What security issues must be taken into consideration when you entrust parts of your business to others? Mark Mayne reports.
As businesses cut costs and optimise resources in a post-crunch world, outsourcing is becoming an increasingly attractive option.
Outsourcing any business function, from HR systems to security, can be a demanding, technical struggle, and IT security adds a further layer of complexity. Before you sign the cheque and throw out your firewall and IPS/IDS boxes, take a look under the hood of outsourcing, the trends behind it and the issues that outsourcing IT security raises.
Cost savings are often touted as a key driver towards outsourcing, and many of the benefits are financial.
By default, outsourcing security functionality such as email scanning or web filtering will save many highly skilled, specialised and expensive man-hours in-house. Additionally, staff freed of a potentially time-consuming, tedious task can then focus on business priorities, an area that is extremely hard to service externally.
Player Pate, managed security services marketing manager, IBM Internet Security Systems, said: “It's important that a business first understands why it is seeking to outsource a particular function. This allows an assessment of the business case, and an analysis of the objectives that the solution needs to be in line with.
“One common issue is that of expertise. IT security is an increasingly complex field, and many businesses have realised that they simply don't have the expertise in-house to deal with it. Most IT departments will see some kind of manpower saving if they outsource certain IT security functions, for example,” he says.
Choosing to pass on some of this caseload and specialist ability to a managed security service provider – MSSP – is an increasingly common step. The option to buy a ‘clean pipe’ from an ISP has been in demand for some years, and is a growing, viable service, especially to combat the inexorable rise in spam, which now accounts for 96.5 per cent of all business email, according to Sophos. Also, web malware is seeing almost exponential year-on-year growth, making in-house tracking a near-impossible task.
Graham Jones, UK MD, Integralis, agrees: “Keeping up with the sheer throughput of online threats and email malware is a giant task, and encourages many to seek expert help. It's definitely an area of increasing maturity though – email security is now easy, web filtering is now done, too, although a few years ago this wasn't true. I anticipate we'll see firewalls go next, probably mid- to late next year, they're beginning to become a commodity that just needs to be there, there's not a massive amount of difference between the top players. IPS and IDS management will go the same way eventually, due to the sheer volume of false alerts that they generate. In some cases we'll also see two-factor ID management outsourced – small law firms, for example, that need the technology but don't have the in-house expertise or time to manage this themselves.”
Compliance has been a huge driver for outsourcing. As regulations tighten in almost every sector, the number of specific compliance items on every CISO's list has grown exponentially. Oft-quoted regulations such as PCI DSS (Payment Card Industry Data Security Standard) have also created markets, for example with the recent specification for businesses to deploy either a Web Application Firewall (WAF) or conduct regular full-code inspections. This has resulted in burgeoning markets for WAF outsourcing and external application code reviews, as neither is a pleasant task for a small IT department to take on – especially on an ongoing basis.
Anand Kumar, practice head, enterprise security services, Wipro, said: “It is important to evaluate whether the partners bring to the table transformational experience and capability and not just operations skills. This is because the security agenda for most customers is still incomplete and the domain itself is still evolving. Just because a business needs one skillset now, doesn't mean that another won't be needed in the future. Additionally, although offerings are frequently very modular, such as AV, IPS, IDS, most businesses will be seeking to solve an issue – such as PCI compliance – that combines many of these technologies.”
However, it's not just a case of choosing a provider, flicking the switch and focusing on something more pressing – the responsibility for monitoring the performance of your MSSP is critical. More importantly, any serious security failure – such as a data breach – will also be your responsibility. Retaining oversight and a measure of control is key to initial comfort levels, and to the ongoing health of the relationship.
Contracts are often where a new supplier shows their true colours, and this is where things begin to go wrong, says Gerhart Knecht, global security director and chief security officer, Unisys.
“A growing problem is that companies send security briefs that are unbelievable, with amazingly punitive service level agreements (SLAs) and extremely punitive timescales to solve any issue that may arise. The trouble is that these contracts have been drafted by lawyers, not security professionals. For the business seeking an outsourcing partner, if you know your contract is impossible to fulfil, and the provider doesn't push it back immediately with a detailed explanation of why, then assume they are not a good fit.”
“Another key problem with the outsourcing industry is that most companies don't know what to ask for in their security contract. Some are just impossible; some so easy they are a joke. A lot of the time I think good security officers are not being tough enough – they should not be afraid to ask for more – don't be afraid to base your contract on ISO 27000. If your provider is competent then he'll be familiar with these provisions and will already have the process in place. If he doesn't, then you know you're in trouble,” adds Knecht.
Enforcing the contract with your MSSP is down to SLAs, and just as the contract can cause issues, so can the wording of the agreements. Pate believes measurement is key. “You want to ask your MSSP how they are measuring your SLAs. How can you check to make sure they are being enforced? You also want to ask about performance-based metrics. Most MSSPs only provide SLAs for device monitoring and security event response times, not around protection. You want to be sure your MSSP can provide SLAs around the protection of your network infrastructure.”
The grey area of metrics is a key one here – gathering various feeds from monitoring devices and displaying them in a dashboard interface is a commonly offered feature, but what exactly is it telling you, and does this really reflect your business risk analysis? Kumar has seen this before.
“The effective dashboard is the holy grail here, and about as obtainable. The issue of what to display on it is still open for debate – there can be very differing emphasis on risk in different organisations. Probably 70 per cent of the metrics are common, another 15 per cent are related to vertical sectors, but the final 15 per cent depend on the individual business – one size does not fit all.”
While the SLAs in place will provide the enforcement, it's vital that the original contract is correctly worded and researched. Although due diligence requires that various questions regarding process are asked, many fail to follow up on the answers, according to Knecht. “A lot of people in my experience go about this process in a very digital way – they ask the right questions, and the MSSP ticks the boxes: yes, yes, yes. However, I believe that the real solution is to use a much more analogue method – nothing here is black or white – it's all about shades of grey. The trouble is, a lot of contract questionnaires are very formulaic, and don't allow either party the space to accurately define what they're talking about.”
Although increasingly popular, outsourcing is far from a silver bullet for CISOs. “Of course, it doesn't always make sense to outsource. Some functions are simply not cost effective – desktop AV is a good example here. I've had to talk several smaller clients out of outsourcing AV wholesale – it often doesn't make financial sense for smaller businesses,” explains Pate.
The future certainly looks bright for the MSSPs, especially as other alternatives to in-house ownership, such as SaaS, gain traction. “Outsourcing will become increasingly important to businesses of all sizes,” says Jones. “It's maturing rapidly – 16 months ago it would have been seen as highly risky to outsource firewall functionality, but now it's much more accepted. I certainly see much more compliance-related measurement going on in the cloud, as well as full-featured compliance suites and risk dashboards becoming more common.”
As each security technology matures and becomes de rigueur, the advantages of outsourcing it to a reliable MSSP seem clear. However, badly handled outsourcing schemes can cause enormous damage, and clear, coherent planning is critical to the success of any IT security project. Cost savings can be made, but will prove extremely expensive if data security is compromised. The rise of the MSSP is set to be steady, but certain.
7 QUESTIONS YOU NEED TO ASK AN MSSP BEFORE APPOINTING THEM
1 What is their security expertise and reputation?
Check that your candidates not only offer the expertise you need today, but also have a broad range of products and services to enable them to grow with your business. Chopping and changing takes time, costs money and can lead to security flaws. Also, ensure your potential supplier is financially stable.
2 At what maturity levels are their controls?
While many due diligence reports consist of a box-ticking exercise, this isn't enough for security. Find out not only what controls are in place, but the specifics. Everybody has a policy on mobile media and portable storage devices, but what are the relevant controls, how are they implemented and what metrics are available?
3 What are the service level agreement terms?
Check the fine print extremely carefully, and don't be afraid to flag up any terms that either don't apply, or add new ones that you feel should be included. Beware of generic terms such as ‘best efforts’ that can be easily avoided by the service provider.
4 What guarantees are in place?
In the event of a problem, what is covered by any guarantee offered? Hardware is usually included – but what else? Is data included? Some MSSPs offer cash compensation if specific events occur, such as a malware attack. But what does your chosen MSSP offer, and in what circumstances? Do these fit your business imperatives?
5 What service and support do they provide?
Check through staffing policies, ensure that they conform to the standards that you would expect, and that they are sufficient to provide the cover promised. Also, request confirmation of processes and procedures in place, and check the fine print. Check that security operations centre standards and capabilities are up to scratch.
6 Do they provide online access to service data and metrics?
Ask to see their proposed control interfaces and dashboard – how flexible are they to your business needs? Check what metrics they use, and what they monitor – are these the most important things to your company? Ask the MSSP for regular reports on updates, spam stopped, or vulnerabilities. Hold quarterly review meetings to go over service or security issues.
7 Does the service conform to the requirements of ISO 27000?
ISO 27000 stipulates that third party service agreements should be regularly checked, and compliance monitored. If your chosen MSSP doesn't conform, find out why – fast.
CASE STUDY: HALCROW
Halcrow is an international engineering firm working on infrastructure development projects across sectors including transportation, water, maritime and property.
It operates in more than 70 countries, employing a total of 7,500 people. Because of its global presence, the internet is business-critical, not least for the web-based mapping tools used for site research. Instant Messenger (IM) is used by employees to communicate with international offices.
The business originally relied on a patchwork of local software and hardware to monitor web connectivity, but discovered that the combination was not business-efficient.
“We had a couple of attacks that came through the Middle East,” says Neil Innes, MIS architecture, Halcrow. “They were web-based vectors and although the impact of the attacks was not widespread, they made us sit up and take note.”
Halcrow needed a solution that would provide real-time protection from malware and unwanted content, could be easily and rapidly deployed, and would eliminate the burden of web security from IT staff.
It began a full-blown research process into the solutions available. “We began at the beginning, and took a look across the spectrum of what was available, both software and hardware. It became rapidly apparent that hardware would not suit our distributed business footprint,” says Innes.
After considerable testing of a variety of solutions from different vendors, the company chose ScanSafe's managed email scanning service. “We decided it was better to go for someone else's service so that we can spend time doing other things that add value to our business rather than going through the pain of providing our own content filtering service, and judging by the previous solution, it was a pain,” says Innes.
The decision to outsource was taken gradually, with the business migrating email first, then adding web filtering once trust was built. “We took things pretty carefully,” adds Innes. “It took a long time – at least two years – to get comfortable with outsourcing the whole range of functionality.”
Compliance was a big driver, according to Innes, but one of the greatest benefits was the in-house time saving. “Our security manager is saving two days of administration time per investigation. At the current rate of 50 investigations a year, this results in an estimated potential saving of more than 100 days of senior admin time a year. We've also found that administration of the web content filtering service can now be handled by more junior staff, freeing up time of senior IT admin staff and resulting in a lower cost of ownership.”
Rollout speed was important, says Innes, as the branch offices could have turned deployment into a logistical nightmare. “Implementation was simply a case of installing software in each branch – it could have been done in hours flat. However, we were much more conservative than that, and spent days testing at each location before going live.”