Outsourcing Information Security

The need to keep information secure is not a recent development.

To satisfy this need, most organisations construct a list of security requirements based on common sense. This has proven fairly effective with simple and well understood media such as pen and paper. As information management (and its security) has become more complex in nature, the likelihood of a gap in that common sense list of requirements has increased. The relative decrease in common understanding of how an organisation's information is recorded, manipulated, stored and erased makes it difficult to identify a complete set of security requirements to protect it. The unfamiliar territory and undesirable complexity often results in a fairly typical human response -- make it someone else's problem.

Effective outsourcing: An introduction

Effective outsourcing of any business function requires that said function is defined, appraised and its inputs/outputs established.

Using this information an organisation can approach the market and clearly specify the scope of what it needs and what deliverables are expected. Understanding the value of the function facilitates the cost/benefit analysis. Said analysis should justify the outsourcing and take into account the cost of selecting the better provider.

Defining all attributes in monetary terms is difficult, but if this could be done any business function should net a positive return and the best provider of that function is the one (internal or external) that provides the highest positive return.

Well defined by Wikipedia, "Information security means protecting information and information systems from unauthorised access, use, disclosure, disruption, modification or destruction".

Given information systems are increasingly of a technical nature, the solution that protects them often involves technical security products such as antivirus, firewalls and intrusion detection; or technical security services such as security event management, penetration testing and incident response. While products and services can be a significant component in an organisation's security solution, they alone should not be what defines it.

Buying something that "does" security, is like buying something that does food preparation. You may be lucky and stumble across the one tool that meets all your needs, but most people would like more influence over what they have for dinner than, "I bought a fork".

The problem

The domain of information security is the aggregate of subsets of all other domains. It arises from the need to have controls in place that ensure all domains operate correctly. It is empowered through governing documents such as policies, standards and guidelines; and is funded ideally through an organisation's executive committee. Often (particularly in smaller companies) security is instead funded indirectly by the department under which it resides. Due to the nature of the information security domain, it is extremely difficult to outsource.

Outsourcing components of information security is achievable, but often there is a significant gap between the intent of an outsourcing and what it results in.

As information systems have become more technical in nature, the number of ways in which they can operate incorrectly has increased. The methods for detecting incorrect operation require more specialist knowledge and thus are less widely understood. If George writes down a request for product on a purchase order and signs it, most recognise the order is as good as the signature and so require that it be validated by a witness or prior knowledge.

(Not to mention the common law supporting correct practice) If, however, George emails a purchase order number, most will not appreciate that email can be forged unless signed using a valid asymmetric cipher and a key of appropriate length, validated by a PKI hierarchy of suitable repute. If a malicious party is controlling George's PC, there certainly isn't a courtroom that will be able to review all of George's countermeasures and decide whether he is to blame or not for the fake purchase order. (Risking inconsistencies and flawed reasoning in common law) In short the appropriateness of information security practices are harder for the masses to understand. (Adequate legislation would simply provide another authority no one understands.) As with all other domains, businesses need to decide what is their suitable level of investment in information security.

Factors that contribute to such decisions include legal obligations, cost/benefit analysis, risk analysis and less tangible benefits such as ethical obligations. Unfortunately, applying each of these factors to technology requires an understanding of the technology and the operational practices that support it. A person with this level of understanding is rarely empowered with significant delegated financial authority.

To allow delegated financial authorities to effectively fund information security without having to understand the underpinning technology, relevant factors are often translated into commonly understood currency such as risk and money. This translation is however often incomplete and always requires further interpretation. It is very difficult to place a dollar value on publishing an advisories page on your website to decrease the possibility of a phishing attack. If risk analysis is used then the likelihood of a phishing attack is largely irrelevant as the impact could be the total loss of all information assets (Impact = "Catastrophic") and thus the risk rating is "Extreme" for all but the rarest of events.

With such a hobbled method for decision making and an apparent risk to the business, it is commonplace to take the view that it is better to do something rather than nothing. Firewalls are purchased and IDS installed at great expense. A lot of the countermeasures purchased may meet an obvious requirement to the trained engineer, but the level of investment is often not balanced. In the interests of doing something an appliance may be purchased. The level of risk may warrant a significant allocation of funds, but it often isn't achievable to distribute those funds across all desirable initiatives. Initiatives can be complex in themselves or the impact of them difficult to grasp (for example the advisories page). Delivering an appliance gives the business something tangible for its money and doesn't require further explanation. The appliances demonstrates that something is being done and gives a line item on a budget demonstrating that the business is addressing security.

All organisations at one time or another need to reduce costs or at the very least review expenditure. Information security is not exempt from this (and nor should it be) so a delegated financial authority once again looks at the line item for the appliance that was purchased to "do security". Due diligence requires that cheaper alternatives such as outsourcing be considered. Often outsourcing appears a cheaper alternative to said appliance and so is selected as the path forward.

Information about what justified the appliance in the first place is incomplete and the additional controls [potentially] required to outsource its function aren't quantified. And so a cheaper, rounder peg is used to fill an ill defined square hole. It is of little surprise that information and information systems are not well protected in a lot of organisations.

Outsourcing: Two cents worth

The justification given for outsourcing is often cited as being financial. This is no surprise, as ultimately most company decisions are based on building or conserving finances. A slightly more detailed view is that an organisation will outsource a function for the following reasons:

• The outsourcer can do it better for the same cost.

• The outsourcer can do it the same for a lower cost.

• The outsourcer can't do it as well, but does it at a lower cost.

Just because you can outsource something, doesn't mean that you should. Sometimes it is better to keep certain functions in house. Examples of areas that should not be outsourced include:

• Anything deemed to be "core business" should remain in-house to ensure intellectual property is constantly growing. If a desktop services provider outsources it's desktop services, it makes sense for their customers to buy of their outsource partner rather than them.

• Anything perceived to be "core business". Perception is reality and to ensure good standing in the marketplace an organisation must address it.

Examples of outsourcing security

"Security as a Service" is the utopia intended to address the woes of organisations that do not want to be involved at all.

Outsourcers promise to take care of information security and often deliver it in the form of a managed firewall and antivirus. The quality of the service is often validated by references from other customers and potentially a site visit. Existing customers praise to the outsourcer for a flawless service backed up with monthly reporting -- in colour. Closer examination however demonstrates the model is flawed. In such an arrangement, the outsourcer is discouraged from reporting any issue. Why degrade your reputation when it is unlikely that your customers (who have abandoned any internal resource) will be any the wiser. With no trusted resource there is no way to validate any findings (or lack thereof) through testing or an educated review.

Security operations are a common area to outsource. The scope is often difficult to define and a dedicated team is often not warranted. A third party is contracted to process security events from devices such as firewalls, IDS appliances, generic network equipment and infrastructure. The third party is relied on to process (de-duplicate, reconcile and interpret) the events and call attention to any issues. Few however check to see that the provider is providing as promised. Typically, the outsourcer in this case has a central operations room with lots of monitors displaying plenty of monitoring output. Oversubscribed staff attempt to process the barrage of alerts, but focus primarily on the top three to five customers listed on a whiteboard in the corner. If you aren't on the whiteboard, nobody is looking after your gear. Buying a solution is a way in which security is often inadvertently outsourced.

As already mentioned security is a part of all other domains and thus it follows that there is a security component to all solutions. As with security operations, a lack of demand from customers has meant that most integrators do not well cater for security in their solutions. A company trying to outsource it's WAN is likely to purchase private circuits off a telecommunications company. There is little incentive to go to the expense of dedicated circuits and the WAN may be bundled as part of a package. Typically this means that all inter-branch network security (which often includes telephony) has been outsourced to the telecommunications provider. Assuming that the provider experiences no human error of technical complications, the WAN by design is likely to be insecure.

Telcos rarely employ anything more than the inherent nature of multiplexing technologies (for example MPLS, ATM, Ethernet trunking) to divide customers traffic. They, like any other large entity, are susceptible to social engineering that could lead to the unauthorised connection of two customers' networks.

Telecommunications providers also have the difficult task of physically protecting their network from attack. I recently observed a cellular provider's roadside cabinet was labelled with their name and the name of the vendor who supplied the equipment within it. The cabinet was likely monitored, but its physical defence consisted of a padlock holding fast a cheap latch that a small hammer could likely circumvent.

Penetration testing is a specialist service that is quite rightly outsourced in a lot of cases. It is a complex service and there is significant value in it being done independently. It also produces a deliverable in the form of a report making justifying it easier. We must remember however that it isn't the whole picture. Penetration testing can't consider operational practices that may introduce new vulnerabilities as quickly as the old ones are removed. There often isn't evidence that the individual completing testing is adequately skilled to do so, nor is their proof that the majority of vulnerabilities present were discovered. Unfortunately, the reality is most people who commission penetration testing would be satisfied with the doctored report from a freeware scanning tool.

Related:
1 2 Page 1
Page 1 of 2
Get the best of CIO ... delivered. Sign up for our FREE email newsletters!