1、Benefits and Pitfalls of Outsourcing Security,Stan Kiyota, CISSP & CISM Senior Information Security Manager Booz Allen Hamilton, Inc.,Agenda,Outsourcing Definition Responsibility Keys for success Why? Who? What? Managed security service provider (MSSP) Definition Market trends, players Pros and cons
2、 of using an MSSP What to look for in an MSSP Key elements for managing outsourced security services Tips for successfully outsourcing security services,Defining “outsourcing”,Outsourcing: arrangement in which one company provides services for another company. These services are ones that usually ca
3、n be provided in-house but for one reason or another are not.,Audience Response,Raise your hand if you outsource some form of your IT services today.,Audience Response,Raise your hand if you outsource some form of your information security services today.,Outsourcing means you are still responsible,
4、You are responsible and held accountable; if something happens, responsibility rests with you. The outsourcing vendor should demand that you have an active role in management oversight.,These elements must come together for a successful outsource to occur,Business Policies &Legal Agreements,IT & Inf
5、ormation Security Policies,Service Level Agreements,Management Oversight,Your MSSP,Why outsource?,Cannot afford full-time info sec staff Cannot retain competent information security staff due to wages and market competition Have already outsourced other IT functions, why not information security ser
6、vices? Have already figured out that someone else can do it better, cheaper, faster than we can All of the above and more,Who outsources?,Businesses where IT security is not considered a core function of the business Commercial businesses up to $US1B in revenues; however, there are some multi-billio
7、n-dollar companies which have outsourced their entire IT functions to the likes of EDS and IBM Governments (Federal, State, Local),What services should I consider outsourcing?,Complete a business requirements analysis and determine the gaps between needs and capabilities. Determine what the business
8、 can support and what the labor market can bear. Ensure that your info sec architecture is complementary to the developing business plan for outsourcing. Document all services to be outsourced and policies, technologies, processes to support. Present a comprehensive business (not IT) plan for implem
9、enting managed security services.,What are “Managed Security Services” (MSS)?,Managed Security Services (MSS) offer onsite and remote monitoring and management of security services with 24x7 real-time monitoring, protection, escalation and response processes. Many of the managed services offered inc
10、lude: Firewalls intrusion detection systems (IDS) virtual private networks (VPNs) Routers antivirus/content checking periodic vulnerability or penetration studies/testing,Source: IDC,What is the market for Managed Security Services Providers (MSSP)?,Yankee, Forrester, Gartner, etc. have varied estim
11、ates of a $2B to $5B market for managed security services by 2005, to as much as $8B by 2008. Everyone is trying to play, but the vendor market is consolidating. MSSPs with 5 people are competing with companies with 50,000 employees.,Who are the players in the MSSP space?,TruSecure,LURHQ,In 2003, on
12、ly two firms were identified as leaders in Gartners North American MSSP Magic Quadrant,Source: The Gartner Group,Audience Response,Raise your hand if you use or have used one of those companies listed today.,Why should my company consider using managed security services?,Source: Unisys UK & IDC,What
13、 are the downsides of using managed security services?,Someone else has responsibilities you may not have direct control over. You dont build internal expertise and knowledge. Legal liabilities and ramifications if something happens may be limited. What happens if the provider goes out of business s
14、uddenly such as Salinas Group, Pilot Networks, Covad, Nettel, LMGT and others? What about Arthur Andersen?,What should I look for in an MSSP?,Sound, written confidentiality agreements (SLAs) Willingness to negotiate flexible contracts and terms One who provides resumes or qualifications of those act
15、ually doing the work One with expertise in the area you may outsource Flexibility to meet your business and IT needs Size and geography to meet your needs Financial viability of the company,Other crucial considerations in an MSSP,Do they have the size to do the job? Do they use sound technology & pr
16、ocesses? White hat or black hat? Are they a business partner today? SOC: More than one backup? Do they cover your security products?,Finally, are they truly qualified to do the job?,Are they ISO17799 or BS7799 compliant & certified? CISSPs? CISMs? CISAs? SSCPs? GIAC? CERT, IETF, FDIC, FFIEC, OCC, HI
17、PAA experienced?,Identifying the key elements of managing outsourced security services,How much should your vendor manage? Ownership, location, management over security devices and type What can you afford to do, and what can you not? Whats the role of policies and legal requirements? Outsourcing me
18、ans you are still responsible.,How much should your vendor manage?,You - not the vendor - should decide the level of the vendors involvement. You need to retain overall management responsibility of the effort. Size does matter the larger the outsourcing effort, the more management effort you will ne
19、ed to put in.,How much can you afford? What can you afford not to do?,You must retain control over strategies and policies. Managed services are most successful when outsourcers have control over entire segments e.g. firewalls, intrusion detection, etc. Do not let the providers technology expertise
20、sway your technology direction and requirements.,Whats the role of security policies and legal requirements?,First and foremost, you must have a complete set of IT and information security policies in place SLA: scope of activity and when; uptime; response time; activities after virus, hack, breach,
21、 incident, etc. A good vendor will not take a contract with you without these.Your business should have corporate policies on how outsourcing agreements are executed legally within your company.,Outsource only when,You retain control. You have properly negotiated legal and financial agreements. You
22、have business, IT and information security policies. You always retain the right-of-refusal for staff servicing your account. The vendor says they can do what you need, rather than saying they can do it all. You have SLAs that can be measured and rewarded (or penalized). You make sure the vendor wil
23、l be there for you.,Key outsourcing points,Remember: There is no one right provider IDC. Leverage relationships, but dont relinquish responsibilities. Bottom Line: Outsourcing information security requires you to have explicit trust in your vendor and the faith that they will always do the right thing on your behalf.,Thank you. Questions, comments?,