Service suppliers: risk or rigour?

Working with third parties, whether they are hosting companies, co-location sites or cloud providers, is bound to raise security fears, writes Rod Newing

If there is one change that is likely to arouse security concerns, it is outsourcing your IT. After all, security is difficult enough to maintain in-house, and introducing a third-party outsourcer adds more complexity and more risk.

However, in the right circumstances and managed properly, it can actually improve security, according to Ken Bunce, from the leadership board of The Corporate IT Forum’s Information Security Service. “The general perception is that [outsourcing] is a bad thing, because you are losing an element of control,” he says. “However, in some cases outsourcing may be the best way to increase security.”

That is because before an organisation embarks on an outsourcing contract, it must go through a lengthy dialogue with the potential service provider to establish its processes and needs, including security. The involvement of an expert third party can help the organisation to understand its own operations and risks.

“It encourages you to identify the things you rely on and the controls needed around them,” says Mr Bunce. “The outsourced service is more secure, because security requirements are much more clearly defined.”

Keith Tilley, European vice president at SunGard Availability Services, warns that an organisation must have a grip on governance, risk management and regulatory compliance internally. If not, it will expose just how deficient its security is when it starts working with an outsourcer.

Because they serve multiple clients, outsourcers are able to build more resilient systems, employ more specialist security staff, and monitor activity much more closely than would be possible for any single organisation. Databarracks, a cloud service provider, even bases its data centres in nuclear bunkers, which are proof against natural and urban disasters.

“Security is a serious business for outsourcers, with implications for their survival and reputation, so it is not a simple check in the box,” says Ralf Dreischmeier, European head of IT practice at The Boston Consulting Group. “It requires a significant investment.” Part of the negative perception is that outsourcing can be delivered in so many very different models, including business processes, hosting, co-location, managed security services, private clouds and public clouds.

Garry Sidaway, global strategy director at Integralis, an information security solutions provider, says that traditional outsourcers have long-established reporting and certification processes that provide assurance to businesses wanting to contract their services. However, this is not yet the case with some cloud service providers.

A major caveat is that while organisations can outsource tasks and processes, they will always remain responsible for the security. This means they must maintain an active internal risk function. “They can guide the outsourcer on their appetite for risk and the processes and controls they need to maintain the right level of security,” says Etienne Greeff, professional services director for SecureData Europe, a supplier of secure networks. “An outsourcer can’t make that determination.”

Mr Dreischmeier warns that compliance does not relieve outsourcers of the need to demonstrate compliance with local law as well. He also notes that many outsourcing companies' own internal standards are stronger than those required by security standards. “A service level agreement and some contractual penalties are as good a protection against a risk of failure as a home-owners insurance is a protection against being burgled,” he adds. “They may help to reduce the financial impact of a risk materialising, but they cannot replace adherence to security standards, combined with adequate business continuity planning - the deadbolt lock in the reinforced door of a home.”

Fujitsu encourages its clients to use independent third-party contractors to test outsourced systems. “This requires investment of time and money, but it is vital to ensure that the client gets what they paid for,” says David Robinson, the company’s chief security officer and director of its information security business unit.

Mr Bunce advises security managers to visit the outsourcers’ key sites and talk to the people who operate their controls and make decisions, particularly offshore in different cultures. This can reveal issues that audits or evidence-based testing would miss.

Whereas some of the more immature cloud providers may struggle to meet an organisation’s security requirements, it is clear that outsourcing to experienced contractors can actually increase security if managed properly. This requires constant dialogue between the parties on security issues, however, with the organisation taking responsibility through proper risk management and governance, and through adequate auditing and testing.

“The traditional thinking, that outsourcing increases risk, has been exposed as a myth,” says Ron Perris, chief technical officer of Outpost24, a network security provider. “Outsourcing providers have the time, resources and expertise to improve the risk posture of organisations.”

SECURITY STANDARDS

Adoption of appropriate security standards provides a vital first step in the essential process of building trust with a potential outsourcer. These include: ISO 27001 on information security management systems; Statement on Auditing Standards (SAS) 70 on service organisations; Statement on Standards for Attestation Engagements (SSAE) 16 on reporting on controls at a service organisation, which took effect in June 2011; and the Common Assurance Maturity Model on risk.