258 Security Strategy: From Requirements to Reality
Customer compliance, incident management, and contract management are based on trust
(that the vendor is providing accurate and relevant information and proofs).
Parties are subject to shared risks.
The primary attack scenarios in IT services outsourcing are based on shared risks. These include
logical attacks against network connections and system interconnects between the parties. They
also include attacks against provisioning, identity management, and support processes (i.e., social
engineering). There is a secondary concern as well. Since the customer is ultimately responsible
for protecting the data entrusted to its care, any attack scenario against the provider represents a
potential liability.
Assuming the outsourcing arrangement does not permit customized security options, you only
have direct control over two security aspects of an outsourced service arrangement: data placement
and shared risks.
1. Data placement means you control what types of data will be handled by the provider, either
by limiting the services used, restricting what data is transferred to the provider, or limiting
how the provider may use the data. Some services do not require storing data at the provider;
Microsoft's Office Communications Server (OCS) is an example. OCS is an instant messaging
and presence product that distributes messages over secure (e.g., SSL/TLS) connections. All OCS
message content is encrypted in transit, including any caching done by the message servers, so
the risk of data disclosure is minimal, provided that server-side archiving of conversations is not
enabled at the provider (if it is, the archive is stored data and has to be treated as such). Web
conferencing is similar. Conference participants use secure (SSL/TLS) connections to access a
conference session. The content can only be accessed as long as the meeting exists. To prevent
unauthorized disclosure, conference content is deleted immediately after the conference concludes
(or after a predefined period designated by the conference leader or coordinator). Once the content
expires, users can no longer access resources associated with the meeting, and the conference
system does not retain any of this content either. A third scenario is also possible: encrypt
the data before transferring it to the provider. One of Bill's clients used Microsoft's Rights
Management Services (RMS) to protect business-sensitive documents. The documents were
stored on a SharePoint server for distribution and collaboration purposes. In this instance it
was a local implementation of SharePoint, but it could just as easily have been an outsourced
service, because the content is encrypted; the one component that must remain under your
control is the RMS server itself, since it issues the licenses that unlock the content. Figure 13.1
depicts the RMS workflow. Note how RMS encrypts and decrypts content (data) at the end
points; during transit and storage, the data is AES (Advanced Encryption Standard) encrypted
so that the risk of disclosure is minimal. However, the cost associated with the RMS service will
offset some of the original outsourcing savings. The key to making this control work is a thorough
understanding of how the service handles data: what it stores, where, for how long, and who
holds the keys. Some providers are willing to supply this information, whereas others are not, in
which case you are better advised to walk away than risk a disclosure of business-sensitive data.
The ability to restrict what data is transferred to the provider depends on what services
are being contracted and how the two computing environments are interconnected. Simple
IP address restrictions may be sufficient in some instances; for example, a router ACL can
stop all finance systems from reaching an outsourced backup solution. Other situations may
require application-level controls, such as a content monitoring tool. As the restrictions grow
in complexity, the cost of implementing and maintaining them starts to offset the original
cost savings objectives, and the complexities in all likelihood will grow. Unless there is a
particularly compelling reason for using this alternative, it should probably be avoided. Data
Hire a Hessian (Outsourcing) 259
placement can also help mitigate unexpected compliance liabilities based on data location
and international transfers by restricting where the provider may store and process information.
Most service providers, especially global providers, have features that allow the consumer to
designate where data is stored and processed; confirm that the designation also covers backups,
replicas, and support staff access, not just the primary copy.
2. Shared risks at the network level are usually mitigated with encryption. SSL/TLS tunnels (e.g.,
Stunnel) are common for uncoupled and loosely coupled connections, IPsec for VPNs, and link
encryption devices for dedicated connections. Assuming standard host security controls (i.e.,
antivirus, patches, etc.) are in place, the shared risk that must be mitigated at the host level is
unsecured trust. Service/port restrictions on system interconnects are the most common controls
for this mitigation; the restriction should name the peer address, the protocol, and the port, and
everything not named should be denied by default. Fully integrated environments may require
the use of application-based firewalls or similar content-based filtering technologies. An explicit
requestor verification process and staff training are the best ways to mitigate social engineering
and other process-based attacks.
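The "encrypt the data before transferring it to the provider" option in item 1 above, as an added example in Go that is not from the book and is not Microsoft RMS: it applies the same split RMS uses, content encrypted under a per-document key and that key wrapped under a master key the customer never hands out, using AES-GCM from the Go standard library. The type and function names, the 32-byte master key, and the label bound as authenticated metadata are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the only thing that leaves the customer's environment: the provider can
// store, replicate and back it up, but content and per-document key are both ciphertext.
type Envelope struct {
	Label      string // authenticated but unencrypted metadata (assumed: a document ID)
	WrappedKey []byte // wrap nonce || AES-GCM(masterKey, docKey)
	Nonce      []byte // AES-GCM nonce for the content
	Ciphertext []byte // AES-GCM(docKey, plaintext), tag included
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects anything but 16/24/32-byte keys
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// wrap encrypts docKey under masterKey, nonce prepended, with label as associated data.
func wrap(masterKey, docKey []byte, label string) ([]byte, error) {
	master, err := newGCM(masterKey)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(master.NonceSize())
	if err != nil {
		return nil, err
	}
	return master.Seal(nonce, nonce, docKey, []byte(label)), nil
}

// unwrap recovers the document key: the one step the provider cannot perform.
func unwrap(masterKey, wrapped []byte, label string) ([]byte, error) {
	master, err := newGCM(masterKey)
	if err != nil {
		return nil, err
	}
	ns := master.NonceSize()
	if len(wrapped) < ns {
		return nil, errors.New("malformed wrapped key")
	}
	return master.Open(nil, wrapped[:ns], wrapped[ns:], []byte(label))
}

// Seal encrypts a document on the customer side. masterKey (assumed 32 bytes) stays
// in the customer's key store, the role the RMS server plays in Figure 13.1.
func Seal(masterKey, plaintext []byte, label string) (*Envelope, error) {
	docKey, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	content, err := newGCM(docKey)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(content.NonceSize())
	if err != nil {
		return nil, err
	}
	wrapped, err := wrap(masterKey, docKey, label)
	if err != nil {
		return nil, err
	}
	ct := content.Seal(nil, nonce, plaintext, []byte(label))
	return &Envelope{Label: label, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open is the end-point decryption step; a wrong master key, a swapped label or one
// flipped ciphertext byte all fail closed instead of yielding garbage.
func Open(masterKey []byte, env *Envelope) ([]byte, error) {
	docKey, err := unwrap(masterKey, env.WrappedKey, env.Label)
	if err != nil {
		return nil, fmt.Errorf("unwrap document key: %w", err)
	}
	content, err := newGCM(docKey)
	if err != nil {
		return nil, err
	}
	return content.Open(nil, env.Nonce, env.Ciphertext, []byte(env.Label))
}

func main() {
	master, _ := randomBytes(32) // in practice loaded from the customer's key store
	env, _ := Seal(master, []byte("board minutes"), "doc-42")
	pt, err := Open(master, env)
	fmt.Printf("provider holds %d opaque bytes; customer recovers %q (err=%v)\n", len(env.Ciphertext), pt, err)
}
```

The design point is the same one the RMS figure makes: the provider only ever stores `Envelope` values, and the question to ask a provider ("who holds the keys?") has a concrete answer here, the customer's master key, which the provider's breach cannot expose. Binding the label as associated data also means an envelope cannot be silently re-filed under another document's identity.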
Some outsourcing arrangements may allow you (usually for an additional cost) to implement
other direct controls over information security. For example, you might implement system man-
agement agents that report security-related information if you are only outsourcing rack space or
server management.
Effective outsourcing of IT services requires good data placement control and shared-risk mitigation.
Table 13.1 maps these controls to specific security baselines. The type (hard or soft) denotes the
kind of metric used for each control: soft indicates a procedure-based control, hard denotes a
technology-based (i.e., automated) control, and both indicates that the metric may be either one
or a combination of the two.
Because it isn't possible to observe the provider's actions, the remaining attributes (i.e., availability,
compliance, liability, etc.) are based on trust, that is, contractual obligations and vendor
performance monitoring. The two control objectives are:
1. Excellence in contracting
2. Excellence in service provider management (see Chapter 7)
Figure 13.1 Rights Management Service (RMS) workflow. Components shown: author, recipient,
AuthN server, database server, RMS server. Steps:
1. Author obtains an RMS certificate
2. Author creates documents and assigns rights
3. Author distributes RMS-encrypted document
4. Recipient opens file and RMS agent validates the user's rights
5. Application renders file
Table 13.1 Control Objectives of Outsourcing of IT Services
(Type: Soft = procedure-based metric; Hard = technology-based metric; Both = either or a combination)

Data Placement
- Limited services (Soft): Only use services that do not store data, or store it only for a short
duration, at the provider, to prevent disclosure from a provider security breach.
- Restricted transfer (Hard): Block certain types of information from being transferred to the
service provider to prevent disclosure from a provider security breach.
- Restricted use (Soft): Set data storage and processing locations to prevent inadvertent
statutory or regulatory compliance liabilities.
- Encrypt local (Hard): Encrypt all data before transferring it to the provider to prevent
disclosure from a provider security breach.

Host Shared Risk
- Standard measures (Soft): Ensure that systems meet DMZ (externally exposed) security
standards, including but not limited to patches, permissions, anti-malware, logon restrictions,
and the like.
- Unsecured trusts (Hard): Restrict trusts to specific addresses (hosts), protocols, services
(ports), and/or content.

Network Shared Risk
- Standard measures (Both): Ensure that local communication nodes meet current security
requirements including, but not limited to, an approved version of software/firmware,
up-to-date patches, secure logon, anti-DoS configuration, and so on.
- Passive wiretapping (Hard): Encrypt data in transit to prevent eavesdropping. (Both): Use
secure key distribution to thwart man-in-the-middle attacks.
- Data insertion (Hard): Use authenticated encryption (or encryption plus a MAC) in transit so
that data alterations are detected and rejected; encryption alone does not prevent them.
- Node impersonation (Hard): Encrypt data in transit to prevent disclosure when traversing a
counterfeit node.
- End-point impersonation (Hard): Encrypt data using end-point authentication (e.g., TLS
with certificate verification against a trust anchor you installed) to prevent disclosure when
connected to a counterfeit end point.

Process Shared Risk
- Standard measures (Soft): Excellence in operations:
  - Written identity management procedures
  - Mandatory change control procedures
  - Properly trained and supervised staff
  - Sufficient resources to adequately manage identity provisioning
- Unauthorized account (Soft): Implement explicit requestor validation for all account requests
related to interconnected systems.
- Unauthorized system (Soft): Encrypt data in transit to prevent disclosure when traversing a
counterfeit node or host system.
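The end-point impersonation and secure key distribution rows of Table 13.1, and the network-level encryption in item 2 of the previous section, as an added example that is not from the book: a Go program that stands up a genuine and a counterfeit TLS end point on loopback, then runs a client with an installed trust anchor against each and a client with certificate verification disabled against the counterfeit. The certificates are self-signed and generated inline so the demo runs offline; the end-point name, the `Outcome` field names, and the timeouts are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// startEndpoint mints a throwaway self-signed certificate for 127.0.0.1 and serves
// TLS with it on an ephemeral loopback port. On a real interconnect the anchor you
// trust is the partner's CA certificate obtained out of band, never what the wire shows.
func startEndpoint(name string) (addr string, cert *x509.Certificate, stop func(), err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", nil, nil, err
	}
	cert, _ = x509.ParseCertificate(der) // cannot fail: we just produced this DER
	cfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", nil, nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed by stop()
			}
			// Handshake runs on first write; a client that rejects the cert hangs up.
			go func(c net.Conn) { defer c.Close(); c.Write([]byte("hello\n")) }(c)
		}
	}()
	return ln.Addr().String(), cert, func() { ln.Close() }, nil
}

// handshake reports whether a client configured with cfg accepts the end point.
func handshake(addr string, cfg *tls.Config) bool {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 3 * time.Second}, "tcp", addr, cfg)
	if err == nil {
		conn.Close()
	}
	return err == nil
}

type Outcome struct {
	GenuineAccepted       bool // verified client, real partner: must be true
	CounterfeitRejected   bool // verified client, impersonator: must be true
	UnverifiedAcceptsFake bool // InsecureSkipVerify client, impersonator: true means disclosure
}

// Demo stands up a genuine and a counterfeit end point and runs three clients.
func Demo() (Outcome, error) {
	realAddr, anchor, stopReal, err := startEndpoint("partner-gateway")
	if err != nil {
		return Outcome{}, err
	}
	defer stopReal()
	// Same name, different key: hijacked DNS/ARP or a compromised node gives exactly this.
	fakeAddr, _, stopFake, err := startEndpoint("partner-gateway")
	if err != nil {
		return Outcome{}, err
	}
	defer stopFake()
	trusted := x509.NewCertPool()
	trusted.AddCert(anchor) // installed from the out-of-band copy, not learned on first contact
	verified := &tls.Config{RootCAs: trusted, MinVersion: tls.VersionTLS12}
	// The weak setting many integrations ship with: encrypted link, unknown peer.
	weak := &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS12}
	return Outcome{
		GenuineAccepted:       handshake(realAddr, verified),
		CounterfeitRejected:   !handshake(fakeAddr, verified),
		UnverifiedAcceptsFake: handshake(fakeAddr, weak),
	}, nil
}

func main() {
	fmt.Println(Demo())
}
```

The third result is the one to look for when reviewing an interconnect: the counterfeit end point gets a fully encrypted session, which is exactly why "encrypt data in transit" without end-point authentication leaves the node and end-point impersonation rows of the table unaddressed.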
The following actions are recommended to facilitate the secure outsourcing of IT services:
1. Review any existing policies and procedures the organization has for outsourced services of
any kind (e.g., janitorial services) to get an understanding of the company's expectations and
requirements.
2. Review existing security and operations policies and procedures to identify applicable
requirements and find areas where policies and procedures will need to be updated to support
outsourcing.
3. Garner the support and participation of key stakeholders. Get their help defining the objectives
for this outsourcing solution. Solicit their help filling the policy and procedure gaps identified
above and, finally, get their input to and reviews of the transition plan. Make sure you involve
legal personnel as early as possible, for they are crucial to the contracting process; also make
sure to involve HR if the outsourcing will result in any layoffs.
4. Build the processes you will need for vetting potential providers and managing contracted
providers (engagement process).
5. Prepare the materials (forms, questionnaires, surveys, etc.) required for the vetting, contracting,
and engagement processes.
Security in the Outsourcing of Security Services
We outsource things that have one of three characteristics: they’re complex, impor-
tant, or distasteful. Computer security is all three.
Bruce Schneier
All the elements, attributes, and control objectives identified in the previous section are also
applicable to the outsourcing of security services. Consequently, this section will only address
attributes that are unique to this type of outsourcing.
Commonly Outsourced Services
Let's begin by identifying the types of security services that are commonly outsourced. From most
to least common they are:
1. Security auditing
2. Penetration testing, vulnerability assessment
3. System and facility monitoring
4. Consulting
5. Incident support
6. System management/administration
7. Security officers
Security Auditing
Compliance with legal, regulatory, and industry requirements makes third-party security audits
mandatory for most businesses. Statutes such as Sarbanes-Oxley (SOX) and industry requirements
such as the Payment Card Industry (PCI) security standards require companies to hire external
auditors to verify compliance. Companies also rely on external audits for security certifications
(compliance with generally accepted security standards and practices) and to meet specific
customer security expectations. Audits are typically conducted on an annual or bi-annual basis.
Penetration Testing, Vulnerability Assessment
Companies frequently hire external parties to look for security flaws in their products or services.
These include design and architecture reviews, code reviews, and security testing. The assessments
are frequently mandated by the company's risk management or internal audit function as part of
"due diligence" in managing enterprise risk. Penetration testing is typically performed just prior
to the system going into production and periodically thereafter to ensure that changes to the
system have not weakened the system's security profile. One could view penetration testing as a
mock hacker attack, in that the penetration testing team attempts to compromise system security
controls using the same techniques and attack scenarios the system will be subject to in its
production environment.
Systems Monitoring
The two types of services offered in the systems arena are typically performed by a managed
security service provider or MSSP. The MSSP may offer other services (e.g., consulting,
penetration testing services), but the core business is system monitoring. The first type of service
is automated vulnerability monitoring/scanning. The monitoring company continuously scans
systems in the customer's environment for the presence of vulnerabilities. The simplest version
of this service just scans systems exposed to the Internet, from the Internet. More sophisticated
versions use dedicated connections or appliances to scan a larger set of systems, including those
on internal networks. The QualysGuard (Qualys, Inc.) service is an example of this type of
monitoring. Qualys maintains an up-to-date database of vulnerabilities and threats. It uses this
database to assess client systems and report security states. The service includes comprehensive
reports on vulnerabilities, threats, and potential impacts.
The second type of system monitoring uses automated assessment. The MSSP collects security-
related information from multiple systems and analyzes it for malicious or unauthorized activity.
The information may be provided by software agents installed on the monitored systems, by
appliances attached to the network, or gleaned from system logs and audit trails. BT Managed
Security Solutions (formerly Counterpane Internet Security) is an example of this type of service.
BT gathers log information from security devices and evaluates the information in real time
against a comprehensive rule set to detect and generate responses to malicious or potentially
malicious activities. Note that this service only sees what is sent to it: the shared-risk assessment
should cover the collection path (agents, forwarders, and the credentials they run under) as well
as the MSSP itself.
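The rule-based log evaluation described above, as an added example that is not from the book or from BT's service: a Go correlator that parses constructed sshd log lines, flags a source that fails a threshold of logins inside a sliding window, and escalates when that same source later logs in successfully, the pattern a monitoring rule set is there to catch. The log format, the regular expression, the rule names, and the thresholds are this example's own assumptions, and the sample lines are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"time"
)

// Event is one parsed authentication record.
type Event struct {
	At      time.Time
	Source  string
	User    string
	Success bool
}

// Alert is what the analyst, or the MSSP's response playbook, receives.
type Alert struct {
	Rule   string
	Source string
	User   string
	At     time.Time
}

// sshdLine matches the two sshd messages this rule set cares about. It is written for
// the constructed sample below (RFC 3339 timestamp, host, sshd[pid]), not as a general
// syslog parser.
var sshdLine = regexp.MustCompile(
	`^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+`)

func parse(line string) (Event, bool) {
	m := sshdLine.FindStringSubmatch(line)
	if m == nil {
		return Event{}, false
	}
	at, err := time.Parse(time.RFC3339, m[1])
	if err != nil {
		return Event{}, false
	}
	return Event{At: at, Source: m[4], User: m[3], Success: m[2] == "Accepted"}, true
}

// Analyze applies two correlation rules: "brute-force" fires when one source fails at
// least threshold times inside window; "compromise-suspected" fires when a source that
// tripped brute-force later succeeds. Unparseable lines are skipped, not fatal.
func Analyze(lines []string, threshold int, window time.Duration) []Alert {
	var events []Event
	for _, l := range lines {
		if e, ok := parse(l); ok {
			events = append(events, e)
		}
	}
	// Records from several devices arrive out of order; correlate in time order.
	sort.SliceStable(events, func(i, j int) bool { return events[i].At.Before(events[j].At) })
	var alerts []Alert
	failures := map[string][]time.Time{} // recent failure times per source
	flagged := map[string]bool{}          // sources that already tripped brute-force
	for _, e := range events {
		if e.Success {
			if flagged[e.Source] {
				alerts = append(alerts, Alert{Rule: "compromise-suspected", Source: e.Source, User: e.User, At: e.At})
			}
			continue
		}
		// Slide the window: drop failures older than window, then record this one.
		kept := failures[e.Source][:0]
		for _, t := range failures[e.Source] {
			if e.At.Sub(t) <= window {
				kept = append(kept, t)
			}
		}
		failures[e.Source] = append(kept, e.At)
		if len(failures[e.Source]) >= threshold && !flagged[e.Source] {
			flagged[e.Source] = true
			alerts = append(alerts, Alert{Rule: "brute-force", Source: e.Source, User: e.User, At: e.At})
		}
	}
	return alerts
}

// SampleLog is constructed for this example (documentation address ranges); the first line is out of order.
var SampleLog = []string{
	"2010-08-18T03:12:44Z gw01 sshd[4032]: Failed password for jsmith from 198.51.100.5 port 40001 ssh2",
	"2010-08-18T03:12:01Z gw01 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2",
	"2010-08-18T03:12:03Z gw01 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 50212 ssh2",
	"2010-08-18T03:12:05Z gw01 sshd[4023]: Failed password for root from 203.0.113.7 port 50213 ssh2",
	"2010-08-18T03:12:07Z gw01 sshd[4024]: Failed password for root from 203.0.113.7 port 50214 ssh2",
	"2010-08-18T03:12:09Z gw01 sshd[4025]: Failed password for root from 203.0.113.7 port 50215 ssh2",
	"2010-08-18T03:12:40Z gw01 sshd[4031]: Accepted password for backup from 203.0.113.7 port 50216 ssh2",
	"2010-08-18T03:12:50Z gw01 sshd[4033]: Accepted password for jsmith from 198.51.100.5 port 40002 ssh2",
	"2010-08-18T03:12:55Z gw01 sshd[4033]: pam_unix(sshd:session): session opened for user jsmith by (uid=0)",
}

func main() {
	for _, a := range Analyze(SampleLog, 5, time.Minute) {
		fmt.Printf("%s %-20s source=%s user=%s\n", a.At.Format(time.RFC3339), a.Rule, a.Source, a.User)
	}
}
```

Run against the sample with a threshold of 5 and a one-minute window, the first rule fires on 203.0.113.7 at the fifth failure and the second fires when the same source succeeds as `backup` thirty seconds later; the single typo from 198.51.100.5 produces nothing, which is the trade-off an MSSP tunes when it sets thresholds for a customer.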
Facilities Monitoring
Remote facility monitoring includes 24/365 intrusion detection and control,video surveillance,
electronic access control, and GPS asset tracking services. Most organizations offering these
services are facility management firms that offer maintenance, moving, and many other services,
including safety-related monitoring such as fire and smoke detection, power failures, overheating,
and flooding. Services can range from simple surveillance to complex interactive access control
management. For example, a credit card company Bill worked with used an outsourced service
to remotely manage their data center mantraps. When entering a data center, you step into the