Managed Security Services

Transcription

1 New Environment for IT Outsourcing Managed Security issues have never been more important than they are now. Companies must ensure that their systems are secure to be able to use them for all their sensitive business information and processes. Processing of companies data will most likely involve the personally identifiable information of employees and clients. Thus, in addition to security companies need to consider how they protect, handle and use such data and adopt policies accordingly. In the context of outsourcing arrangements these considerations have the added challenges of dealing with transfers of the data to a service provider and controlling how the service provider manages, stores and uses the data. As companies become increasingly reliant on complex, open networks, and as new technologies for accessing information systems and data continue to emerge, the task of preventing corruption and intrusion, and eliminating network security vulnerabilities is becoming a daunting one. Without the proper safeguards in place, companies are exposed to critical security breaches, causing damage to both company data and reputation. Given the new importance of information security, companies are increasingly turning to service providers for managed security services, technologies and expertise. Outsourcing security services enables companies to offload these complex and specialized functions, allowing them to focus on their core competencies.

2 Security Before Networks Location & Transmission of Corporate Data Information Systems Databases and Filing Dedicated Lines Processes & Trade Secrets Trade Secrets Business Processes Intellectual Property Sensitive Assets For most companies, information security used to be a matter of protecting the physical location of corporate data. The methods of accessing corporate data were limited and therefore the mechanisms for protecting corporate data did not require much imagination., corporate data resided entirely within the corporation or, if stored outside the corporation, was only accessible through dedicated, leased lines. Closed systems and leased lines drastically restricted the ways in which company information could be retrieved. When the only way to access data was to physically operate the database, or a separate station dedicated solely thereto, protection merely called for physically guarding a few isolated work stations and filing cabinets, and insuring the physical integrity of dedicated lines. Before the widespread adoption of the Internet and corporate intranets and extranets, company trade secrets and business processes were stored either in the minds of corporate agents or in some physical location within the company. Customer databases were not linked to systems to which most employees, contractors, or outside parties had access. Core data could not easily be burned to a disc and disseminated. Even when a company chose to outsource a particular business process, rarely was the vendor in a position to access such secrets and processes by means of their employment with the company-customer. 2

3 Security in a Networked Environment Location & Transmission of Corporate Data Public Infrastructure LANs, WANs, & Virtual Private Networks Open Networks Companies are increasingly turning to public infrastructure for data transmission as well as to enable off-site storage and facilitate access from multiple locations. A company s own information and communication systems are no longer the sole means for obtaining company data. With information stored in a variety of off-site and networked locations, companies can no longer rely solely on their own internal security measures. The creation and spread of Local Area Networks (LANs), Wide Area Networks (WANs), and other Virtual Private Networks (VPNs) has made protecting information both more important and more difficult. The multitude of points of entry into core company systems, make monitoring and regulating access to company data a far greater challenge. E-commerce and e-business rely heavily on the ease and high capacity of open networks. While such environments are designed to network ideas and resources and provide efficient access to critical information from multiple points, these same networks create vulnerabilities that allow internal and external attackers to damage both the company s data and reputation. Confidential Processes & Information Intellectual Property Privacy & Customer Data Company confidential information today is more sensitive, more comprehensive, and more easily replicated and disseminated than ever. The management of digital rights is more important than ever with some startups relying entirely on a single piece of software. Privacy regulations require added protection of company data. Databases of customer information can be companies most valuable asset and also their greatest exposure. 3

4 Network Vulnerabilities & Assessment Excess Software & Open Ports Internet Vulnerability Assessment Intrusion Detection & Response Plans Open network environments raise a variety of challenges that companies must address to remain viable. The first step in addressing network security is vulnerability assessment. Excess software and open ports provide venues for outside intruders to gain access to local networks. Unused components require maintenance and patching and ports must be regularly scanned for vulnerabilities. System weaknesses can be identified through penetration testing and proper software and port maintenance. All computers connected to the Internet are vulnerable to attack. Regular assessment of Internet-exposed systems such as firewalls, Web servers, mail servers, e-commerce servers, and DNS servers is essential and allows companies to identify, analyze and prioritize configuration weaknesses and ensure that structures remain in compliance with the authorized baseline functions of the critical systems. Companies must be able to efficiently detect and respond to unauthorized access of company systems and data from both outside and inside the company s own IT environment. Intrusion detection systems (IDS) for both network-based and host-based systems, and an efficient disaster response plan, help enable companies to withstand and counter the increasing number of attacks on corporate systems and demonstrate management s commitment to protecting the companies information assets. 4

5 Backups, Firewalls & Network Management Off-Site Storage, Backups & Restoration Testing Firewalls VPN Management & Filtering Packets Maintenance and Enforcement of Network Security Policies Passwords and User IDs Audits & Risk Analysis Security Policy Compliance The inevitability of attempted attacks on core systems challenges companies to properly manage their networked information. Locally stored company data must also be stored off-site, backups of critical data and systems must be made to tamper-proof media, and restoration testing must be regularly performed to ensure that backed-up data conforms to the original information. Firewalls offer companies an effective method for protecting corporate information assets including networked systems, applications and software, as well as customer and personnel data. A flexible firewall structure is necessary for companies relying on both UNIX- and non-unix-based systems and allows companies to regulate remote access to all core systems regardless of platform. The maintenance of Internet Protocol VPNs requires careful attention. Packet filtering enables system administrators to prevent receipt of anonymous data packets and data arriving from restricted or prohibited IP addresses. Careful management of user accounts, IP addresses, and remote VPN access, which includes the monitoring and logging of all activity on the Network as well as a fully developed response plan, is essential in the heavily VPN-reliant business environment of today. Password and user ID account maintenance is critical to the maintenance and enforcement of security policies. A well developed and maintained password policy will guide users on proper password selection, provide companies with the ability to monitor and update user profiles, remove default, built-in or unused accounts, and outline encryption options for protecting the transmission of password and user ID information. Besides the secure management of the networks themselves, companies must manage and update their security policies. Regular audits and risk analyses are essential in order to ensure that security policies remain effective. Penetration testing, restoration procedure and response plan validation, and security policy compliance audits are an indispensable part of a complete network security system. Security policy compliance requires proper communication of security procedures to a companies employees and contractors. Security handbooks and security seminars will alert employees and contractors to companies security practices and changes thereto. Compliance with the security policy should be regularly audited or tested, as part of companies general risk analysis process. For all companies it is critical that security breaches are monitored and responded to in real-time. Security policies must 5

6 be updated frequently to meet the demands of emerging networking and hacking technologies, and compliance with these policies must be tested and enforced. Outsourcing Security Services IT Staff & Continued Innovation Outsourcing the security management functions to a third-party service provider may provide an efficient and effective solution to security issues for both large and small companies. Corporate IT resources are often insufficient to support companies primary business requirements developing, producing, selling and servicing the companies products. Inhouse IT staff often lack the resources and expertise to adequately address these challenges and protect valuable information assets. Experienced information security professionals are hard to find, expensive to hire and difficult to retain. Outsourcing security services may enable companies to save money by reducing specialized staff and cutting installation and maintenance costs linked to deploying effective security solutions. Structuring Security Services Agreements Term IT outsourcing agreements have historically been long-term arrangements 10 years being standard. These agreements were structured so that IT services were transitioned to the service provider over a period ranging from 6 to 18 months and provided for a renegotiation period commencing in year 8 or 9 of the term, leaving about 7 years of steady-state services. Service providers pushed for long-term agreements since such agreements ensured them a long-term, predictable revenue stream making Wall Street analysts and investors happy. Customers accepted long-term agreements because of the disruption involved in transferring services and because many transactions involved a not insignificant amount of financial reengineering (i.e., the service provider would come in and quickly reduce customers IT spending while recouping this loan to customers over the term). 6

7 Most customers are only willing to commit to short-term agreements (ranging from several months to a few years) for several reasons. First, security needs have increased greatly with the advent of distributed computing and more recently with the wide-spread adoption of the Internet and use of public infrastructure. Moreover, most customers expect their security needs and the security landscape to continue to evolve at an extremely rapid pace for the foreseeable future and thus are hesitant to commit to one service provider, or one solution, for a long period of time. Additionally, customers want incumbent service providers to compete with other service providers on a regular basis so that the incumbent does not take the customer for granted. Requirements & Exclusivity Large companies often became aligned with a particular IT service provider, so it was not unusual to refer to a company as a IBM shop or an EDS shop. This often resulted in customers receiving better pricing and better access to resources that come along with preferred status. Service providers often agreed to extend such benefits to customers in exchange for customers agreeing to use the service provider for all of the customers needs or requirements. Again, service providers were able to enjoy the benefits of a long-term captive customer. Customers, however, often found themselves trapped in contracts that no longer suited their needs. Absent compelling reasons, customers should avoid requirement contracts and other types of exclusivity arrangements. In fact security is of such critical importance that customers may seek to have redundant and/or back-up solutions available. Also given the range and complexity of security services, it is more likely than not that no one service provider is best of breed in more than a few aspects of security services. Service Levels, as part of an outsourcing arrangement service providers often hired customers existing staff and bought customers assets. In the early days and months of an IT outsourcing arrangement the service provider was really a proxy for the customer. Thus in the early days or months of an outsourcing arrangement, service providers often would agree to be held only to the same service levels as the customer was achieving in-house prior to outsourcing. Security services are of such a nature that customers are either not providing the service in-house or, even if services are being provided in-house, customers want to contract for improved service levels from day one. 7

8 Customers are demanding state-of-the-art service in the security area and are expecting service providers to put significant dollars at risk should the service provider fail to meet service levels. Since upon a service level failure it may be difficult to know with certainty whether a court or arbitrator will find that a service provider is in material breach thus triggering a termination right, customers are insisting on clearly defined termination rights triggered by a certain number of failures or a single failure of a certain severity. Force Majeure A force majeure event is widely accepted as relieving a party of its obligation to perform under contract. In typical IT outsourcing arrangements service providers are often given hours if not days to establish work-arounds before customers are entitled to seek cover or terminate the relationship. With regard to disaster recovery plans, customers often leave the details of the DRP, if not the creation of the DRP, until after the IT outsourcing agreement is signed. The occurrence of a force majeure event should automatically trigger the immediate implementation of the DRP or Business Continuity Plan (thus Customers must define and execute a DRP/BCP at the same time as they execute their security service agreement). Regardless of whether the DRP/BCP is implemented as expected or not, customers should be entitled to immediately seek alternative and/or supplemental services upon occurrence of an event of force majeure. Termination Rights & Termination Assistance Outsourcing agreements have traditionally allowed customers to terminate the agreements upon occurrence of specifically enumerated events, and in the case of material breach only after a period of time during which the service provider is entitled to effect of cure of the breach. A customer should be entitled to effect a termination immediately upon the occurrence of a material breach and the service provider should not be given the right to cure. While this may seem a radical departure from the established market terms for IT outsourcing, the impact of a security breach by its nature cannot be cured and is likely to be so significant that the customer should be able, if it so chooses, to engage another service provider or provide the service in-house. 8

9 Damages & Indemnities Service providers have had great success in insulating themselves from damages claims and indemnity claims, in essence arguing that, in addition to such limitations having become standard in the market place, the cost of providing services would be greatly increased if service providers were forced to bear the responsibility for all of the losses caused by their own actions or omissions. This ignores the argument that while in the short term prices might increase as service providers assess the new risks they have undertaken, the service providers that ultimately cause such losses will suffer the consequences of such loss (as would the customer had it not outsourced) and those service providers will ultimately not succeed (as would the customers). Customers entering into security services agreements should not accept the traditional IT outsourcing market place approach to limitations on damages and indemnities. This does not mean that service providers should be responsible for unlimited damages or indemnities. Rather, customers and their counsel need to carefully evaluate what type of damages and third-party claims could result from a failure by security service providers (including things like damage to data, damage to customers reputation, government fines) and determine what recourse customers are entitled to in the event of such failures. After Agreement Executed Scope Issues Customers and service providers frequently disagree on what is in-scope and thus covered by the base fees. Customers, their counsel and other technical advisors must carefully define what services service providers are expected to perform in order to minimize the potential for such disagreements. SLAs Service providers implicate customers or third-parties as the cause of service level failures. Customers need to ensure that service level responsibilities are clearly defined in multi-service provider environments and that all service providers are required to take corrective action immediately with issues of fault being determined later through root-cause analyses. 9

10 Customers accuse service providers of not delivering changes or improvements that customers believe service providers promised during marketing efforts and contract negotiations. Customers need to carefully evaluate marketing materials and make certain that any expected changes or improvements are clearly reflected in security services agreements. Commercial Relationship What was once touted by service providers as a partnership soon becomes a seller-buyer relationship. Customers need to evaluate their relationship with service providers as they would any other complex commercial relationship. Service providers are after all in business to make profit. Trends Selective Outsourcing & Multi-Service Provider Environments Shorter Term Cost Savings Improved Service Levels & Continuous Improvement The IT outsourcing marketplace is evolving at a rapid pace partly as a result of changes in technology and partly as a result of changes in business practices and economic conditions. Several trends in outsourcing are of particular importance in security service agreements, including: selective sourcing; multi-service provider environments; shorter terms; guaranteed cost savings; and improved service levels and continuous improvement. 10

11 Conclusions Companies considering security services outsourcing arrangements need to ensure that their service provider uses appropriate standards of security so that the companies data is secure and not available to others. A company s needs assessment at the outset of an outsourcing arrangement should include careful consideration of the security and privacy issues presented by the company s current, and anticipated, business practices and the current and evolving technology landscape. Often service providers security standards will be higher than those employed by companies considering outsourcing and outsourcing may actually enhance the companies security profile. However, this should not be an assumption going into the outsourcing arrangement and companies should specifically examine the extent to which their needs are addressed by service providers security offerings. With diligence and careful attention in addressing salient issues, including the issues presented in this paper, outsourcing security services can be a very effective, cost-efficient and expedient method for addressing the myriad of security challenges facing companies today. * * * If you have any questions or require further information please contact David Hudanish ( ) dhudanish@mayerbrownrowe.com or Nigel Howard ( ) nhoward@mayerbrownrowe.com. 11