Benefits%20and%20Pitfalls%20of%20Outsourcing%20Security

1
Benefits and Pitfalls of Outsourcing Security

• Stan Kiyota, CISSP CISM
• Senior Information Security Manager
• Booz Allen Hamilton, Inc.

2
Agenda

• Outsourcing
• Definition
• Responsibility
• Keys for success
• Why?
• Who?
• What?
• Managed security service provider (MSSP)
• Definition
• Market trends, players
• Pros and cons of using an MSSP
• What to look for in an MSSP
• Key elements for managing outsourced security
  services
• Tips for successfully outsourcing security
  services

3
Defining outsourcing

• Outsourcing arrangement in which one company
  provides services for another company.
• These services are ones that usually can be
  provided in-house but for one reason or another
  are not.

4
Audience Response

• Raise your hand if you outsource some form of
  your IT services today.

5
Audience Response

• Raise your hand if you outsource some form of
  your information security services today.

6
Outsourcing means you are still responsible

• You are responsible and held accountable if
  something happens, responsibility rests with you.
• The outsourcing vendor should demand that you
  have an active role in management oversight.

7
These elements must come together for a
successful outsource to occur
Service Level Agreements
Management Oversight
Your MSSP
Business Policies Legal Agreements
IT Information Security Policies
8
Why outsource?

• Cannot afford full-time info sec staff
• Cannot retain competent information security
  staff due to wages and market competition
• Have already outsourced other IT functions, why
  not information security services?
• Have already figured out that someone else can do
  it better, cheaper, faster than we can
• All of the above and more

9
Who outsources?

• Businesses where IT security is not considered a
  core function of the business
• Commercial businesses up to US1B in revenues
  however, there are some multi-billion-dollar
  companies which have outsourced their entire IT
  functions to the likes of EDS and IBM
• Governments (Federal, State, Local)

10
What services should I consider outsourcing?

• Complete a business requirements analysis and
  determine the gaps between needs and
  capabilities.
• Determine what the business can support and what
  the labor market can bear.
• Ensure that your info sec architecture is
  complementary to the developing business plan for
  outsourcing.
• Document all services to be outsourced and
  policies, technologies, processes to support.
• Present a comprehensive business (not IT) plan
  for implementing managed security services.

11
What are Managed Security Services (MSS)?

• Managed Security Services (MSS) offer onsite and
  remote monitoring and management of security
  services with 24x7 real-time monitoring,
  protection, escalation and response processes.
• Many of the managed services offered include
• Firewalls
• intrusion detection systems (IDS)
• virtual private networks (VPNs)
• Routers
• antivirus/content checking
• periodic vulnerability or penetration
  studies/testing

Source IDC
12
What is the market for Managed Security Services
Providers (MSSP)?

• Yankee, Forrester, Gartner, etc. have varied
  estimates of a 2B to 5B market for managed
  security services by 2005, to as much as 8B by
  2008.
• Everyone is trying to play, but the vendor market
  is consolidating.
• MSSPs with 5 people are competing with companies
  with 50,000 employees.

13
Who are the players in the MSSP space?
TruSecure
LURHQ
14
In 2003, only two firms were identified as
leaders in Gartners North American MSSP Magic
Quadrant
Source The Gartner Group
15
Audience Response

• Raise your hand if you use or have used one of
  those companies listed today.

16
Why should my company consider using managed
security services?
Strengths Weaknesses Opportunities Threats
FOCUS - frees internal IT staff from operational tasks SKILLS The MSSP is responsible for providing the needed skills EFFICIENCY MSSP is more efficient then you are at providing the services STABLE COSTS consistent costs for product provided GENERIC - Lack of customization to your needs POLICIES MSSP still needs you to maintain IT security policies COMPLACENCY - Can give end-users false sense of security Allows customers to focus on core business while dedicated security professionals manage security elements Ability to keep up with security and technology changes without slowing business End-users can promote stronger brand value by publicizing their efforts to be secure Perceived increase in vulnerability because of outside provider handling security elements
Source Unisys UK IDC
17
What are the downsides of using managed security
services?

• Someone else has responsibilities you may not
  have direct control over.
• You dont build internal expertise and knowledge.
• Legal liabilities and ramifications if something
  happens may be limited.
• What happens if the provider goes out of
  business suddenly such as Salinas Group, Pilot
  Networks, Covad, Nettel, LMGT and others?
• What about Arthur Andersen?

18
What should I look for in an MSSP?

• Sound, written confidentiality agreements (SLAs)
• Willingness to negotiate flexible contracts and
  terms
• One who provides resumes or qualifications of
  those actually doing the work
• One with expertise in the area you may outsource
• Flexibility to meet your business and IT needs
• Size and geography to meet your needs
• Financial viability of the company

19
Other crucial considerations in an MSSP

• Do they have the size to do the job?
• Do they use sound technology processes?
• White hat or black hat?
• Are they a business partner today?
• SOC More than one backup?
• Do they cover your security products?

20
Finally, are they truly qualified to do the job?

• Are they ISO17799 or BS7799 compliant
  certified?
• CISSPs? CISMs? CISAs? SSCPs? GIAC?
• CERT, IETF, FDIC, FFIEC, OCC, HIPAA experienced?

21
Identifying the key elements of managing
outsourced security services

• How much should your vendor manage?
• Ownership, location, management over security
  devices and type
• What can you afford to do, and what can you not?
• Whats the role of policies and legal
  requirements?
• Outsourcing means you are still responsible.

22
How much should your vendor manage?

• You -- not the vendor -- should decide the level
  of the vendors involvement.
• You need to retain overall management
  responsibility of the effort.
• Size does matter the larger the outsourcing
  effort, the more management effort you will need
  to put in.

23
How much can you afford? What can you afford not
to do?

• You must retain control over strategies and
  policies.
• Managed services are most successful when
  outsourcers have control over entire segments ?
  e.g. firewalls, intrusion detection, etc.
• Do not let the providers technology expertise
  sway your technology direction and requirements.

24
Whats the role of security policies and legal
requirements?

• First and foremost, you must have a complete set
  of IT and information security policies in place
• SLA scope of activity and when uptime response
  time activities after virus, hack, breach,
  incident, etc.
• A good vendor will not take a contract with you
  without these.
• Your business should have corporate policies on
  how outsourcing agreements are executed legally
  within your company.

25
Outsource only when

• You retain control.
• You have properly negotiated legal and financial
  agreements.
• You have business, IT and information security
  policies.
• You always retain the right-of-refusal for staff
  servicing your account.
• The vendor says they can do what you need, rather
  than saying they can do it all.
• You have SLAs that can be measured and rewarded
  (or penalized).
• You make sure the vendor will be there for you.

26
Key outsourcing points

• Remember There is no one right provider IDC.
• Leverage relationships, but dont relinquish
  responsibilities.
• Bottom Line Outsourcing information security
  requires you to have explicit trust in your
  vendor and the faith that they will always do the
  right thing on your behalf.

27
Thank you.Questions, comments?