Wednesday, October 12, 2005

FEATURE: Outsourcing = bad security?


Chapter 1 - The good old days
Chapter 2 - The scope creep
Chapter 3 - The rude awakening
Chapter 4 - Knee jerk reactions
Chapter 5 - False sense of security
Chapter 6 - Caveat Emptor
Chapter 7 - Making a choice

NOTE : This was turned into a 5 page feature story on ITSecurity Magazine. See here for details or to download the PDF.


I have engaged with many customers who signed outsourcing contracts between 3 and 5 years ago and have observed some common traits that are now yielding significant challenges for these customers and the outsourcing suppliers alike.

When these contracts were signed, information security was not a big issue. It just was not on the radar. There was no onerous legislation, nor were there debilitating virus outbreaks, and globally destructive self-replicating worms were not even dreamt of. Spyware sounded like something from a science fiction novel, and we were not faced with a proliferation of mobile communications technologies or devices. If you told someone then that 850 million people were going to be using instant messaging and peer-to-peer protocols to drown your network with private chats and share music, movie and porn downloads, you would have dismissed them as alarmist or out of touch with reality. In those days, we could count the number of entry points into our relatively simple networks on one hand. The focus was on cost cutting, efficiency, connectivity service levels and agility. Information security was a simple equation: "Security = Firewalls + Antivirus = IT Dept".

I have personally reviewed a number of these contracts coming up for renewal, and information security was buried among all the legalese and traditional service options as a vague one-liner, normally something to do with maintenance of firewalls and AV. In fact, for all intents and purposes, information security as we know it today was OUT OF SCOPE of the contract.

The reason for this is that prior to the advent of the Internet, email and e-commerce, the closed nature of corporate networks made security a relatively easy affair. The classic security defence model revolved around defending a “trusted” internal network from the “untrusted” outside (everything else). The demarcation line between these two zones of trust was called the “perimeter”, and security products such as firewalls, VPNs etc. were implemented on the perimeter to enforce the trust differentials. A demilitarized zone (DMZ) was set up on the firewall for public-facing data. This represented the “Protection” security model, or the "Good old days" when "security was easy".


CATEGORIES: feature story, outsourcing, best practices, trends, advice