FEATURE: Outsourcing = bad security?
PREVIOUSLY : THE RUDE AWAKENING
CHAPTER FOUR : KNEE JERK REACTIONS
The realisation had finally set in that traditional Firewall and Antivirus technologies, as covered in the original outsourcing contracts, were not standing up to the new, emerging threats such as self-replicating worms, port 25 (mail), port 80 (web), P2P exploits and Spyware. Internal IT assets that were becoming infected were infecting other internal assets. A detection and response strategy within the perimeter was now required to supplement the ailing protection strategy. Many enterprises were also not aware that their insurance policies did not cover them against malicious code attacks. Others who tried to buy coverage found there were few policies being written that protected against digital attacks.
Everyone was jolted into action. 2004 was a very busy year for my company. There was much piloting and testing of Intrusion Prevention (IPS) and other appliances to solve specific problems. My company was involved in much of this "exploratory" phase with outsourcers and customers. But once satisfied with the tests/results, the issue would come up as to who was going to pay for all this technology. I have been embroiled in many 3-month periods of to-and-fro between customer, ourselves and outsourcers as to who is going to pay for all this new gear and, even better still, who is going to manage it.
Now the big mistake made by clients and outsourcers alike (and some technology providers and systems integrators that were none the wiser too, I might add) is that they thought that deploying this technology would solve their issues. What they did not realise was that they were solving particular issues, in much the same way they invested in Firewalls, VPNs and Antivirus and thought "Well, that's sorted security out." So even while IPS appliances, Application firewalls, host-IPS, desktop firewalls and IDS were being installed all over the show, everyone lost sight of the bigger picture, namely that security needs to be a holistic process involving people, process and technology.
Outsourcing contracts were modified to include the provision and management of additional security hardware at strategic points within the network and that was that - on to the next problem, so to speak. Actually, to be honest, these measures did ease things for a short while. To make matters worse, it actually got quiet in the press for a while as we had a lull in outbreaks of worms and viruses - and this leads us into the next chapter.
NEXT : FALSE SENSE OF SECURITY
CATEGORIES : 1feature, 1outsourcing