.

Outsourcing of Security

<<

luckydevil

User avatar

Newbie
Newbie

Posts: 19

Joined: Fri Feb 17, 2006 3:27 am

Location: UK

Post Mon Dec 04, 2006 4:28 pm

Outsourcing of Security

In light of recent conversations at work i have been wondering what other people think about outsourcing of security to parties outside the organisation.

The reason for this is that whilst looking after the security of the network there are some parts, namly our VPN link, that are not in control of us and we have limited access to view the concentrator logs.
I am wondering what others think as i am of the opinion that if you are going to our source it should be all or nothing, depending on the size of the oranisationand resources available. The reason for this in my case, historically, was that there was not the skill base in-house to cope with this.
I find it increasingly difficult to work on keeping a network secure when there is a grey area that i have no access to that connects to the internet.
Having sneaked a look at the config of the firewall that the 3rd party controls, i have become increasing alarmed as although our request for changes have been actioned there are several inconsistances that give me concerns as to how it is managed.
The main problem i see with outsourcing of security devices in pieces is that you have to assume that the other party are doing a good job. We have on many occasions asked for a config of the devices but trying to find someone willing to give it out is very hard.
I just think that without knowledge of the internal network it is very difficult for a 3rd party to be able to work efficiently, plus the fact that any changes required take time to do and are chargable even when testing so simple tests tend to turn into a headbanging exercise of paper configs and working it though step my step to see if it should in theory work.
There is a movement to trasnfer these devices back to internal control, led by me due to the remote connection becoming more critical.
Anyway after my rant i feel better but my main point is that i have to make sure the network meet accredication standards that are high but how can anyone say the perimeter is secure when there is this grey area?
Even with external testing of the devices you have to assume that the config of devices is updated and kept locked down, but without access how does anyone know and if you have access to the config would it not be easier to do it yourself.
I can understand smaller companies needing to outsource such services due to manpower and internal resource but is there any place for this in mid-larger organisations?
Correct me if i am out of order on this.
Nothing is impossible just improbable!!!
<<

oleDB

User avatar

Recruiters
Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Tue Dec 05, 2006 10:03 am

Re: Outsourcing of Security

I don't think outsourcing of security should be done unless you absolutely dont have the manpower to do it yourself.

I think one big problem I have with outsourcing IT in general is that you don't get what you pay for. Typically with a majority of consultants you get one guy who is a real expert who will be there for the initial sales con and for occasional problems. Otherwise your stuck with newbies who are learning security first hand on your network via googling and trial & error. When this is the case, your not getting what you pay for. You pay for security expertise, however this is the std practice in consulting. Have one real expert, but most of the staff is newbies who only have just passed a cert and have limited experience. Why pay for newbies when you can have a newbie in house for much less then 300/hr that they bill out at. I know some people might get offended by this, because obviously there are big exceptions to this generalization. I know there are very skilled smaller consulting groups out there that do top notch work. However I can say without a doubt the big 4 and IBM/EDS all operate like this.

The second reason I'm against Security outsourcing specifically, is what you already mentioned. How can you trust that they are doing a good job. You essentially have another expense of auditing to make sure that they are doing it "right".

The only good thing about outsourcing is that consultants are big targets. They are often made to take the blame for problems that are completely in house. This is complete BS, but often it is how suits get promotions or deflect the cost of failure.

Also never buy into the fallacy that outsourcing is cheaper. When you compare the cost of outsourcing versus the benefit of the actual results produced you see that this usually isn't the case. There are many high profile stories where consultants produce multi-million dollar code that is completely useless.

Too me in regards to security, outsourcing only make sense when you simply don't have the man power and you need to supplement for a very short time. It should also be employed for urgent incident response/forensics type problems where there may be prosecution involved. Other then that, I'm not a big fan.
<<

jimbob

Post Wed Dec 06, 2006 10:10 am

Re: Outsourcing of Security

One of the biggest problems I have seen with external security contractors is that they often do not gain enough familiarity with your site to provide effective cover. This is not always the case, particularly with smaller sites, but ask yourself how many other customers are vieing for their attention at any one time.

The catch is that smaller companies cannot afford a dedicated security staff and simply dumping this role on an existing staff member may not be an adequate solution. Horse for courses.

Jim
<<

luckydevil

User avatar

Newbie
Newbie

Posts: 19

Joined: Fri Feb 17, 2006 3:27 am

Location: UK

Post Thu Dec 07, 2006 3:06 am

Re: Outsourcing of Security

I am glad i am not on my own on this. Thanks for your comments, now all i need to do it convince my office that we need to change. I think i will go down the savings route as outsourcing our kit costs a fortune and does not provide a service of the related standard.

See how it goes..the words brickwall and running spring to mind but will persist.
Nothing is impossible just improbable!!!

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 0 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software