Wednesday, October 19, 2005

FEATURE: Outsourcing = bad security?

PREVIOUS CHAPTER: THE GOOD OLD DAYS

CHAPTER TWO: THE SCOPE CREEP

This “Protection model” worked for a while, but then became increasingly powerless against viruses, Trojans, worms, application-level attacks and malicious code entering the perimeter through email, file transfers, Web pages, P2P networks and VPN links. When the virus outbreaks before Blaster et al. first made their appearance, they were considered an infrequent nuisance, and the outsourcer dealt with the diagnosis and mopping-up exercises accordingly when requested by the client. In fact the outsourcer would start dealing with the issues automatically on subsequent occurrences, even when the issues were not related to their scope of work. An example of this is a WAN or LAN network outsourcer that would inevitably have to deal with the virus issues at the endpoints, as they were considered a "bandwidth or connectivity or infrastructure problem." It was never dreamt that the issues would rear their heads again or even keep getting worse. To be fair, the outsourcers were focused on service and their main aim was to resolve the issues of the day - which they did.

As corporate networks became more complex, connecting to more partners and suppliers and making use of more contractors, the issues became more frequent. And then a strange thing happened - the outsourcer was dealing with the issues as "their issues", handled as part of their normal business process, and the client lost all visibility of the nature of the problem. They never received regular reports on the frequency, scope and impact of the security incidents and so were ignorant of the looming issues. In fact, in some cases where internet abuse and viruses were sapping WAN bandwidth, the solution was to throw more bandwidth at the problem, which probably suited many WAN outsourcers just fine as they could bill the client for the additional bandwidth.

Some outsourcers deployed IDS technology in the networks as a first proactive step. But they quickly realised that this would not scale in the end. What accelerated the scope creep was that all the new infections and problems were originating from within their clients' own trusted networks or from their own trusted users. This was despite aggressive antivirus, IDS and other traditional security investments made by these organisations. Since the outsourcers were managing the networks and/or users, one can understand why the responsibility "landed in their laps", so to speak.

To make matters worse, as part of the outsourcing contracts, the clients had scaled back their IT expertise. The fact that security was not a real issue 3-5 years ago, coupled with the loss of visibility we have mentioned, meant that there was never really any consideration of having an IT security competency within the client's staffing complement. In fact the clients' IT staffing complement gravitated to procurement and "outsourcer relationship managers".

NEXT: THE RUDE AWAKENING

CATEGORIES: feature story, outsourcing, best practices, trends