Risk And Rewards

VoicenData Bureau

The risks and threats that companies face in protecting confidential information are making them look for outside expertise in managing security. Hacking incidents, losing data in transit, storing transaction data in violation of company policy, money laundering: all of these form a witches' brew of vulnerabilities that can easily lead to losses in millions of dollars in the form of lawsuits, regulatory actions, and reputation damage.


It's no wonder then that managed-security service providers are stepping

forward to relieve corporate information-security officers of the burden of

protecting sensitive data. Obtaining security services on an outsourced or

offshore basis, or both, demands an understanding of what such services are, as

well as the ability to subject a company's security policies, technology, and

standards to objective scrutiny by a third party. Since data are the crown

jewels of most enterprises, they have to look carefully before entrusting their

protection to an outside party.

Management and Monitoring

Security management encompasses fault management, including notification

when a security device ceases to function and periodic reports on the

operational status of security devices; configuration management, which covers

security device application and operating system modifications and upgrades; and

performance management, which includes statistics on speed and efficiency of

networks, identification of network bottlenecks, and logging data generated by

security devices.

Security monitoring includes data collection, that is, the process of collecting and transforming security-device data into a common form; data mining, including cross-correlation of data across different devices and domains; security-event correlation, by which signs of malicious activity are grouped by logical criteria (the same source address, target, or time window, for instance), enabling analysts to navigate millions of log entries for clues about threat vectors; and expert response, ranging from simple notifications to alerting law-enforcement agencies.
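As an added illustration of the collection and cross-device correlation described above (example code written for this edit, not code from the article or from any provider it names), the following Python normalizes constructed firewall and intrusion-sensor lines into one schema, groups them by source address, and flags a source that was denied on several ports and then tripped a sensor alert within a short window. The log formats, device names, sample addresses and thresholds are all assumptions made for the example.

```python
"""Cross-device security-event correlation over constructed sample logs.

Added example: the line formats, device names, addresses and thresholds
below are assumptions for illustration, not any real product's output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall lines (assumed format, documentation-range addresses).
FIREWALL_LOGS = [
    "2005-03-01T10:00:01 fw01 DENY src=203.0.113.7 dst=192.0.2.10 dport=22",
    "2005-03-01T10:00:02 fw01 DENY src=203.0.113.7 dst=192.0.2.10 dport=23",
    "2005-03-01T10:00:03 fw01 DENY src=203.0.113.7 dst=192.0.2.10 dport=445",
    "2005-03-01T10:00:04 fw01 ALLOW src=203.0.113.7 dst=192.0.2.10 dport=80",
    "2005-03-01T10:05:00 fw01 ALLOW src=198.51.100.4 dst=192.0.2.10 dport=80",
]
# Constructed intrusion-sensor lines (assumed format).
IDS_LOGS = [
    '2005-03-01T10:00:05 ids01 alert sig="WEB-ATTACK directory traversal" src=203.0.113.7 dst=192.0.2.10',
    '2005-03-01T10:30:00 ids01 alert sig="ICMP ping sweep" src=198.51.100.9 dst=192.0.2.0/24',
]

FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)
IDS_RE = re.compile(
    r'^(?P<ts>\S+) (?P<dev>\S+) alert sig="(?P<sig>[^"]+)" src=(?P<src>\S+) dst=(?P<dst>\S+)$'
)


def normalize(line):
    """Data collection: turn one raw device line into a common event dict.

    Returns None for lines neither parser understands; a production
    pipeline would count and retain those for review rather than drop them.
    """
    m = FW_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "dev": m["dev"],
                "type": "fw_" + m["action"].lower(), "src": m["src"],
                "dst": m["dst"], "detail": "dport=" + m["dport"]}
    m = IDS_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "dev": m["dev"],
                "type": "ids_alert", "src": m["src"], "dst": m["dst"],
                "detail": m["sig"]}
    return None


def correlate(events, window=timedelta(minutes=5), min_ports=3):
    """Event correlation: group by source address across devices.

    A finding is raised when a sensor alert from a source is preceded,
    within `window`, by firewall denies on at least `min_ports` distinct
    ports from the same source (a port probe followed by an attack).
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        denies = [e for e in evs if e["type"] == "fw_deny"]
        alerts = [e for e in evs if e["type"] == "ids_alert"]
        for alert in alerts:
            recent = [d for d in denies if alert["ts"] - window <= d["ts"] <= alert["ts"]]
            ports = {d["detail"] for d in recent}
            if len(ports) >= min_ports:
                findings.append({
                    "src": src,
                    "devices": sorted({e["dev"] for e in recent + [alert]}),
                    "ports_probed": len(ports),
                    "alert": alert["detail"],
                })
    return findings


def run(raw_lines):
    """Collect, normalize and correlate; unparsed lines are skipped."""
    events = [e for e in map(normalize, raw_lines) if e is not None]
    return correlate(events)


if __name__ == "__main__":
    for f in run(FIREWALL_LOGS + IDS_LOGS):
        print(f)
```

On the constructed input only 203.0.113.7 is flagged: it was denied on three ports and then triggered the sensor alert two seconds later, so the firewall and sensor records are joined into one finding. The ping-sweep alert from 198.51.100.9 stands alone and is left for the analyst's normal queue.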


Security Engagement

“This type of protection doesn't come easy or cheap. Providers of

outsourced IT-infrastructure services must maintain tight controls over access

to sensitive data and programs, as well as ensure that each client's data is

kept separate from others. Getting security officers to accept the idea of a

shared infrastructure for security services can be a formidable hurdle.

Initially, customers may insist on having dedicated resources, but will

gravitate toward shared resources for economy and in order to take advantage of

the latest technologies,” says Nick Sharma, global head, Infrastructure

Management Services, Satyam Computer Services.

Sharma further adds that infrastructure services, including security, make up

a small percentage of Satyam's business, which is heavily based on software

development. However, they represent the “next wave” of outsourced services

for Satyam and other global service providers.

“An engagement begins with a detailed security audit, which provides the

foundation for creating a security architecture,” he says. This requires different kinds of experts: those proficient in understanding and interpreting the security aspects of laws and regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley and HIPAA, as well as technologists skilled at engineering a secure network, making threat assessments and developing business-continuity



Financial-services companies, whose business is risk management, are in the forefront of the move toward managed-security services. As the threat of computer-initiated attacks increases, and as regulators put more pressure on financial institutions to shore up their information assets, financial institutions are turning toward outsourcing their information-security functions to third-party processors.

“The outsourcing of information security makes sense to organizations that

have a highly developed concept of risk,” says Prosenjeet Banerjee, VP and

head of Information Security, HCL Technologies.

Banks are being driven to ink managed-security deals as they seek to restore their reputation for integrity, which has been sullied by disclosures of theft or loss of sensitive customer information, including credit card and social-security numbers.


If that weren't enough, there's the burden of laws and regulations that have banks struggling to avoid being choked by red tape. The USA PATRIOT Act, under its “know your customer” rules, requires banks to authenticate the identities of new customers and ensure that personal information is secure. The Sarbanes-Oxley law requires banks to implement access controls to data and computer programs that contain sensitive information. And Basel II, the new regulatory capital regime that takes effect next year, requires that banks monitor operational risks, including computer breaches.

The Business Case

The business case for outsourcing information security is a sound one, experts say. Managed-security services are one of the fastest-growing segments of the security marketplace, according to Gartner. Gartner reports that as of 2005, 60% of enterprises were outsourcing the monitoring of at least one network-boundary security technology. According to IDC, as of 2004, security services was a $16.5 bn industry with a CAGR of 35%.

In a managed-security deal, the organization shares information-security risk

and business risk with the managed-services provider. Such deals provide access

to a range of security services and to skilled staff whose full-time job is





Managed-security services include ongoing security management, hardware,
software and applications needed to shield a hosting environment and

sizeable network from attack 24x7. Such services provide the highest

levels of protection and proactive response, in the event a suspicious

threat or actual intrusion is detected. They involve teams of experts who

continuously monitor activity in real time, and provide alerts and

warnings when the situation warrants.

Some of the managed-security services include:

Managed, dedicated and virtual firewall services:

configuration and management of either a dedicated firewall device in a

hosted environment, with a choice of hardware and high-availability

configuration or a virtual firewall service, which offers the same

customization capabilities as a traditional dedicated firewall service,

without the traditional infrastructure. Customers pay only for the

committed bandwidth used to access the service, and the service can be

deployed or expanded in a matter of days.


Shared firewall services: a shared firewall is designed to protect Internet-facing applications. Customers share a redundant firewall configuration with other customers and gain the protection of a high-availability managed firewall at an affordable cost.


Virus-alert services

provide news about viruses and related threats through e-mails, quarterly

newsletters and optional pager alerts. They provide a one-stop source for

information and support needed for quick response - freeing staff from

combing through journals and news sources to uncover the latest word on

security threats.



Network intrusion detection helps detect malicious probes, scans or attacks with 24x7 monitoring of the Internet traffic flowing through a network. It is designed to identify and correct network vulnerabilities before systems are compromised. It includes installation and management of the intrusion sensor, logging and event analysis and recommended security enhancements.



Host intrusion detection provides detailed and relevant information regarding security attacks against web servers. The service detects suspicious activity in a server's operating system, application and related processes, identifying what the attacker did, the commands that were run, the files that were opened and the system calls that were executed.


Incident management

provides help when a security breach or serious threat is discovered. From

incident detection to timely closure, security consultants can provide

technical and procedural assistance, incident investigation and recurrence


According to the CERT Coordination Center of Carnegie Mellon University, such services may include network-boundary protection (including managed services for firewalls, intrusion-detection systems and virtual private networks); security monitoring; incident management (including emergency response and forensic analysis); vulnerability assessment and penetration testing; anti-virus and content-filtering services; information-security risk assessments; data archiving and restoration; and on-site consulting.

The cost of a managed-security service is typically less than hiring

in-house, full-time security experts. For example, a managed-security provider

can set up and monitor security on a 250-user network on a single T1 (1.5 Mbps)

Internet gateway for about $75,000 a year, excluding hardware. Replicating these

actions within the organization produces similar hardware costs, plus at least

$240,000 in annual compensation to hire three full-time specialists.


A shortage of qualified information-security personnel puts tremendous pressure on IT departments to recruit, train, compensate, and retain critical staff. The cost of in-house network-security specialists can be prohibitive. In an outsourcing deal, the costs to hire, train, and retain highly skilled staff become the service provider's responsibility.

A managed-security provider can offer an independent perspective on the security posture of an organization and help maintain a system of checks and balances with in-house personnel. It can thus provide an integrated, more coherent solution, eliminating redundant effort, hardware, and software.

Risk Mitigation

In deciding to retain an MSSP, an organization needs to treat the decision as one of sharing risk, not transferring it: the provider takes on part of the operational burden, but the accountability for a breach stays with the client. When weighing the risks, banks need to consider issues such as trust, dependence, and ownership.


Establishing a good working relationship and building trust between a client and service provider is critical in deciding whether to outsource security services. Any service provider has access to sensitive client information and details about the client's security posture and vulnerabilities. The intentional or inadvertent public release of such information can be extremely damaging to the client. A signed confidentiality agreement, put in place early in contract negotiations and before any audit findings or vulnerability details are shared, helps mitigate this risk.

An organization can become operationally dependent on a single service

provider. One risk-mitigation approach is to outsource to multiple providers,

but this comes with additional cost and management oversight responsibilities.

An organization needs to carefully examine the provider's proposal to

understand whether it uses subcontractors and how they work.

A client retains ownership and responsibility for the secure operation of its

infrastructure and the protection of its critical assets regardless of the scope

of services provided by a service provider. Risk-mitigation approaches include

making information security the primary responsibility for one or more staff

members and managers, and conducting regular user-security awareness and

training sessions.

The shared operational environment used by many service providers to service

multiple clients poses more risks than an in-house environment. Sharing a

data-transmission capability (such as a common network) or a processing

environment (such as a general-purpose server) across multiple clients can

increase the likelihood of one organization having access to the sensitive

information of another.

Initiating a managed-security services relationship may require a complex

transition of people, processes, hardware, software, and other assets from the

client to the provider or from one provider to another, all of which may

introduce new risks. IT and business environments may require new interfaces,

approaches, and expectations for service delivery.

The CERT Coordination Center provides a list of best practices for engaging

managed-security service providers. They are intended primarily for those

responsible for the selection and day-to-day overview of outsourced

managed-security services. This may include the chief information officer, chief

financial officer, contracting/purchasing manager, information technology

manager, chief security officer, and technical staff (system and network


To knowledgeably select, engage, manage, and terminate service provider

relationships and the services they provide, CERT recommends a three-step

approach: Engaging an MSSP; managing the relationship with an MSSP; and

terminating an MSSP. The first practice in engaging a service provider provides

guidance for a Request for Proposal (RFP). The RFP establishes the client's

requirements that need to be addressed in a provider's proposal. The second

practice describes guidelines for evaluating a provider's proposal beyond

those implied by the RFP guidelines. The third practice provides content

guidance for a Service-level Agreement (SLA). The SLA is one part of the

contract between the client and provider. It addresses some of the RFP


Managing the relationship with a service provider includes guidelines for

establishing a new provider relationship or transitioning from in-house services

to provider-supplied services or transitioning from one provider to another. The

second practice in this area addresses the ongoing client/provider relationship.

Finally, there are guidelines to consider using when an organization

terminates a relationship with a service provider, whether at the end of a

contract or for some other reason.

By Steven Marlin in New York, USA

Republished with permission from Global Services