Customers and outsourcing suppliers who engaged in the
outsourcing boom three to five years ago are now facing significant security
challenges. Particularly, the last 18 months have seen a shift in the perception
of the security issues that face networking infrastructures. For the first time,
networking products have made it to the SANS Top 20 vulnerability list, with
Cisco's IOS getting specific attention. In the past, there was very little
attention paid to the possibility of security vulnerabilities in network
infrastructure equipment being exploited. The demonstration given at BlackHat
symposium in 2005 has also contributed to the new perception of network
infrastructure as being subject to security issues previously only dealt with in
relation to servers and desktop computing resources. The research firm Gartner
recommends that enterprises that run Cisco IOS pay close attention to IOS
vulnerabilities, treat them seriously, and follow the guidelines within
advisories to upgrade to a newer version of software at the earliest possible
opportunity.
In the event of buffer/heap/stack overflow vulnerability
exploitation, Gartner recommends that enterprises take immediate action to
shield their network by implementing a layered defense, including network-based
intrusion prevention technologies, to block exploits while executing normal
test-and-patch deployment processes. The sheer amount of Cisco equipment
installed, the many versions of IOS involved, the difficulties of upgrading IOS
and the IOS vulnerabilities already out there or yet to be discovered present a
major challenge to network administrators and security professionals. This is an
aspect that needs to be reflected in outsource contracts, or if handled
in-house, the amount of effort required should be recognized and planned for.
Security Shift
All these developments resulted in widespread realization that traditional
firewall and antivirus technologies, as covered in original outsourcing
contracts, were not able to withstand emerging threats such as self-replicating
worms, port 25 (mail), port 80 (Web), P2P exploits and spyware, amongst others.
And to compound the external threat, internal IT assets that were infected were
infecting other internal assets.
A detection and response strategy within the perimeter was now
required to supplement the ailing protection strategy. Many enterprises were
also not aware that their insurance policies did not provide cover against
malicious code attacks. Other companies who tried to buy coverage found there
were few policies being written that protected against digital attacks.
The security industry experienced a very busy year in 2004.
There was much piloting and testing of IPS and other appliances to solve
specific problems. During this exploratory phase, a key issue for outsourcers
and their customers was the question of who was going to take responsibility for
paying for the implementation of the technology once they were satisfied with
the tests/results.
The biggest error made by organizations and outsourcers was that
they thought that deploying this technology would solve their issues. What they
did not realize was that they were only solving particular issues, in much the
same way as they had done when they invested in firewalls, VPNs and antivirus
software. While IPS appliances, application firewalls, host-IPS, desktop
firewalls and IDS were being installed, no one considered the fact that security
needed to be a holistic process involving people, process and technology.
Outsourcing contracts were modified to include the provision and
management of additional security hardware at strategic points within the
network. These measures repeated the mistakes of the past. They catered for
short-term challenges, but did not make provision for long-term issues.
Outsourcing Security
In response to growing concerns about security and the ever increasing
complexity of the management of these newly installed point devices, many
companies turned to the same companies who managed their existing network
infrastructure, or to the emerging band of managed security service providers.
This seemed the logical response for any company seeking to offload the
complexities of security management and to alleviate the need for highly-priced
technical talent.
The problem was that most of the contracts contained clauses in
the fine print absolving the service provider of liability and accountability
for security incidents. Many such contracts promised little more than
notification of events, which could not be confirmed as false positives. This
level of service put the onus on the customer to respond to and resolve the
incidents reported. In many cases, this caused extreme distress to unprepared
clients in their hour of need, especially when these same service providers were
able to assist in the incident response for additional hourly fees.
Outsourcing security has been a hot topic of debate for some
time. There is a strong argument for both sides and no sign of consensus on the
horizon. The facts are simple, yet overwhelming for many and include the
following:
- Addressing security and IT risk is not optional.
- Legislation and liability are driving security to the top of CIOs' priority
lists.
- There is a real awareness of the problem in bridging the gap between business
people and the technologists.
- Technology is ever changing; therefore security is a moving target.
- Good security resources are difficult to find, and costly to hire and retain.
- Outsourcing security does not transfer accountability or liability to the
service provider.
Regardless of whether organizations choose to outsource or go
in-house for security, the challenge lies in getting executive support and
alignment between the business units and the security function. At worst, these
relationships are adversarial and conflict between groups results in a decrease
in productivity. At best, the security officer understands the business and is
able to communicate the threats to business operations clearly and show that
effective risk management actually enables the business.
Many enterprises make the mistake of outsourcing their security
as part of a generic outsourcing agreement before obtaining this alignment. The
outsourcing then leads to a false sense of security or a 'tick in the box'.
Recommendations
Organizations that simply cannot afford the investment in resources need to
be sure of the services that they are buying and specifically what exclusions
are in their outsource contract. Frequently, outsourcers offer low bids to
secure the business and then try to make up for it in change or out-of-scope
orders.
It is a fact that organizations will need to continuously adapt
their security practices to suit the ever changing environment. Threats,
vulnerabilities and mitigation procedures have changed dramatically over the
years and organizations must be able to adapt their contract and the underlying
security architectures used to keep pace.
If organizations have questions about the service level
commitments or the verbiage in the contract, they should consult a trusted
advisor. A technology partner, independent auditor or legal counsel can help
them navigate the complexities. For international and multinational
organizations, it is important to seek advice on compliance requirements in
every individual country in which the organization is conducting business, and
to find out how their service provider is addressing those requirements. Once
organizations understand what the outsourcer intends to do, they need to figure
out how to fill the gaps.
Considerations
Organizations should consider the following points when outsourcing security
(either in its entirety or as part of a bigger infrastructure outsource
contract):
- Note that compliance is the responsibility of the company, not the
outsourcer.
- How does the service organization's purchase enable them to better manage
risk?
- What are the terms of the agreement? Check SLAs, limitations and exclusions.
Organizations need to know exactly what they are getting for their investment.
- Be prepared to respond when incidents occur. This means that organizations
need an incident response plan and someone to deal with the response. The
contractor must support post-incident review.
- Verify that the outsourcer is compliant with all relevant legislation and
verify the security procedures and best practices deployed by the service
provider.
- Define security-related roles and responsibilities clearly and completely
and specify clear security objectives in the SLA for integrity,
confidentiality, availability, accountability and use control.
- Appoint a security officer, even if it is initially in a secondary role. The
security officer should have a direct reporting line to an executive who is
empowered to address tough questions and make decisions that impact the risk
exposure of the company.
- Retain the ability to monitor and audit the outsourcer's environment to
independently verify fulfillment of all the objectives and expectations.
- Ensure contract terms are flexible enough to allow for changes in a rapidly
changing threat landscape, and to avoid being blocked by the organizational
walls that outsourcing erects and the difficulty of anticipating all the
contingencies in a contract.
- Measure contractor performance through security metrics such as number of
incidents, time taken to respond to incidents, best practices, benchmarking,
etc.
- Even if an organization is using best practices frameworks such as ITIL or
COBIT for SLAs, do not rely on these for security; use security-specific
frameworks such as ISO 17799:2005.
- Customers need to try and include infrastructure "Security Assurance Level
Agreements" with their standard SLAs in outsourcing contracts in the future,
and minimize the number of people managing the network components.
- The outsourcers' goal is to lock down and standardize to gain efficiencies
and then sweat the assets. This is diametrically opposed to the adaptive nature
required by modern day secure infrastructures.
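The two list points above on checking SLA terms and on measuring contractor performance through incident counts and response times can be made concrete with a small evaluation script. The following is an added example, not code from the article or from any outsourcer's reporting tool; the incident records and the per-severity SLA targets are constructed values chosen for illustration, and a real contract would supply its own thresholds.

```python
from datetime import datetime

# Constructed sample incident records, in the shape an outsourcer's monthly
# report might provide (hypothetical data, not from the article).
INCIDENTS = [
    {"id": "INC-001", "severity": "high",
     "detected": "2005-03-01T08:00", "responded": "2005-03-01T08:20",
     "resolved": "2005-03-01T11:00"},
    {"id": "INC-002", "severity": "high",
     "detected": "2005-03-02T14:00", "responded": "2005-03-02T14:50",
     "resolved": "2005-03-02T17:00"},
    {"id": "INC-003", "severity": "medium",
     "detected": "2005-03-03T09:00", "responded": "2005-03-03T10:00",
     "resolved": "2005-03-04T08:00"},
    {"id": "INC-004", "severity": "medium",
     "detected": "2005-03-05T09:00", "responded": "2005-03-05T10:30",
     "resolved": "2005-03-06T12:00"},
    {"id": "INC-005", "severity": "low",
     "detected": "2005-03-07T09:00", "responded": "2005-03-07T12:00",
     "resolved": "2005-03-08T09:00"},
]

# Assumed SLA targets in minutes, per severity (hypothetical contract values).
SLA_RESPONSE_MIN = {"high": 30, "medium": 120, "low": 480}
SLA_RESOLVE_MIN = {"high": 240, "medium": 1440, "low": 4320}

_FMT = "%Y-%m-%dT%H:%M"


def _minutes_between(start, end):
    """Elapsed minutes between two ISO-style timestamps (no timezone)."""
    return (datetime.strptime(end, _FMT) - datetime.strptime(start, _FMT)).total_seconds() / 60


def evaluate(incidents, sla_response=SLA_RESPONSE_MIN, sla_resolve=SLA_RESOLVE_MIN):
    """Per-severity metrics: incident count, mean and worst response time,
    the list of SLA breaches, and the share of incidents fully within SLA.

    The mean alone hides individual breaches, so the worst case and the
    breach list are reported alongside it."""
    report = {}
    for inc in incidents:
        sev = inc["severity"]
        entry = report.setdefault(sev, {"count": 0, "response_minutes": [], "breaches": []})
        response = _minutes_between(inc["detected"], inc["responded"])
        resolve = _minutes_between(inc["detected"], inc["resolved"])
        entry["count"] += 1
        entry["response_minutes"].append(response)
        if response > sla_response[sev]:
            entry["breaches"].append((inc["id"], "response", response))
        if resolve > sla_resolve[sev]:
            entry["breaches"].append((inc["id"], "resolve", resolve))
    for sev, entry in report.items():
        times = entry.pop("response_minutes")
        entry["mean_response_min"] = sum(times) / len(times)
        entry["max_response_min"] = max(times)
        breached_ids = {b[0] for b in entry["breaches"]}
        entry["within_sla_pct"] = 100.0 * (entry["count"] - len(breached_ids)) / entry["count"]
    return report


def format_report(report):
    """Render the metrics as plain text lines suitable for a contract review."""
    lines = []
    for sev in sorted(report):
        e = report[sev]
        lines.append(f"{sev}: {e['count']} incidents, mean response {e['mean_response_min']:.0f} min, "
                     f"worst {e['max_response_min']:.0f} min, {e['within_sla_pct']:.0f}% within SLA")
        for inc_id, kind, minutes in e["breaches"]:
            lines.append(f"  breach: {inc_id} {kind} took {minutes:.0f} min")
    return lines


if __name__ == "__main__":
    for line in format_report(evaluate(INCIDENTS)):
        print(line)
```

Running the script shows why the mean is a weak contract metric on its own: the high-severity mean response of 35 minutes looks close to target, but one of the two incidents missed the 30-minute response target and the medium-severity resolution of INC-004 overran its target by three hours. A customer who retains the raw incident timestamps, as the audit point above recommends, can compute these figures independently rather than relying on the outsourcer's summary.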
Choosing a Partner
As applications such as telephony, P2P and Microsoft Live Messaging rapidly
converge onto the network infrastructure, security becomes more complex and
important. In addition, the industry is faced with strong convergence of
networks, systems and security management as companies like Microsoft and Cisco
embed more security functionality into their operating systems and networking fabrics.
Network access control and other integrity architectures are
emerging to take their place in the self-defending network of the future, which
means configuration, identity and asset management are going to play larger
roles in future managed, secure infrastructure. Also, infrastructure components
themselves are subject to security vulnerabilities. Now the proactive 'Assurance'
management of those devices themselves becomes as important as managing
standalone firewalls and IDSs. This implies that enhanced configuration,
security and patching management are going to play increasingly important roles
in infrastructure management.
All this means that careful deliberation needs to be given to
the partners used in outsourcing contracts. Organizations cannot have a
situation where multiple parties manage the same devices to achieve their
respective goals. This can defeat security objectives because too many people
are involved.
Many MSSPs will insist on full device control to provide their services. This
scenario was suitable for standalone firewalls and IDS/IPSs, but will need
consideration when the firewall/IDS/IPS functionality becomes embedded into
standard routers. The question of who will then manage the router bits and who
will manage the security bits in that device becomes an issue.
Just as applications are converging onto the network, and
security is converging into the network and applications/OS, outsourcing
functions will converge. Customers will increasingly seek out systems
integrators and outsourcers who have skills in network management, desktop and
branch office life-cycle management, systems management and configuration
management, in addition to world-class security expertise. This may very well
spell the demise of the boutique security shop or niche-managed security
services player, over time.
Manish Sethi, head, Security Solutions, Datacraft India