Thursday, June 14, 2007

IT Security Outsourcing Decisions - Considerations

Having raised the bar of suspicion in the previous two articles, the
question now is: what needs to be done to clear the air? What is the way
out of the ambiguity in the process of outsourcing? There are various ways
to deal with the situation, and one can do whatever seems appropriate, but
the steps that need to be considered are -

* Think as a Hacker

* Decide on Accessibility

* Control Data Usage and Handling

* Protect the Information

* Maintain Confidentiality

* Apply the Sixth Sense / Instinct

* Deploy Vigilance for Incident Reporting


Think as a Hacker


There are a few things to be considered and understood before finally
handing over the reins to a stranger. One needs to view the IT issues from a
hacker's perspective, take careful note of the situation, and look for the
answers to these questions -

* What if my confidential information gets into the wrong hands?

* Do I have IT assets worth abusing?

* What negative consequences would occur if they were abused?

* Is my job going to be on the line if my organization makes the
headlines?


Decide on Accessibility


Most outsourced IT services require one person or another to have full
access to all or part of the organization's IT assets. For instance, IT
helpdesk support professionals will most likely need administrative rights
on the client machines and probably on the respective servers as well. This
effectively translates into full access to corporate data stored on the
local drives and, potentially, on network shares. Consider what an IT
auditor or security consultant may gather during the days, weeks or months
spent working onsite at an organization's IT facility. At times it may
amount to more than even the organization's own best people know. The
exposure is practically limitless, and it only takes one miscreant to cause
the damage.


Control Data Usage and Handling


An outsourced IT service provider might have access to the data, as
highlighted in the previous point. But that is just one of the points
identifying the risks associated with outsourcing. What is more important
to establish is what the various outsourced personnel are doing with the
data. Data handling by the outsourced agency is another aspect to be
understood. If we look into the matter we might find that the outsourced
agency's personnel are storing the data on their own servers, laptops, CDs
or USB drives, or might even be printing hard copies. Clients should expect
to turn at least some of their information over, and need to be informed of
why it is needed and how it is going to be used.


Protect the Information


IT systems handle, process and store vital data and information that is
sensitive, crucial and confidential for the business. When outsourcing the
security of the IT establishment and the organization-wide information
security process, one has to consider how the data and information are
being protected, if at all. What are they doing with the data and/or
information? Are they sharing it with colleagues or competitors? Keeping it
to sell on eBay in a few years? Even if the people you're outsourcing your
IT services to are bound by contract to protect your information, they may
not have your best interests in mind, or they may be just plain sloppy.
Consider what a person has to lose if he ends up leaving the company or
getting out of the IT business altogether. The probability of sales data,
source code or patient information being used for ill-gotten gains is
pretty low, but it can happen.


Maintain Confidentiality


Call me a pessimist, but I've seen too many digital goods mishandled by
careless IT experts with a general disregard for other people's property.
The root of a lot of this -- which continues to amaze me -- is when
organizations outsource IT support, but never consider the basics such as
running background checks and examining references on the people they're
placing trust in. Confidentiality agreements are being used more and more,
but arguably not enough.


Apply the Sixth Sense / Instinct


Strong contracts and clean criminal records are not a perfect indicator of
safe and sound IT services, so don't rely solely on them. It's also
unrealistic to attempt to completely control where your sensitive data is
housed and what a third party does with it. Whether you're for or against
outsourcing IT services, you'll have to do it eventually. Do your best to
find good people to do business with - preferably through referrals - and
trust your instincts.


Deploy Vigilance for Incident Reporting


Don't stop there though. It's not a matter of just having the proper
security controls and paperwork in place to take the risk out of outsourcing
IT services. It's just as important to have watchful employees who can tell
when something's not right and management that's willing to listen, support
their employees and create an overall sense of security vigilance in the
organization.

Saturday, June 9, 2007

IT Outsourcing Decision Concerns -II

Loss of Control

By far the foremost inherent risk of outsourcing is the “Loss of Control” over the outsourced process. When outsourcing the IT security processes, this can at times prove to be the worst nightmare for the organization’s management.

The most common concern triggered by the decision to outsource is that the sense of relief about day-to-day operations overrides everything else. This may actually be a trend stemming from the difference in how internal and external personnel perceive service orientation. Whatever the case, at the end of the day it boils down to commitment and dedication to the work and to the organizational goals.

It is certainly great to do everything IT related in-house. You control access and you control how and when things get done. On the other hand, any smart businessperson knows it's practically impossible for one department or person to do everything and do it well. This certainly makes outsourcing a trend and a business practice involving the transfer of control to an outsourced company specializing in the job being outsourced. But in doing so, does the organization also realise that control is being transferred to a complete stranger? This question needs to be answered thoroughly for the outsourced model to be a success.

It is a fact that an employee aligns more to the vision, mission, goals and culture of the organization as compared to the third party or the outsourced staff.

Whatever the case, the outsourcing decision can’t just be negatively affected by this factor. In a scenario where the internal staff may compromise and go along with a business decision that might have an adverse impact over a period of time, stricter SLAs would always force the outsourced service provider to stick to its guns and make the organization’s management understand the inevitable.

But this is still a concern that always poses a risk, and it will always give rise to a debate over what to outsource and why.

Availability v/s Quality

This is another concern that hounds the decision of outsourcing. For a large organization with huge operations, it is not of much significance, but for the medium and small size business this is quite a concern to be addressed.

After dealing with the question of losing control and deciding to go ahead with outsourcing, the organization faces the challenge of the availability of quality service.

For medium and small sized organizations, outsourcing might be a concern as, from a vendor’s viewpoint, they may be just one of the many customers serviced by the vendor, and in many cases may account for a small percentage of its total workload and income. This certainly affects the availability and quality of the desired services at the time they are required. In most cases the smaller organizations may suffer as the service provider addresses the concerns of the larger customers first and makes the smaller customers wait until the support staff is free.

For a large customer it is easier to assert its dominance and dictate terms by the sheer size of its order value, but for the smaller organization it becomes an issue. Moreover, if the smaller customer is in contention with a larger client, the issue complicates further. In such a competitive battle for preferential availability and quality of service, even a smaller customer can gain priority by making the most noise and escalating the issue to upper management at the service provider, but a word of caution: this may not always be fruitful.

To deal with such scenarios, smaller organizations mostly resort to escalations, stricter time-based SLAs, special relationships and rapport with senior management, etc.

The smaller organizations making the hue and cry should also understand that at times the larger organizations might even be subsidizing the services they avail of. At the same time, with the same staff servicing both the larger and the smaller organizations, the smaller organizations tend to benefit from the knowledge and expertise of support staff who have worked at the larger organization.

Mutual Trust

Mutual trust is yet another aspect that needs to be considered when outsourcing the IT security processes. It has become very important to ensure that third parties who have access to personal and confidential information are protecting that information from inappropriate disclosure and from misuse.

With law and regulatory enforcement bodies placing ever-increasing responsibility for security breaches on the senior executives of organizations, this issue has taken a giant leap from being just another issue. With more and more compliance-related concerns, organizations have to be more alert on the trust aspect, given that the vendor might also be providing services to their competitors, and any leakage of business-sensitive and crucial information would prove damaging and loss-making.

The complication in this aspect is multi-fold: the cost of satisfying the regulators and the board of directors that due care has been taken, and the differences in regulations and laws that may exist due to the different geographical locations of the organization and the service provider.

It is however a good practice to test whether the vendor’s stated policy and procedures are enforced and implemented. Either the customer organization or the service provider may hire third-party auditors or security assessment consultants to perform security and control assessments. Such specialty assessment firms are likely to do a more orderly, structured, and complete evaluation than an in-house staff might achieve, because they perform so many more assessments over a period of time than an in-house group.

Costs – Real and Uncertain

This is an area that is mostly untouched or overlooked during the due-diligence exercise. This could be attributed to the fact that at times it’s just difficult to quantify certain costs or to ascertain the probability of their occurrence.

Some of the hidden or uncertain costs may be related to vendor’s financial viability and sustainability or the presence of adequate infrastructure to survive and sustain in the business in case operations at its primary facility are adversely affected due to one or other reason.

There might be cases where the vendor faces a financial crunch, which might lead to it being merged with some other larger organization, or even with a competitor. In such cases most of the vendor's business gets transferred to the acquiring party, but this is not the right approach to follow; the agreements should take a stricter approach and include a clause for termination of services in any such case, with ‘No Liability’ for the outsourcing organization.

As regards the availability of infrastructure and continued support, the outsourcing organization must conduct due diligence at the vendor to assure the management and the regulators that the selected vendor has adequate infrastructure for continued service and support, even in adverse situations such as war and terrorist attacks.

But there is a word of caution associated - Even during analysis, some costs might be hidden or excluded altogether, either unintentionally or through the analyst’s ignorance or inexperience.

Knowledge Transfer

Knowledge transfer is one of the key aspects of outsourcing and needs considerable attention from the management and the decision makers. The issue here is that the more functions and roles are outsourced, the lesser the chances that the internal staff would be able to address them should they be moved back in-house.

To address this issue, the SLAs are drafted in a manner that obliges the vendor to conduct training and keep the internal staff up to date, but does this actually happen? If yes, then in how many cases and to what extent?

The cost of not maintaining an up-to-date and knowledgeable internal staff might prove high and can add to the hidden and uncertain costs of outsourcing. The impact can include loss of negotiating power or of the ability to move to an alternative service provider.

Shared v/s Dedicated Operations

One decision of prime importance is whether to select a dedicated facility at the outsourced agency or to go ahead and utilize shared operations. Certainly the cost of dedicated operations at the vendor facility is higher, and most MSSPs charge a premium for such service, but the overall security and risk of exposure of confidential business information is relatively lower.

But with tighter budgets for IT Security operations and Security operations still being seen as the Cost Centre, most of the organizations opt for Shared Operations. This certainly increases the exposure of the information and can certainly add to the hidden costs.

Legal and regulatory Compliance

Compliance, to what? Regulatory and statutory requirements, the likes of banking regulations, SOX and HIPAA, and international standards like COBIT and ISO 17799, etc. The more we drill down, the more we identify the likes of FISMA, GLBA, CASPR, etc. Why are they doing this, and what is the need for it?

The requirements are not set by the organizations themselves; rather they are imposed upon them by the concerns of cyber crime, which is increasing day by day, and by the extending regulatory periphery of the respective authorities, be they the Government or the regulatory bodies for the industry verticals.

References

Berinato, S., “Security Outsourcing: Exposed!”, CIO Magazine, August 1, 2001, http://www.cio.com

Axelrod, C. Warren, “Outsourcing Information Security”

Various articles on http://www.searchsecurity.com

IT Outsourcing Decisions - Concerns

Outsourcing of IT services is the trend of today, and why not: it helps an organization focus on its core business, where its strength lies. Why should an organization spend time, effort and other resources on what it does not specialize in and what is not its core area of operations?

The first and foremost thing considered when taking the step of outsourcing is the selection of the right company. Yes, it is very important to select the right company to execute the outsourced job in the manner, and with the effect, the outsourcing organization would prefer. But is that the only requirement in an outsourcing scenario? Maybe most out there would say ‘Yes’, but there is a difference somewhere; somewhere we are lagging. Why should we focus only on the efficiency of the outsourced company’s delivery mechanism and not address some other issues? Beyond the effective and efficient delivery mechanism followed by the outsourced company, there are other areas that are more important and rather critical to the success of the outsourcing model being followed. These issues relate to the mechanism followed by the outsourced company to address the security risks involved in the overall outsourcing model.

For instance, let’s have a look at the US market, one of the biggest markets for the outsourced business process concept. The organizations there are increasingly outsourcing their IT divisions, including their IT security set-up, certainly to manage the growing cost of running the IT establishment and at the same time to focus on the more profitable business divisions and processes.

But then there is a flip side to the decision, and it might have more impact than the benefits. The flip side is the obvious risks associated with outsourcing the IT function: the function that deals with the processing and storage of information, which even includes critical and business-sensitive information.

Now, coming from an Outsourcee background and being one of the Lead Consultants on the Outsourced jobs for my company, I would be one of those in the bandwagon to support the Outsourcing trend. Why should I not, and why should I ever oppose it? After all, I get my bread and butter from the outsourced jobs.

But just because I am an Outsourcee, should I defy the fact that there is no risk in the Outsourcing models and approach as being followed? Should I just try to conceal the fact that when an Organization outsources a process to a third party, be it for desktop support, security testing or network monitoring, the more accessible the electronic assets are, the greater the risk of something bad happening? The potential for loss always increases given the seemingly endless amount of data stored, processed and transmitted through so many different devices.

Though it might seem so, it would not be a wild statement to say, “While most IT consultants are trustworthy and responsible, some might not be. Seemingly not-so-bad people are doing bad things on computers all the time – and often the company who hired them doesn't even realize it.”

Let us examine the various risks that are associated with the outsourcing decision and then we can look into the aspects or steps that would help us in making the appropriate decision on outsourcing and what to outsource.

Concerns of Outsourcing

As every aspect of business has inherent concerns and related risks, so does the decision to outsource. Making a decision with knowledge of these inherent risks makes life easier, as we would be ready to take steps to avoid their materialization and any adverse impact on business profitability.

So what are the risks, and where do they exist? Those are the main questions to be answered. Let’s have a closer look at the risks that come with the decision to outsource –

* Loss of Control

* Availability v/s Quality

* Mutual Trust

* Costs – Real and Uncertain

* Knowledge Transfer

* Shared v/s Dedicated Operations

* Legal and regulatory Compliance

Different views - Skype Detection - It's a Reality

I had written this article in November 2005, when there was an article published on VoIP software by Jim Wagner; well, the summary of the same is –

"Researchers: Skype, VoIP Are Hot And Risky" by Jim Wagner. As per this article, "the research firm noted in a recent advisory, Skype doesn't leave an audit trail and could get companies into trouble on the compliance front; there's also the question of whether VoIP calls in general constitute a business record" are the words from a senior research analyst at Info-Tech.

But my team and I were already identifying and blocking Skype usage in the corporate network from June 2005. Following is the article that I had written then –

Peer to peer voice services are the talk of Internet users. Why not, as they provide inter-computer calling for free. So if you have a machine with a sound card and an Internet connection, you can connect to other users using the same peer to peer voice service software, and it's absolutely free.

Skype is one such software that has become quite popular. The developers of Skype have gone a step further in providing a service they call SkypeOut. Though this is a subscription-based service, it gives users the facility to call landlines and cellphones for a fee.

With the increased usage of Skype and other such peer to peer voice services, IT security experts started throwing up warning flags about VoIP on the corporate network and pointing to one provider in particular. Research from VeriSign and Info-Tech Research Group said security risks surrounding the increasingly popular Internet phone software could put networks at risk and should be addressed.

Quoting from the article "Researchers: Skype, VoIP Are Hot And Risky" by Jim Wagner – "As it stands, the research firm noted in a recent advisory, Skype doesn't leave an audit trail and could get companies into trouble on the compliance front; there's also the question of whether VoIP calls in general constitute a business record" are the words from a senior research analyst at Info-Tech.

Somehow I disagree with the point that Skype does not leave any audit trail of usage. At least we have successfully tested and are using the detection method in a live environment. The test that was conducted to detect the presence and usage of Skype in the network had two instances –

1. Port based detection

For port based detection we derived that Skype tries to contact peers using the fixed TCP port 54045 when a conversation starts. In case it fails on the identified port, it tries random TCP or UDP ports.

2. Signature based detection

For signature based detection, packet analyzers can be used to analyze the Skype traffic, but it’s slightly difficult due to encryption. Still, the conversation can be detected using custom signatures that look for certain patterns in the packets flowing through the network gateway. Thus an alarm can be raised whenever a matching event is found.

In either case, TCP RST settings could be configured on the IDS and Skype could be blocked. Additionally, Websense could be configured in Network Sensor mode and the traffic could be blocked.
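The port based instance above, as an added example that is not part of the original post and not the detection the author's team actually deployed: a small analyzer run over constructed flow records. It flags any connection attempt to TCP 54045 (the fixed port named in the post) and, as a heuristic extension that the post only implies, flags a host that fails on 54045 and then fans out to several random high TCP or UDP ports shortly afterwards. The record format, the 60-second window, the five-port threshold and the sample flows are all assumptions made for this example; the signature based instance is not shown because the post gives no pattern to match.

```python
"""Port-based Skype detection over constructed flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass

SKYPE_TCP_PORT = 54045        # fixed TCP port named in the post
FANOUT_WINDOW_SECONDS = 60    # assumption: look this long after a failed 54045 attempt
FANOUT_THRESHOLD = 5          # assumption: this many distinct random high ports


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since epoch (constructed)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str     # "tcp" or "udp"
    state: str     # "ok" = established, "fail" = refused / reset / timed out


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: <ts> <src>:<sport> <dst>:<dport> <proto> <state>."""
    ts, src, dst, proto, state = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(int(ts), src_ip, int(sport), dst_ip, int(dport),
                proto.lower(), state.lower())


def detect(lines):
    """Return a list of (rule, source_host, detail) alerts, in time order."""
    flows = sorted((parse_flow(l) for l in lines
                    if l.strip() and not l.startswith("#")),
                   key=lambda f: f.ts)
    alerts = []
    failed_fixed_port = {}      # src host -> time of its last failed 54045 attempt
    fanout = defaultdict(set)   # src host -> {(dst, dport, proto)} seen after that failure
    for f in flows:
        # Rule 1: any attempt at the fixed port is worth an alert on its own.
        if f.proto == "tcp" and f.dport == SKYPE_TCP_PORT:
            alerts.append(("skype-fixed-port", f.src,
                           f"{f.proto}/{f.dport} to {f.dst} ({f.state})"))
            if f.state == "fail":
                failed_fixed_port[f.src] = f.ts
                fanout[f.src] = set()
            continue
        # Rule 2 (heuristic): after a failed fixed-port attempt, count distinct
        # random high-port destinations on TCP or UDP inside the window.
        t0 = failed_fixed_port.get(f.src)
        if t0 is not None and 0 <= f.ts - t0 <= FANOUT_WINDOW_SECONDS and f.dport >= 1024:
            fanout[f.src].add((f.dst, f.dport, f.proto))
            if len(fanout[f.src]) == FANOUT_THRESHOLD:
                alerts.append(("skype-random-port-fallback", f.src,
                               f"{FANOUT_THRESHOLD} distinct high ports within "
                               f"{FANOUT_WINDOW_SECONDS}s of failed {SKYPE_TCP_PORT}"))
    return alerts


# Constructed sample flows, not a real capture. 10.0.0.5 reaches the fixed port,
# 10.0.0.7 is refused there and fans out, 10.0.0.9 is ordinary web traffic.
SAMPLE_FLOWS = [
    "# ts src:sport dst:dport proto state",
    "1000 10.0.0.5:51522 203.0.113.10:54045 tcp ok",
    "1100 10.0.0.7:51600 203.0.113.11:54045 tcp fail",
    "1105 10.0.0.7:51601 203.0.113.12:33876 tcp fail",
    "1107 10.0.0.7:51602 203.0.113.13:40211 udp ok",
    "1109 10.0.0.7:51603 198.51.100.4:27891 udp ok",
    "1112 10.0.0.7:51604 198.51.100.9:61442 tcp ok",
    "1115 10.0.0.7:51605 203.0.113.20:5010 udp ok",
    "1200 10.0.0.9:51700 192.0.2.8:443 tcp ok",
    "1201 10.0.0.9:51701 192.0.2.8:80 tcp ok",
]

if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_FLOWS):
        print(f"{rule:28s} {host:12s} {detail}")
```

On the sample input the analyzer raises two fixed-port alerts (10.0.0.5 and 10.0.0.7) and one fallback alert for 10.0.0.7; the web-only host 10.0.0.9 stays silent. The fallback rule deliberately requires a failed 54045 attempt first, so a host that merely opens many high-port connections (a file-sharing client, say) is not flagged by it.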

Tuesday, June 5, 2007

Driving Factors for Information Security

Information security has become a necessity for the survival of business today. Irrespective of geographic location or industry sector, the following can be identified as the common driving factors for information security -

Information Security Threats and Risks

Any information system usage or implementation may be a target for a range of serious threats, including computer-based fraud, espionage, sabotage, vandalism and other forms of system failure or disaster. This may result in a risk of data loss from accidental or mala fide unauthorized access, use, misappropriation, modification or destruction of information and information systems.

Moreover, sharing information for business reasons using new applications and inter-connected resources increases the threat of information pilferage. Ensuring the security of business-critical information is important for an organization to maintain its competitive advantage in the marketplace. In the course of conducting business, such information must be shared hundreds, even thousands of times each day. Designing, building, marketing and selling products requires discussing, faxing, e-mailing or otherwise sharing sensitive, proprietary information. Each time such information is shared, it is further exposed to the risk of being lost or compromised. Each conduit for information sharing presents an opportunity for unauthorized persons to attempt to acquire that information.

Inconsistent policies for assigning system usage may also result in access rights to information and information systems exceeding the needs of employees’ job responsibilities. While the number of users accessing information systems is increasing, the control exercised by the system owners or providers is being dissipated.

While technological advancement has provided significant benefits, it has also equipped malicious users with more advanced means and tools to obtain unauthorized access to data and information. With the availability of the Internet, there is an increasing risk from these tools being freely available.

Legal and Statutory Requirements

Security requirements also arise from, and are subject to, the statutory and contractual requirements of the organization, its service providers and third parties. The information security department must also ensure that the security policies take these requirements into account.

(The U.S. government has created new laws that specifically address Information Age misconduct; Sarbanes Oxley Act, GLBA and HIPAA are the mentionable names in this aspect. In India too initiatives have been taken in this regard and “Indian Information Technology Act 2000” has been rolled out. More is expected to fall in place as the Government and Industry consortium is working in Unison to create much awaited infrastructure for secure organizational practices.)

Apart from the laws, there are the internationally acclaimed best practices and standards that have evolved. ISO/IEC 27001, ISO/IEC 17799, ISO/IEC 21827 and ISO/IEC 15408 from ISO, along with COBIT, COSO, SAS 70 and others, are a few of the standards against which organizations are seeking compliance for their security practices and operations.

But beyond these laws, best practices and standards, organizations need to know how to create a system and a culture that will not be susceptible to this type of illegal behavior. It’s a good practice to put some basic policies and guidelines in place and share it with the associates, consultants, customers & vendors.

Gaining User Support

It is also necessary to ensure an adequate IT control environment to minimize the risk of any negative incidents involving computers. This assumes significance in view of the rapid strides the organization has made in adopting newer technologies. End-user confidence and support is one of the fundamental building blocks for deriving the full benefits of IT resources.

Building Customer Confidence

Customers must have confidence that information systems will operate as intended, without unanticipated failures or problems. Otherwise, the systems and their underlying technologies may not be utilized to their optimum level, and further growth and innovation may be inhibited.

Any views?