Outsourcing information security
- 28 January, 2010 07:24
The need to keep information secure is not a recent development. To satisfy this need, most organisations construct a list of security requirements based on common sense. This has proven fairly effective with simple and well understood media such as pen and paper. As information management (and its security) has become more complex in nature, the likelihood of a gap in that common sense list of requirements has increased.
The relative decrease in common understanding of how an organisation's information is recorded, manipulated, stored and erased makes it difficult to identify a complete set of security requirements to protect it. The unfamiliar territory and undesirable complexity often results in a fairly typical human response -- make it someone else's problem.
Effective outsourcing: An introduction
Effective outsourcing of any business function requires that said function is defined, appraised and its inputs/outputs established. Using this information an organisation can approach the market and clearly specify the scope of what it needs and what deliverables are expected. Understanding the value of the function facilitates the cost/benefit analysis. Said analysis should justify the outsourcing and take into account the cost of selecting the better provider.
Defining all attributes in monetary terms is difficult, but if this could be done any business function should net a positive return and the best provider of that function is the one (internal or external) that provides the highest positive return.
Well defined by Wikipedia, "Information security means protecting information and information systems from unauthorised access, use, disclosure, disruption, modification or destruction".
Given information systems are increasingly of a technical nature, the solution that protects them often involves technical security products such as antivirus, firewalls and intrusion detection; or technical security services such as security event management, penetration testing and incident response. While products and services can be a significant component in an organisation's security solution, they alone should not be what defines it.
Buying something that "does" security, is like buying something that does food preparation. You may be lucky and stumble across the one tool that meets all your needs, but most people would like more influence over what they have for dinner than, "I bought a fork".
The domain of information security is the aggregate of subsets of all other domains. It arises from the need to have controls in place that ensure all domains operate correctly. It is empowered through governing documents such as policies, standards and guidelines; and is funded ideally through an organisation's executive committee.
Often (particularly in smaller companies) security is instead funded indirectly by the department under which it resides. Due to the nature of the information security domain, it is extremely difficult to outsource.
Outsourcing components of information security is achievable, but often there is a significant gap between the intent of an outsourcing and what it results in. As information systems have become more technical in nature, the number of ways in which they can operate incorrectly has increased. The methods for detecting incorrect operation require more specialist knowledge and thus are less widely understood.
If George writes down a request for product on a purchase order and signs it, most recognise the order is as good as the signature and so require that it be validated by a witness or prior knowledge. (Not to mention the common law supporting correct practice).
If, however, George emails a purchase order number, most will not appreciate that email can be forged unless signed using a valid asymmetric cipher and a key of appropriate length, validated by a PKI hierarchy of suitable repute. If a malicious party is controlling George's PC, there certainly isn't a courtroom that will be able to review all of George's countermeasures and decide whether he is to blame or not for the fake purchase order. (Risking inconsistencies and flawed reasoning in common law).
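The contrast drawn above, between a signed paper order and an unsigned email, comes down to whether the recipient can verify that the message was produced by George's key and has not been altered since. The following Go program is an added illustration, not code from the article or its author: it signs a constructed purchase order with Ed25519, then shows that the genuine order verifies while a tampered amount and an order signed with someone else's key both fail. The `PurchaseOrder` type, the field values and the `Demo` helper are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// PurchaseOrder is a hypothetical order George would send by email.
// The fields and values are constructed for this example.
type PurchaseOrder struct {
	Number   string
	Supplier string
	Amount   string
}

// canonical serialises the order deterministically so that the signer and
// the verifier operate on exactly the same bytes.
func canonical(po PurchaseOrder) []byte {
	return []byte("PO|" + po.Number + "|" + po.Supplier + "|" + po.Amount)
}

// SignOrder produces a detached Ed25519 signature over the canonical form.
func SignOrder(priv ed25519.PrivateKey, po PurchaseOrder) []byte {
	return ed25519.Sign(priv, canonical(po))
}

// VerifyOrder checks the signature against the sender's public key. Any
// change to the order, or a signature made with another key, fails.
func VerifyOrder(pub ed25519.PublicKey, po PurchaseOrder, sig []byte) bool {
	return ed25519.Verify(pub, canonical(po), sig)
}

// Demo returns the verification results for the three cases the text
// raises: a genuine order, a tampered order, and an order claiming to be
// from George but signed with a different party's key.
func Demo() (genuine, tampered, forged bool, err error) {
	georgePub, georgePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}

	po := PurchaseOrder{Number: "PO-1001", Supplier: "Acme Ltd", Amount: "1250.00"}
	sig := SignOrder(georgePriv, po)
	genuine = VerifyOrder(georgePub, po, sig)

	// Same signature, but the amount was changed in transit.
	altered := po
	altered.Amount = "12500.00"
	tampered = VerifyOrder(georgePub, altered, sig)

	// Correct content, but signed by a key that is not George's.
	forgedSig := SignOrder(otherPriv, po)
	forged = VerifyOrder(georgePub, po, forgedSig)
	return
}

func main() {
	g, t, f, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v forged=%v\n", g, t, f)
}
```

What the block cannot show is the part the article attributes to a PKI hierarchy: the verifier must already hold George's public key from a trusted source, otherwise an attacker simply supplies their own key alongside their own signature. Nor does a signature help in the article's last scenario; if George's PC is under someone else's control, the forged order is signed with George's real key and verifies cleanly.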
In short, the appropriateness of information security practices is harder for the masses to understand. (Adequate legislation would simply provide another authority no one understands.) As with all other domains, businesses need to decide what is their suitable level of investment in information security.
Factors that contribute to such decisions include legal obligations, cost/benefit analysis, risk analysis and less tangible benefits such as ethical obligations. Unfortunately, applying each of these factors to technology requires an understanding of the technology and the operational practices that support it. A person with this level of understanding is rarely empowered with significant delegated financial authority.
To allow delegated financial authorities to effectively fund information security without having to understand the underpinning technology, relevant factors are often translated into commonly understood currency such as risk and money. This translation is however often incomplete and always requires further interpretation.
It is very difficult to place a dollar value on publishing an advisories page on your website to decrease the possibility of a phishing attack. If risk analysis is used then the likelihood of a phishing attack is largely irrelevant as the impact could be the total loss of all information assets (Impact = "Catastrophic") and thus the risk rating is "Extreme" for all but the rarest of events.
With such a hobbled method for decision making and an apparent risk to the business, it is commonplace to take the view that it is better to do something rather than nothing.
Firewalls are purchased and IDS installed at great expense. A lot of the countermeasures purchased may meet an obvious requirement to the trained engineer, but the level of investment is often not balanced. In the interests of doing something an appliance may be purchased. The level of risk may warrant a significant allocation of funds, but it often isn't achievable to distribute those funds across all desirable initiatives. Initiatives can be complex in themselves or the impact of them difficult to grasp (for example the advisories page).
Delivering an appliance gives the business something tangible for its money and doesn't require further explanation. The appliance demonstrates that something is being done and gives a line item on a budget demonstrating that the business is addressing security. All organisations at one time or another need to reduce costs or at the very least review expenditure. Information security is not exempt from this (and nor should it be) so a delegated financial authority once again looks at the line item for the appliance that was purchased to "do security".
Due diligence requires that cheaper alternatives such as outsourcing be considered. Often outsourcing appears a cheaper alternative to said appliance and so is selected as the path forward. Information about what justified the appliance in the first place is incomplete and the additional controls [potentially] required to outsource its function aren't quantified. And so a cheaper, rounder peg is used to fill an ill-defined square hole. It is of little surprise that information and information systems are not well protected in a lot of organisations.
Outsourcing: Two cents worth
The justification given for outsourcing is often cited as being financial. This is no surprise, as ultimately most company decisions are based on building or conserving finances. A slightly more detailed view is that an organisation will outsource a function for the following reasons:
- The outsourcer can do it better for the same cost.
- The outsourcer can do it the same for a lower cost.
- The outsourcer can't do it as well, but does it at a lower cost.
Just because you can outsource something, doesn't mean that you should. Sometimes it is better to keep certain functions in house. Examples of areas that should not be outsourced include:
- Anything deemed to be "core business" should remain in-house to ensure intellectual property is constantly growing. If a desktop services provider outsources its desktop services, it makes sense for their customers to buy from their outsource partner rather than from them.
- Anything perceived to be "core business". Perception is reality and to ensure good standing in the marketplace an organisation must address it.
Examples of outsourcing security
"Security as a Service" is the utopia intended to address the woes of organisations that do not want to be involved at all. Outsourcers promise to take care of information security and often deliver it in the form of a managed firewall and antivirus. The quality of the service is often validated by references from other customers and potentially a site visit. Existing customers praise the outsourcer for a flawless service backed up with monthly reporting -- in colour. Closer examination however demonstrates the model is flawed.
In such an arrangement, the outsourcer is discouraged from reporting any issue. Why degrade your reputation when it is unlikely that your customers (who have abandoned any internal resource) will be any the wiser. With no trusted resource there is no way to validate any findings (or lack thereof) through testing or an educated review.
Security operations are a common area to outsource. The scope is often difficult to define and a dedicated team is often not warranted.
A third party is contracted to process security events from devices such as firewalls, IDS appliances, generic network equipment and infrastructure. The third party is relied on to process (de-duplicate, reconcile and interpret) the events and call attention to any issues. Few however check to see that the provider is providing as promised. Typically, the outsourcer in this case has a central operations room with lots of monitors displaying plenty of monitoring output. Oversubscribed staff attempt to process the barrage of alerts, but focus primarily on the top three to five customers listed on a whiteboard in the corner.
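The processing the article expects of a security operations provider (de-duplicate, reconcile and interpret events from several device types) is simple enough to sketch in code, and a customer who understands it is better placed to check that the provider actually does it. The Go program below is an added example, not code from the article or from any provider: it parses a constructed feed of firewall, IDS and switch lines, collapses exact repeats into counted entries, groups the result by source address and raises the priority when more than one device type reports the same source. The line format, the `repeatThreshold` parameter and the priority labels are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Event is one parsed line from a device feed. The fields match the
// constructed sample below, not any real vendor format.
type Event struct {
	Time, Device, Action, Src, Dst, Detail string
}

// ParseEvent reads the constructed "time device action k=v ..." form.
// Lines without a src= field are rejected so they cannot be silently grouped.
func ParseEvent(line string) (Event, bool) {
	f := strings.Fields(line)
	if len(f) < 4 {
		return Event{}, false
	}
	e := Event{Time: f[0], Device: f[1], Action: f[2]}
	for _, kv := range f[3:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return Event{}, false
		}
		switch k {
		case "src":
			e.Src = v
		case "dst":
			e.Dst = v
		default:
			e.Detail += k + "=" + v + " "
		}
	}
	e.Detail = strings.TrimSpace(e.Detail)
	return e, e.Src != ""
}

// Counted is an event with the number of identical repeats it stands for.
type Counted struct {
	Event
	Count int
}

// Dedup collapses events that are identical apart from their timestamp.
func Dedup(events []Event) []Counted {
	idx := map[string]int{}
	var out []Counted
	for _, e := range events {
		key := strings.Join([]string{e.Device, e.Action, e.Src, e.Dst, e.Detail}, "|")
		if i, ok := idx[key]; ok {
			out[i].Count++
			continue
		}
		idx[key] = len(out)
		out = append(out, Counted{Event: e, Count: 1})
	}
	return out
}

// Finding is what an analyst should see: one entry per source host with a
// priority derived from corroboration across devices and from volume.
type Finding struct {
	Src      string
	Devices  []string
	Events   int
	Priority string
}

// Reconcile groups counted events by source address. A source seen by more
// than one device type is "high"; one device type but at least
// repeatThreshold events is "medium"; anything else is "low".
func Reconcile(counted []Counted, repeatThreshold int) []Finding {
	bySrc := map[string]*Finding{}
	seen := map[string]map[string]bool{}
	for _, c := range counted {
		f, ok := bySrc[c.Src]
		if !ok {
			f = &Finding{Src: c.Src}
			bySrc[c.Src] = f
			seen[c.Src] = map[string]bool{}
		}
		f.Events += c.Count
		if !seen[c.Src][c.Device] {
			seen[c.Src][c.Device] = true
			f.Devices = append(f.Devices, c.Device)
		}
	}
	var out []Finding
	for _, f := range bySrc {
		switch {
		case len(f.Devices) > 1:
			f.Priority = "high"
		case f.Events >= repeatThreshold:
			f.Priority = "medium"
		default:
			f.Priority = "low"
		}
		sort.Strings(f.Devices)
		out = append(out, *f)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Src < out[j].Src })
	return out
}

// sampleFeed is a constructed feed using documentation address ranges;
// it includes repeats, a corroborated source and one malformed line.
var sampleFeed = []string{
	"2010-01-28T07:24:01 fw deny src=203.0.113.5 dst=192.0.2.10 dport=22",
	"2010-01-28T07:24:02 fw deny src=203.0.113.5 dst=192.0.2.10 dport=22",
	"2010-01-28T07:24:03 fw deny src=203.0.113.5 dst=192.0.2.10 dport=22",
	"2010-01-28T07:24:04 ids alert src=203.0.113.5 dst=192.0.2.10 sig=ssh-bruteforce",
	"2010-01-28T07:25:00 fw deny src=198.51.100.7 dst=192.0.2.11 dport=445",
	"2010-01-28T07:25:30 fw deny src=198.51.100.7 dst=192.0.2.11 dport=445",
	"2010-01-28T07:26:00 switch linkdown src=192.0.2.250 dst=- port=Gi0/3",
	"malformed line",
}

// Process runs the full pipeline over raw lines.
func Process(lines []string, repeatThreshold int) []Finding {
	var events []Event
	for _, l := range lines {
		if e, ok := ParseEvent(l); ok {
			events = append(events, e)
		}
	}
	return Reconcile(Dedup(events), repeatThreshold)
}

func main() {
	for _, f := range Process(sampleFeed, 2) {
		fmt.Printf("%-14s %-8s events=%d devices=%v\n", f.Src, f.Priority, f.Events, f.Devices)
	}
}
```

On the sample feed this yields three findings rather than eight lines: the source reported by both the firewall and the IDS comes out "high", the repeated firewall denies from a second source "medium", and the switch event "low". A customer can feed a provider a small known set of events of this shape and compare what comes back against this expectation; a report that lists every raw line, or that misses the corroborated source, shows the promised processing is not happening.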
If you aren't on the whiteboard, nobody is looking after your gear.
Buying a solution is a way in which security is often inadvertently outsourced. As already mentioned, security is a part of all other domains and thus it follows that there is a security component to all solutions. As with security operations, a lack of demand from customers has meant that most integrators do not cater well for security in their solutions. A company trying to outsource its WAN is likely to purchase private circuits off a telecommunications company.
There is little incentive to go to the expense of dedicated circuits and the WAN may be bundled as part of a package. Typically this means that all inter-branch network security (which often includes telephony) has been outsourced to the telecommunications provider. Assuming that the provider experiences no human error or technical complications, the WAN by design is likely to be insecure. Telcos rarely employ anything more than the inherent nature of multiplexing technologies (for example MPLS, ATM, Ethernet trunking) to divide customers' traffic. They, like any other large entity, are susceptible to social engineering that could lead to the unauthorised connection of two customers' networks. Telecommunications providers also have the difficult task of physically protecting their network from attack.
I recently observed that a cellular provider's roadside cabinet was labelled with their name and the name of the vendor who supplied the equipment within it. The cabinet was likely monitored, but its physical defence consisted of a padlock holding fast a cheap latch that a small hammer could likely circumvent.
Penetration testing is a specialist service that is quite rightly outsourced in a lot of cases. It is a complex service and there is significant value in it being done independently. It also produces a deliverable in the form of a report, which makes justifying it easier.
We must remember however that it isn't the whole picture. Penetration testing can't consider operational practices that may introduce new vulnerabilities as quickly as the old ones are removed. There often isn't evidence that the individual completing testing is adequately skilled to do so, nor is there proof that the majority of vulnerabilities present were discovered. Unfortunately, the reality is most people who commission penetration testing would be satisfied with the doctored report from a freeware scanning tool.
Standards can provide great assistance in improving the security posture of a company. An organisation that relies solely on standards to assure security is, however, likely to experience a gap as is often demonstrated by companies seeking PCI compliance. The PCI standard is intended to be a bare minimum of requirements for protecting cardholder data. It is not intended to be the target state for modern organisations' security programs.
It has become commonplace for companies running PCI compliance projects to aim to meet the bare minimum of requirements. As much as possible is de-scoped to reduce the cost of the project - a reasonable approach only if there is something else picking up the security shortfall. Some attempt to outsource all payment card functions so they don't need to even meet the minimum requirements.
This report is not intended to comment on PCI, however the author has witnessed the provisioning of a new e-commerce site where card processing was outsourced to avoid troublesome encryption and authentication management. While I am sure it was technically PCI compliant, that simply meant customers' money was taken securely and effectively. The woeful security in the main site made it trivial to change the delivery address after purchasing, manipulate product prices and monitor what other customers were doing.
All organisations should have at least one appointed security role. While the person holding the role may not be dedicated to security, training should be provided to ensure a calculated level of skill. Any contracting of third parties to provide support services should be managed by that security role. Outsourcing security in its entirety is not viable.
To retain a level of assurance that security is being delivered as intended, a (relative) security specialist needs to define the checks and balances.
Outsourcing security operations is achievable, but there is an overhead that needs to be taken into account. The operational tasks should be by design and not whatever the service provider can manage. Concessions may be made for a preferred supplier, but ensuring the target state for security operations is defined makes it possible to quantify the concessions and if necessary compensate elsewhere.
When a turnkey solution is being purchased from an integrator, it should be assumed that security has not been considered until proven otherwise. It is not to say that integrators are negligent, but their business focus is delivering what was requested for the lowest price. Typically, the security in a solution will not be required to deliver the end user function and is consequently easily cut without complaint.
An independent party, whether internal or external, should be engaged to review the solution and ensure any risks it introduces are understood and formally accepted by the business prior to deployment.
Regardless of the security function being outsourced, testing should be an ongoing assurance measure. Operational teams should be subject to social engineering attempts and mock incidents, ensuring their response is appropriate. Known vulnerabilities should be built into applications before commencing penetration testing to ensure they are reported on. Testing is of course required even when security is wholly sourced from within, but does not need to include testing the competence of the outsourcer as competence of internal staff should already be well understood.
The major issue with outsourcing aspects of information security is that while intent may remain the same, assurance is greatly reduced. This is best illustrated by considering the two extreme cases.
In an organisation with a complete internal security capability, there would be an independent security group who reports to the highest levels of management if not the board.
Among other things the group acts as a watchdog, providing assurance that the health of different areas of the business is being reported correctly and completely. The network team should highlight security issues (among others) and the security team should ensure this happens. Security staff are contractually bound as individuals and given incentive through their remuneration to perform the tasks completely and correctly.
In an organisation where information security is wholly outsourced, everything is one step further away. The contract is with a limited liability company with unknown recruitment strategies and who potentially subcontract a number of functions. There is typically limited opportunity to evaluate the individuals doing the work even if they can be identified. The incentives given to the outsourcer's staff are unknown and may contradict the intent of the function being outsourced.
The security of any business area that doesn't have controls providing assurance is low. While having good assurance controls around the integrity of an outsource agreement is possible, the controls are typically more expensive than if the function was sourced from within. This is one of the overheads of effective outsourcing.
There is one major caveat that needs to be taken into account: people need to care about security. It sounds obvious, but this is often the largest influence on the quality of security services. Toyota does not put jacuzzis in its Hiluxes, because their customer base doesn't demand it. I am sure if you asked any Hilux owner if they wanted their truck to have a jacuzzi (with no cost or loss of function) they would welcome the feature. There is nothing like having a hot soak in the back country after a day of fencing. End users need to demand security and not simply accept the "brochureware".
They need to demand proof (assurance) that what they are getting is secure. When this happens companies will take note and react to the market demand. Company management also need to take responsibility if for no other reason than due to an ethical obligation. Management should demand more than a monthly pie chart and take an interest in the security of their organisation. When signing outsourcing agreements, security should be considered before signing on the dotted line.
Components of security can be delivered effectively by outsource partners, but it takes more than hoping for the best. Outsourcing security components, like any other business decision, should consider the whole impact. One needs to complete due diligence, the risks need to be managed, mitigations implemented and of course assurance controls built in. While it is easy to blame security firms for the distressing state of most companies, the reality is the blame lies a lot closer. Individuals need to demand security from suppliers and take responsibility for delivering it in the areas they control.
Simon Burson is an information security consultant. He has delivered policies, operating models, architectures and solutions in both internal and customer facing security roles. Email him at firstname.lastname@example.org