Tuesday, December 20, 2005

FEATURE: Outsourcing = bad security?

CHAPTER SEVEN : MAKING A CAREFUL CHOICE
As applications such as Telephony, P2P and Live Messaging rapidly converge onto the network infrastructure, the security of this infrastructure becomes more complex and more important. In addition, we are finding a strong convergence of network, systems and security management as companies like Microsoft and Cisco embed more security functionality into their OS and networking fabrics.

Network Access Control (NAC) and other "Integrity Architectures" are emerging to take their place in the self-defending network of the future, which means configuration, identity and asset management are going to play larger roles in future managed, secure infrastructure. Also, we have seen recently that infrastructure components themselves are subject to security vulnerabilities (see the CiscoGate landing page). Now the proactive "Assurance" management of those devices themselves becomes as important as managing standalone firewalls and IDSs. This implies that enhanced configuration, security and patching management are going to play increasingly important roles in infrastructure management.

All this means that careful deliberation needs to be given to the partners used in outsourcing contracts, as you cannot end up in a situation where multiple parties have to manage the same devices to achieve their respective goals. Having too many people with "their fingers in the pot" may well defeat the security objectives. Many MSSPs will insist on full device control to provide their services. That was fine with standalone firewalls and IDS/IPSs, but what do you do when the firewall/IDS/IPS functionality is becoming embedded into standard routers? Who manages the router bits and who manages the security bits in that device?

Just as applications are converging onto the network, and security is converging into the network and applications/OS, we will find that outsourcing functions will converge, and customers will increasingly seek out systems integrators and outsourcers that have skills in network management, desktop and branch office life cycle management, systems management and configuration management in addition to world-class security expertise. This may very well spell the demise of the boutique security shop or niche managed security services player over time.

This brings our seven-part feature to a close. The final bit of advice is that customers need to try to include infrastructure "Security Assurance Level Agreements" with their standard Service Level Agreements in future outsourcing contracts, and minimise the number of people managing the network components.

NOTE : This was turned into a feature publication in the January 2006 issue of IT Security Magazine. See here for details.
