The risks and threats that companies face in protecting confidential
information are making them look for outside expertise in managing security.
Hacking incidents, data lost in transit, transaction data stored in violation
of company policy, money laundering: all of these form a witches' brew of
vulnerabilities that can easily lead to losses in the millions of dollars in the
form of lawsuits, regulatory actions, and reputation damage.
It's no wonder, then, that managed-security service providers are stepping
forward to relieve corporate information-security officers of the burden of
protecting sensitive data. Obtaining security services on an outsourced or
offshore basis, or both, demands an understanding of what such services are, as
well as a willingness to subject the company's security policies, technology, and
standards to objective scrutiny by a third party. Since data are the crown
jewels of most enterprises, an enterprise has to look carefully before entrusting
their protection to an outside party.
Management and Monitoring
Security management encompasses fault management (notification when a
security device ceases to function, and periodic reports on the operational
status of security devices); configuration management (application and
operating-system modifications and upgrades on the security devices
themselves); and performance management (statistics on the speed and efficiency
of networks, identification of network bottlenecks, and logging of the data
generated by security devices).
Security monitoring includes data collection, that is, collecting
security-device data and transforming it into a common form; data mining,
including cross-correlation of data across different devices and domains;
security-event correlation, by which signs of malicious activity are grouped by
logical criteria (the same source address, target, or time window, for
instance), enabling analysts to navigate millions of lines of log data for
clues about threat vectors; and expert response, ranging from simple
notifications to alerting law-enforcement agencies.
Security Engagement
“This type of protection doesn't come easy or cheap. Providers of
outsourced IT-infrastructure services must maintain tight controls over access
to sensitive data and programs, as well as ensure that each client's data is
kept separate from others. Getting security officers to accept the idea of a
shared infrastructure for security services can be a formidable hurdle.
Initially, customers may insist on having dedicated resources, but will
gravitate toward shared resources for economy and in order to take advantage of
the latest technologies,” says Nick Sharma, global head, Infrastructure
Management Services, Satyam Computer Services.
Sharma adds that infrastructure services, including security, make up
a small percentage of Satyam's business, which is heavily based on software
development. However, they represent the “next wave” of outsourced services
for Satyam and other global service providers.
“An engagement begins with a detailed security audit, which provides the
foundation for creating a security architecture,” he says. This requires two
kinds of expert: those proficient in understanding and interpreting the
security aspects of laws and regulations such as Sarbanes-Oxley,
Gramm-Leach-Bliley and HIPAA, and technologists skilled at engineering a
secure network, making threat assessments, and developing business-continuity
plans.
Financial-services companies, whose business is risk management, are in
the forefront of the move toward managed-security services. As the threat of
computer-initiated attacks increases, and as regulators put more pressure on
financial institutions to shore up their information assets, financial
institutions are turning toward outsourcing their information-security functions
to third-party processors.
“The outsourcing of information security makes sense to organizations that
have a highly developed concept of risk,” says Prosenjeet Banerjee, VP and
head of Information Security, HCL Technologies.
Banks are being driven to ink managed-security deals as they seek to restore
their reputation for integrity, which has been sullied by disclosures of theft
or loss of sensitive customer information, including credit-card and
Social Security numbers.
If that weren't enough, there is the burden of laws and regulations that
have banks struggling to avoid being choked by red tape. The USA PATRIOT Act,
under its “know your customer” rules, requires banks to authenticate the
identities of new customers and to keep their personal information secure.
Sarbanes-Oxley requires banks to implement access controls over data and
computer programs that contain sensitive information. And Basel II, the new
regulatory capital regime that takes effect next year, requires banks to
monitor operational risks, including computer breaches.
The Business Case
The business case for outsourcing information security is a sound one,
experts say. Managed security services are one of the fastest-growing market
segments in the security marketplace, according to Gartner, which reports that
as of 2005, 60% of enterprises were outsourcing the monitoring of at least one
network-boundary security technology. According to IDC, as of 2004, security
services was a $16.5 billion industry with a compound annual growth rate of 35%.
In a managed-security deal, the organization shares information-security risk
and business risk with the managed-services provider. Such deals provide access
to a range of security services and to skilled staff whose full-time job is
security.
[Sidebar: RESPITE. Some of the services listed: Internet-access, virus-alert,
network-intrusion, host-intrusion, incident (remainder of the sidebar not
recovered).]
According to the CERT Coordination Center of Carnegie Mellon University, such
services may include network-boundary protection (including managed services
for firewalls, intrusion-detection systems and virtual private networks);
security monitoring; incident management (including emergency response and
forensic analysis); vulnerability assessment and penetration testing; anti-virus
and content-filtering services; information-security risk assessments; data
archiving and restoration; and on-site consulting.
The cost of a managed-security service is typically less than that of hiring
in-house, full-time security experts. For example, a managed-security provider
can set up and monitor security on a 250-user network with a single T1 (1.5 Mbps)
Internet gateway for about $75,000 a year, excluding hardware. Replicating this
capability within the organization incurs similar hardware costs, plus at least
$240,000 in annual compensation to hire three full-time specialists.
A shortage of qualified information-security personnel puts tremendous
pressure on IT departments to recruit, train, compensate, and retain critical
staff. The cost of in-house network-security specialists can be prohibitive. In
an outsourcing deal, the costs of hiring, training, and retaining highly skilled
staff become the service provider's responsibility.
A managed-security provider can offer an independent perspective on the
security posture of an organization and help maintain a system of checks and
balances with in-house personnel. It can thus provide an integrated, more
coherent solution, eliminating redundant effort, hardware, and software.
Risk Mitigation
In deciding whether to retain an MSSP, an organization needs to treat the
choice as a decision about how risk will be shared and mitigated. When weighing
the risks, it needs to consider issues such as trust, dependence, and ownership.
Establishing a good working relationship and building trust between a client
and service provider is critical in deciding whether to outsource security
services. Any service provider has access to sensitive client information and
details about the client's security posture and vulnerabilities. The
intentional or inadvertent public release of such information can be extremely
damaging to the client. A signed confidentiality agreement, put in place early
in the engagement and before the provider sees any sensitive information or
audit findings, can help mitigate this risk.
An organization can become operationally dependent on a single service
provider. One risk-mitigation approach is to outsource to multiple providers,
but this comes with additional cost and management-oversight responsibilities.
An organization needs to examine the provider's proposal carefully to
understand whether it uses subcontractors and how they are controlled.
A client retains ownership of, and responsibility for, the secure operation of
its infrastructure and the protection of its critical assets, regardless of the
scope of services a provider supplies. Risk-mitigation approaches include
making information security the primary responsibility of one or more staff
members and managers, and conducting regular user security-awareness and
training sessions.
The shared operational environment used by many service providers to service
multiple clients poses more risks than an in-house environment. Sharing a
data-transmission capability (such as a common network) or a processing
environment (such as a general-purpose server) across multiple clients can
increase the likelihood of one organization having access to the sensitive
information of another.
Initiating a managed-security services relationship may require a complex
transition of people, processes, hardware, software, and other assets from the
client to the provider or from one provider to another, all of which may
introduce new risks. IT and business environments may require new interfaces,
approaches, and expectations for service delivery.
The CERT Coordination Center provides a list of best practices for engaging
managed-security service providers. They are intended primarily for those
responsible for the selection and day-to-day oversight of outsourced
managed-security services. This may include the chief information officer, chief
financial officer, contracting/purchasing manager, information-technology
manager, chief security officer, and technical staff (system and network
administrators).
To select, engage, manage, and terminate service-provider relationships and
the services they provide knowledgeably, CERT recommends a three-step
approach: engaging an MSSP, managing the relationship with an MSSP, and
terminating an MSSP. The first practice in engaging a service provider gives
guidance on the Request for Proposal (RFP). The RFP establishes the client's
requirements, which a provider's proposal must address. The second
practice describes guidelines for evaluating a provider's proposal beyond
those implied by the RFP guidelines. The third practice provides content
guidance for a Service-level Agreement (SLA). The SLA is one part of the
contract between client and provider, and it addresses some of the RFP
requirements.
Managing the relationship with a service provider includes guidelines for
establishing a new provider relationship or transitioning from in-house services
to provider-supplied services or transitioning from one provider to another. The
second practice in this area addresses the ongoing client/provider relationship.
Finally, there are guidelines to consider using when an organization
terminates a relationship with a service provider, whether at the end of a
contract or for some other reason.
By Steven Marlin in New York, USA
vadmail@dqindia.com
Republished with permission from Global Services
(www.globalservicesmedia.com)