, in which case you are better advised to walk away than risk a disclosure of
business-sensitive data.
The ability to restrict what data is transferred to the provider depends on what services
are being contracted and how the two computing environments are interconnected. Simple
IP address restrictions may be sufficient in some instances—for example, a router ACL to
restrict all finance systems from using an outsourced backup solution. Other situations may
require application-level controls, such as a content monitoring tool. As the restrictions grow
in complexity, the cost of implementing and maintaining them starts to offset the original
cost savings objectives. The complexities in all likelihood will grow. Unless there is a particularly
compelling reason for using this alternative, it should probably be avoided. Data