Outsourcing. There are a number of reasons why companies would want to outsource network security:

University Degree Business and Administrative studies

Outsourcing Network Security

Research paper submitted in partial fulfillment for

INFO 634

Jincy Sarah George

Texas A & M University

Fall 2007

Introduction

Information is as significant as assets for businesses. Network and digital information can support the overall operation of any business and when they are compromised corporations can suffer grim financial consequences. But is it really safe to surrender the network security perilously in the hands of an outsider? This can be answered only if we understand the need for outsourcing and the pros and cons related to outsourcing. Also, this would also include all the IT regulations and knowledge about the different components of the network.

Outsourcing can be an option only if all the steps to it are planned well else it will prove to be a futile effort on the part of the organization.

Need for Outsourcing

There are a number of reasons why companies would want to outsource network security:

Challenges in technical expertise staff - In any business, ensuring network security is a 24X7 job. In addition to the system responsibilities, the staff needs to be constantly updated on understanding and shielding against the latest threats. This results in an ever increasing need for security staff accumulating to the budget of staff and related benefits. (Levine,2005)

Cost Savings - A comprehensive network security system demands staff with very specialized technical expertise, continuous training, software etc. Outsourcing offers cost savings as they are able to reduce the IT staffing as the need to update security arises. (Mears, 2004) Also, costs of managing the security service works out to be less than hiring in-house, full time security experts. For example a managed security service provider spend about $75,000 a year to monitor a 250 user computer network on a T1 (1.5 MBps) gateway excluding hardware. Replicating these in an organization produces similar hardware costs, plus at least $240,000 in annual compensation to hire three full time specialists” (Information Week Survey, 2002)

Service Reliability- Network security requires 24X7X365 staff and monitoring which is possible when it is being handled by the service providers. Also, there would be service level agreements signed with service providers allowing them to even out the price of the services against the level of services making sure that all the service deliverables are met. (Cisco Systems, 2002)

Network Security Services

Discussed below are some essential concepts and components of network security:

Firewalls – A firewall is a protection planned against outside trespassers. They are often placed in between an Internet connection and an internal network. A firewall can be hardware or software that performs packet filtering. What this means is that it is specialized software which examines incoming traffic and if it does not meet certain criteria of rules it is blocked. The firewall should be configured properly in agreement with the ever altering business and technology infrastructures (Albanese & Sonnenreich, 2004, pg. 224).

Managed Anti- virus protection – Known viruses and Trojan signatures are stored in Anti-virus software. The latest virus updates are installed by itself periodically and the software is effective if it is run all the time. It also has to be updated frequently which is a “tremendous security hog and is expensive” (Albanese & Sonnenreich, 2004, pg. 394). The organizations can reduce their concern about security as the service providers bring in antivirus protection to the entire network which eliminates the need for the organizations to worry about updating their security from time to (Cisco Systems, 2002).

Access Control Services – The two primary parts to access control is authentication and authorization (Stamp, 2006, pg. 153). Authentication relates to a method where the user tries to authenticate themselves to a machine and authenticated users are allowed access to a machine. Authorization deals with how the users try to authenticate themselves and if access is granted or not.

The three basic ways a user can be authenticated are:

Something you know – This deals with something the users know like passwords, social security numbers, etc.

Something you have - ATM card, Smart cards

Something you are – Deals with the field of biometrics like fingerprints and handwritten signatures, facial recognition, speech recognition etc

Something the user knows does not cost much whereas the other two techniques would require the company to buy a smart card or a biometric device. It is the responsibility of the IT department to decide which technique to use taking into the account factors such as the company’s security philosophy and the cost.

This is a preview of the whole essay

Intrusion Detection Systems (IDS) – These security systems alert and warn the network administrators on unauthorized access. (Albanese & Sonnenreich, 2004, pg. 378) “Authentication can be viewed as a way to prevent intrusions and an example is firewalls” (Stamp, 2006) what will happen when intrusion prevention fails? The purpose of an IDS is to “detect attacks before, during and after they have occurred” (Stamp, 2006, pg. 197). When it notices a possible malicious threat called event it logs the transaction and takes the appropriate steps. For eg. by continuing to log, sending an alert by email , preventing the attack etc. Service Providers can put in the significant maintenance effort needed to keep it up to date and finely tuned. (Cisco Systems, 2002)

Encryption – Encryption protects the data which is being transferred by creating and sharing a secret by encrypting and decrypting messages. Companies should encrypt data wherever it sits on the network as it makes sense for backup tapes, laptops, PDAs or other storage media which contains sensitive information. According to the operations director Vincent Fusca from the Dartmouth Medical School, who receives quarterly updates of 18 GB Medicare patient data shipped on standard IBM cartridges, encryption is really important. Since the data contains sensitive personal and healthcare information, and it falls under the Health Insurance Portability and Accountability Act, they have looked at encryption with a security vendor and designed security architecture to keep up to date with encryption capabilities. The IT department should thus ensure that all data on and off the network is encrypted. (Cisco Systems, 2002)

Patch Management - An unpatched system is a hacker’s best friend. Most vendors are aware of the vulnerabilities of their product and release patches for system administrators to apply. Unfortunately, rarely do corporations apply patches. Bragg , Phodes-Ousley and Strassberg (2004) have designed the following rules for managing patches in the systems:

Make a list of software so that you would know what you have to shield.
There should be notification processes and services subscribed and implemented so that you would know when new patches are released.
The patches should be tested before they are applied to a production environment.
A feasible patch management tool must be implemented.
A patch management policy should be implemented so that we knows how frequently patches should be checked. Also computers should be audited to ensure patch mechanisms are working

A good system administrator should administer patch management to be done on a timely basis.

Security Audit Services – An audit is a comprehensive look at the information systems and business processes to check if security policies are being adhered to or not. And this is provided as documentation to the senior management in order to get a picture about what is working or not working. Looking through log files and using audit software are some of the processes which can be employed to audit a network for vulnerabilities (Bragg, R., et al., 2004).

Wireless Issues - There are a number of vulnerabilities in terms of business risk, which a wireless connection can be exposed to. As Chad Dickerson states IT has moved far beyond and now has become increasingly mobile. As the number of wireless hotspots increase it is equally necessary to secure these systems by setting up firewalls etc. There should be a periodic security audits done to find out about the areas of potential risks so that security policies can be implemented to make wireless devices secure.

Information Security Regulations

Chief information Officers and information security personnel should be increasingly responsible for the security practices which are followed by the Information Technology department. (Bragg, R. et al., 2004) IT personnel should play an active role in reducing the information losses by cyber attacks. Thus we would need an overview of the standards and regulations with respect to the security network. Some standards include ISO 17799, Gramm – Leach – Bliley Act of 1999, Sarbanes-Oxley Act of 2002 (SOX), Health Insurance Portability and Accountability Act (HIPPA).

ISO 17799 – International Standard ISO 17799, published in 2000 is the “code of practice for information security management”. It is the current gold standard for defining the best practices in information security. Some of the areas which this standard addresses are Organizational Security, Business Continuity Management, System Access Control, System Maintenance and compliance etc. (Bragg, R., et al., 2004)

Sarbanes – Oxley Act (SOX) – This act was by the Congress of the United States in 2002 in response to the fraud issues in Enron. The purpose of this act is to avert problems in big organizations by making certain that the higher management is actively involved and responsible for the correctness of data used in reporting the finances of the organization. (Haworth and Pietron, 2006). The data would most often be linked to a computer system which would explain the importance of knowing the Acts.

GLB – This act was put in place to bring about a standard for financial institutions to protect personal information. There are some federal agencies have been given the responsibility of establishing standards to ensure the confidentiality of customers and protect against any expected loss of such records. (Bragg, R. et al, 2004) The federal Trade commission safeguards rule says that any financial institution should take serious security measures which would include administrative and technical, whenever they are dealing with sensitive customer data (Bragg, R. et al, 2004, pg. 774) The IT personnel working with any sensitive financial data should be aware of these rules.

HIPAA - The Health Insurance Portability and accountability act was introduced to establish standards to safeguard health-related personal information. HIPAA reuires that all health departments and organizations offering health related services should make provisions to adhere to this Act in order to safeguard patient information which they would be using for their activities (Bragg, R. et al, 2004, pg. 776) Again the department of IT in that organization would be held responsible if they were not kept aware of this and sensitive patient health information will be jeopardized.

Outsourcing Network Security

From the above reading we understand that the move to hand off security functions to outside parties is a tough decision. With numerous government regulations and increased and complexed security issues, its time we looked at some of the benefits and risks of outsourcing to decide.

Benefits of Outsourcing Network Security

Below are benefits in accordance with Mears (2004) and Messmer(2005) :

Less Staffing – Outsourcing Network Security would require the organization to hire less staff for round-the-clock equipment monitoring.
Time Saver – By handing the network security functions to a service provider, the organization can use their time and resources to concentrate on more critical business needs, as a service provider would be able to monitor the client’s network 24X7X365.
Reports for senior Management - A managed service provider would be able to prepare ready audit reports on the network security functions much quickly than if it were managed in-house.
Deep Expertise – Monitoring a complex network security environments requires a very specialized know-how , which must be available 24X7X365 and also continuously updated and this is not affordable if the security is administered in – house.
Customer Equipment – Outsourcing corporate security removes “the need to purchase customer premises equipment and also reduces equipment support cost” (Messmer, 2005)

A good example of successful network security outsourcing is that of Credit Suisse in Zurich, Switzerland. The entered into a three year contract with Ubizen where Ubizen was asked to monitor their network security.

The chief security officer of Credit Suisse agrees that keeping intrusion detection systems is very essential to managing suisse’s network security. In addition to this he adds that it is especially costly and challenging because it is not credit suisse’ core function. He says that Ubizen is definitely going to effectively monitor their network security and they will have savings due to the relocation of the IT staff and also they woulnt have to worry about the increasing need for IT staff as security need heighten (Messmer, 2005)

The VP of information security for Raymond James Financial, Gene Fredriksen decided to add part outsourcing of the financial’s intrusion detection systems with Verisign in addition to having internal security procedures. He believes that it is important not to restrict the sphere of security and that it is essential to have a benchmark or a metric so that an outsider can have a look at the level of security and let them know if they missing something. (Messmer, 2005)

Risks of Outsourcing Network Security

Let us explore both sides of the coin. The following are some of the apparent risks of outsourcing network security (Mears, 2004):

Vendor Viability – Outsourcing is a big irreversible step, therefore a reliable provider should be chosen. One with a proven track record in providing quality security services over extended periods of time. Also, in addition to this, the financial stability should also be considered. “Gartner estimates that a publicly traded Managed Security Service Provider (MSSP) should have more than $10 million in annual MSSP contracts.” (Levine, 2005). The management credentials should also be checked which includes looking at the background of the MSSP management and staff.
Finding a match – There must be a partnership which should be formed between the client and the service provider so that they would be able to work on common goals. “Things could take a bad turn”, if a successful partnership is not on the cards of the client.
Setting a safety net – Since the network security is primarily the responsibility of the Information Technology personnel, there should sufficient experts on the client side to articulately communicate the needs of the organization and also to address issues that might come up with the outsourcer.
Legal Issues – Outsourcing might in some cases introduce legal questions especially if it is being done in a foreign country where they are not familiar with legal compliance procedures. Therefore users may become distrustful of some service providers.

Some organizations are wary of outsourcing their network security. The CIO of Harvard Medical School and Caregroup healthcare system in boston is not a big believer in outsourcing. He had begun outsourcing in 2001 but put an end to it after a span of two years. Halamka says that being a healthcare organization played a big part in his decision as he feels it is essential to create a core competency in network security. In addition to the HIPAA, he also needs an extra vigilant team of expertise which would help him in keeping away from hackers who attack his network system on an average of 7 seconds. (Mears, 2004, pg. 80)

Evaluating Outsourcing Implementation

If the decision to outsource network security is taken, then it becomes critical for the organization to outline “security responsibility and penalty breaches” (Twing, 2005) in the outsourcing contract. There should be a review team which will sketch out the potential risks that would impact the different business units of the organization and also to provide a way to raise issues to the senior management. Some examples of potential risks are (Twing, 2005):

Critical company information is being exposed to an outsider
Personal Employee or employee data is visible to an outsider. For example, data provided by a healthcare company would expose many personal details of patients to an outsider.
Patented intellectual property of the company. For example, source code
There would be no control over the vendor’s recruitment of management.
No control over business continuity problems for the processes which are outsourced.
The IT equipment would be relocated to an unknown environment.

After the potential risks are understood, there should be policies defined with respect to roles and responsibilities, audits and penalties. These should be included in a contractual statement between the service provider and the corporation. With a thorough risk and risk mitigation review, the IT department can ensure that they have taken the necessary steps before transferring the workload to the service provider.

Gartner Research has laid out ten steps to successful outsourcing (Parry, 2004), as stated below:

Multi-source Network function - Networks should be chosen based on their expertise and core competency so getting a sourcing management in place team in place would help develop the multi sourcing networking function in the organization.
Alignment of IT and business needs – All the sourcing strategies should be planned in such a way that they are aligned with the business needs of the organization. This helps the senior management and executives to be on the same page as the IT security department.
Keep in mind to communicate the expectations – The desired outcomes of the client should be communicated clearly with the vendor so that they map directly with the contract structure. The client should keep in mind that the focus should be on the effectiveness of the sourcing and not only on the efficiency so that it will help make their business successful.
Weigh the value of customized versus standardized services – The risk/benefit of the type of service should be considered. Also, the strategic importance of the outcome should be worked out to determine if it is the exact fit for your organization.
Select a vendor who will be able to meet the organization’s financial and business goals – The outsourcing vendor may have many different delivery options like offshore, near shore etc. Therefore the organization should adapt itself to this and align it to their business goals.
Define a partnership model – A good partnership which maps the outcome to payment and incentive structure becomes mutually beneficial to both the parties which results in a successful business relationship.
“Negotiate and renegotiate a win win deal” – Clients should make sure short term contracts are signed so that they could “realign expectations and benefits on an annual basis” and also benchmark performance and measure customer satisfaction.
Choosing vendors with the “consortia approach” – The market should be scanned for different types of outsourcing service vendors.
A good central management plan should be implemented – There should be reponsibilities matrix set along with rules on continuing relations without conflicts
Outsourcing relationships must be rejuvenated – It is very important to strike the right balance of trust and control with your outsourcing partner to form a successful business relation.

By following these ten steps, managing the outsourcing activities and ongoing communication on all levels will help to better the relationship with the service provider.

Conclusion

If companies were to decide on outsourcing network security, then it should be made after outlining the organization’s overall outsourcing strategy and also the IT department should have the necessary expertise, tools and capacity to manage a successful outsourcing relationship. There are some companies like John Hamalka CIO of Harvard Medical School who feel that there is no benefit to outsourcing because his company deals with sensitive patient data. On the other hand, organizations like Credit Suisse finds that financial savings and IT staffing are two of the greatest benefits of outsourcing network security.

There is no best model for outsourcing security. Small companies do not have a committed security staff so they can use service providers to relieve themselves from routine security functions. Whereas large companies may have the staff but they would have to continuously update themselves with new vulnerabilities and compliance issues. Therefore, we can conclude that if outsourcing is clearly planned and monitored, then it is just a matter of time and experience before outsourcing network security becomes a feasible alternative for companies.

References

Albanese, Jason, and Wes Sonnenreich. Network Security Illustrated. 1st ed. New York, NY: McGraw Hill, 2004. 1-410.

Cisco Systems Inc. “Securing your Business Information Strategies for Outsourcing Security Measures” 2002. 1-9

Hope, Michele. "Who's Minding the Data Store?" Networkworld.Com 15 Aug. 2005: 42-44.

Allen, Julia, Gabbard Derek, May Christopher. “Outsourcing MSSP” Carnegie Mellon Software Engineering Institute

Bragg, Roberta, Robert Rhodes-Ousley, and Keith Strassberg. The Complete Reference Network Security. 1st ed. Emeryville, CA: McGraw Hill/Osborne, 2004. 1-787.

Dickerson, Chad. "The Top 20 IT Mistakes." Infoworld.Com 11 Nov. 2004: 34-41.

Haworth, Dwight A., and Leah R. Pietron. "Sarbanes-Oxley: Achieving Compliance by Starting with ISO 17799." Information Systems Management Winter 2006: 73-87.

Levine, D.E. “Farming out Network Security” Security Technology and Design May 2005: 66-72

Mears, Jennifer. "Is Security Ripe for Outsourcing?" Network World. 23 Aug. 2004. <www.networkworld.com>.

Messmer, Ellen. “Outsourced Security called battle tested” NetworkWorld 13 June. 2005: 22-23

Parry, Ed. "Gartner's 10 Steps to Mastering Outsourcing." Seach CIO. 19 May 2004. <www.searchcio.com>.

Peltier, Thomas R., Justin Peltier, and John Blackley. Information Security Fundamentals. 1st ed. Boca Raton, Florida: Auerbach Publication - a CRC P Co, 2005. 1-234.

Pinder, Phil. "Preparing Information Security for Legal and Regulatory Compliance (Sarbanes-Oxley and Basel II)." Science Direct 2006: 32-38.

Stamp, Mark. Information Security Principles and Practice. 1st ed. Hoboken, NJ: John Wiley & Sons, Inc., 2006. 1-357.

Schuchman, Martin. “Should you consider outsourcing?” Communication News December 2006. www.comnews.com

Schwartz, Ephraim. “Outsourcing the Network” InfoWorld 16 Jan 2006: 12

Twing, Dan. "Reviewing the Security Aspect of Outsourcing." Network World. 12 Sept. 2005. <www.networkworld.com>.

Outsourcing. There are a number of reasons why companies would want to outsource network security:

This is a preview of the whole essay

Document Details

Related Essays

Outsourcing Report. Objectives are: To conduct a literature review...

Outsourcing or Insourcing

Nike's use of outsourcing.

Outsourcing: A Covert Curse?