Moderator: Today's Expert Q&A with Bob McKee, VP, advisory services, senior advisor and managing director at Technology Risk Advisors, will begin in 1 minute. Please enter your questions in the bottom frame of the screen. If you want to avoid seeing participants entering and exiting the chat room, please press hush in the upper right hand quadrant of the screen.
kguglielmo4019: What general security criteria should be used in choosing a service provider?
Bob_McKee : How is physical security provided? How is network security provided? Is periodic testing for breaches done? What are their methods for ensuring data privacy, e.g., encryption and user authentication? Are operating systems hardened? Are security audits/assessments done regularly?
scushman32719: What are the basic security questions that need to be asked in the initial stages of evaluating a service provider?
Bob_McKee : How does the provider address: secure connectivity (VPNs, encryption of data), perimeter security (firewalls, access control lists), activity monitoring (intrusion detection, log management), security scanning (server scans for vulnerabilities), identification and authentication of users (server certificates, extended authentication techniques, remote access authentication), access control (authorization) and security management (policy, standards)?
pvio144730: What are some of the security services that an outsourcer can provide?
Bob_McKee : Managing firewalls and VPNs, performing vulnerability analyses, intrusion detection, anti-virus software installation and definitions, and designing, implementing and/or managing a security architecture.
bvigil778530: Who are some of the providers of security services?
Bob_McKee : In addition to well-known providers such as the "Big 5", IBM Global Services, EDS and CSC, there is a growing list of providers who emphasize security services including: ISS (Internet Security Systems), Counterpane Internet Security, RIPTECH, Foundstone, OneSecure, Guardent, Exodus and RedSiren.
mlewis755104: As part of the security "due diligence" process what other steps should a company take before signing a contract with a service provider?
Bob_McKee : 1. Assign responsibility for security coordination to a senior person in your organization. Remember, your organization is still responsible for the protection of your information assets. Primary accountability for this cannot be delegated to the service provider. 2. Clearly define the security responsibilities of the provider. 3. Establish clear communication mechanisms. If an incident occurs you will need to know about it immediately. 4. Make security a major part of your SLA with the provider. 5. Does the provider participate in industry groups such as the ASP Consortium or the ISP DDOS Working Group? The latter is made up of technology companies looking at methods to address the growing problem of distributed denial of service (DDOS) attacks, which can shut down the provider and disrupt service by flooding the provider with bogus messages that overwhelm their servers.
mbrunelli483239: What are the security components of the service level agreement (SLA) that exists in the contract with the service provider?
Bob_McKee : What is your system availability standard? What is your problem resolution standard? Describe how your business contingency/disaster recovery program works. Specify the actions the SP will take in the event of a security incident (a warning only or an attempt to address the issue). Understand the actions taken by the SP to guard against denial of service attacks (e.g., filtering out DOS traffic).
cketcher806153: Should client references be asked for and checked out?
Bob_McKee : Always. It is important that these references are managed service clients and not just professional services (consulting) clients. Many vendors provide both services. Discussing security concerns with professional services clients will not provide you with the information you need to make a good decision on a service provider's approach to security.
rkugele710330: Do you see more companies (both corporate IT departments and dot-coms) embracing outsourcing more or less during this current IT spending slowdown?
Bob_McKee : Yes, I do. The costs can be significantly less by going this route.
bill-beaton771303 : Are there contract terms that should be considered to mitigate the impact (financial) of a breakdown in the provider's security?
Bob_McKee : Yes, in today's environment you need to understand who has responsibility for what as far as protection of info is concerned. You need your law dept involved in this sensitive area. Most ISPs will not take direct responsibility for security incidents. On the other hand they are obliged to take reasonable precautions, and that is where your law dept should be involved to make certain that everyone is clear on the definition of reasonable.
connell_dan944907 : What tools are available to perform vulnerability analyses?
Bob_McKee : There are many tools that providers use, such as those from Internet Security Systems and Axent Technologies, to name a couple. You can find a lengthy list of these products on the sans.org website.
ben.friedman683733 : Who in the SSP space do you recommend that does a good job regarding security issues?
Bob_McKee : There are many, but I can give you the following to look into: ISS, Riptech, Foundstone, OneSecure, Counterpane, Exodus, Para-Protect or Netigy. That is not a complete list, but all of them have good reputations.
mlewis755104: Are there any type of service providers that are too much of a security risk?
Bob_McKee : Absolutely. I would not name them here, but you can tell quickly by asking some basic questions such as 'Show me how you ASSURE the operational security of your Internet-connected computers?'
cgagne72489: What is a SAS70 Report?
Bob_McKee : This applies to service provider certification by a third party.
anns641793: How important is it for a co-location to have multiple facilities. In addition, how far apart should these facilities be located?
Bob_McKee : From a security perspective, it is very important. Ideally they should be geographically diverse. However, as a practical matter that may not work. They should be at least in separate cities if not in separate states.
jonathan.palmer535179 : Have there been any well known breaches of data privacy that you are aware of?
Bob_McKee : Tons. Start with Microsoft and work toward government sites around the world and then to financial services and telecommunications companies. There are now many political 'hacktivists' in the world who are doing this as well. Most companies will not admit to having a breach, but it is unlikely that any major company has not been victimized at least once.
daniel.spooner349743 : Do you think the telecommunications links currently available are secure enough for data transfer now and in the future?
Bob_McKee : Yes, I do. I believe this is a matter of giving security its proper attention, configuration and monitoring.
brama712777: What is the role of an Aggregator and what are the security issues to be considered?
Bob_McKee : An Aggregator is a vendor who can integrate and consolidate functions that service providers perform. This may be useful when multiple service providers are needed, especially in the near term where there are still so many providers of specialty services such as security. Many are small companies providing specialty services like security who will eventually merge, be acquired or go out of business. While the aggregator can save you a great deal of time and money, the same security issues that apply to individual providers must be addressed. For example, a combined SLA with all of the noted security components would be easier to administer. In any case, an enterprise should have a senior manager act as the liaison between the company and the aggregator to make sure its interests are served well.
ben.friedman683733 : Security is huge on corporate IT minds. How would you overcome "traditional minded" objections related to outsourcing security services to a service provider?
Bob_McKee : I have run into that a lot. I think it needs to be presented as a means of helping the business succeed. There are, of course, threats and vulnerabilities to point out, but that is not necessarily going to be enough to get management's attention. However, developing a reputation as a company that takes protection of information seriously is a big help when responding to inquisitive clients or business partners. Security questions come up much more frequently today than in the past.
sburns53763: Can I get an XSP to guarantee security levels?
Bob_McKee : Good luck. You will never get a guarantee, but by asking the right questions, you can come reasonably close. There are a number of detailed questions that a security practitioner can ask to quickly ascertain how seriously an SP takes protection of information.
bsheets30856: What are some of the more specific security questions that should be asked of the provider?
Bob_McKee : Describe your incident management process. What user authentication methods are used? ID/Password only? Other? How frequently are security assessments (audits) completed, who performs them and how are findings implemented?
dan935726: Should you protect your data from the provider since most security breaches are from within an organization?
Bob_McKee : Yes! Find out what their own security policies and standards are, how they are communicated to staff and who has access to your information and at what level. Most providers take good care on this point, but it should not be taken for granted.
jonathan.palmer535179 : Do you think companies are happy using a SSP or are there considerable reservations? Would you find this greatest with larger or smaller businesses?
Bob_McKee : I think the trend is for more companies to use providers in place of expensive and scarce qualified resources. A good SLA is crucial to future success regardless of the size of the company. Like anything, if you do your homework and ask the right question up front, you will be happier. There is a trend toward consolidation of providers so be sure to find out about their plans and financials.
peter_rigsbee218172 : Most xSPs seem to be ignoring solutions that share servers or storage between customers, despite the cost advantages for space, scaling, or reduced admin (in large part for security reasons). Do you see this changing?
Bob_McKee : Don't know if it will change, but from a security perspective you don't want to do that, as it creates added exposures and puts you at risk of being victimized by someone else's security weaknesses.
ben.friedman683733 : What are those questions that need to be asked? (referring to the detailed questions to ask a XSP about security levels)
Bob_McKee : Some are:
- How is network security provided?
- How is physical security provided?
- How is perimeter security done?
- How is activity monitoring accomplished (intrusion detection software and log monitoring)?
- What are their user authentication methods?
- How often are independent third party security audits done and how are the findings acted upon?
- Last but not least, how do they filter out DDOS traffic? This is a critical question and one that is difficult to answer.
terri.curran893668 : Should you check to see if the service provider has good relationships with law enforcement and have an external escalation plan (NIPC, etc.)?
Bob_McKee : Yes, however, the answer will probably be no to the law enforcement question, but they must have some knowledge of forensics and have some type of external escalation plan.
beschram807948: Are you familiar with any content tracking technologies?
Bob_McKee : Those that I am familiar with I would not necessarily recommend as many have significant weaknesses. There is a good list of these products on the SANS.ORG web site.
ben.friedman683733 : From a technical standpoint, there are proven ways to avoid being "victimized" as you say when it comes to security in shared-storage services, wouldn't you agree?
Bob_McKee : Yes I would agree, but they require diligence and attention on your part.
bill-beaton828255 : How good or bad are the current generation of SPs at admitting to their clients that breaches have occurred?
Bob_McKee : I think SPs are probably pretty up front about that. A clear set of responsibilities should be in your SLA on that point. In other words, do you expect them to just inform you, or do you expect them to take an active role in addressing the incident? Also you need to know what their incident management procedures are.
Moderator: We are no longer accepting questions. However, Bob McKee will continue to answer questions that have been submitted for the next 15 minutes.
william.tompkins689385 : Should you ask to be directly involved with the xSP's Disaster Recovery exercise? Should you require them to show you documented proof that they have been performing disaster recovery tests?
Bob_McKee : Yes and yes.
anns641793: Considering these security breaches, how reasonable is the claim that data is more reliable when stored by an SSP?
Bob_McKee : Not very. I am probably more conservative than most, but I wonder how much energy a provider will put into that when they know that it is you who are still ultimately responsible for data protection, not them. On the other hand, they have a reputation to uphold and it is a very competitive industry right now. It is a two-edged sword.
jjimenez417114: Typically, how many man-hours should my ISP spend on security per day?
Bob_McKee : Great question. I would say it is a 24x7 thing. You cannot predict when a hacker or a virus will strike. They are not 9 to 5'ers. Seriously, they should have monitoring capabilities in place on a 24x7 basis.
mike.marshall186343 : It seems that the questions I should ask my xSP are the same questions I should ask my own IT department. Can you make any distinctions?
Bob_McKee : That is true. You might want to ask them about their relationships with other providers and/or how they handle their own corporate security. That at least gives you an indication of how seriously they take it. If they do not have security policies and procedures, look for the nearest exit.
dan935726: Should your data be protected from the service provider since most security breaches are from internal sources?
Bob_McKee: Yes. At a minimum, SPs must have their own, well communicated, security policies and standards; they must have adequate control over employee access; and they should conduct background checks on new employees.
dan.holzman529633: How are personnel at ISPs checked for trustworthiness?
Bob_McKee: Through background checks and through acceptance of and demonstrated adherence to the ISP's formal employee security policies and standards.
henry.sirola642810: Hesitation over security concerns seems to be hindering the SSP market as a whole. Could this shut the industry down? Is there any particular SSP that is doing it right?
Bob_McKee: It is difficult to assess from a distance which of the many SPs are doing the job of information protection well and which ones are not. The only way to find out for sure is to do your homework by asking the right questions of each and every SP that you are considering. Some of these questions might include: How do they provide physical security? How do they authenticate their users? What is their incident management process? How are policies communicated to their employees, especially those with access? How often are independent third party security audits conducted? Also, look for examples of their policies and their SLAs. Another good question is: How do they deal with protecting your information from Denial of Service (DOS) attacks?
ryan654490: Are there any Managed Hosting Providers in the marketplace that focus on Security?
Bob_McKee: Yes, there are many. The big three, CSC, EDS and IBM Global Services, are expanding their capabilities to include more emphasis on security. Others include the 'Big Five' and smaller companies such as Counterpane, ISS, Guardent, Foundstone, Exodus and Loudcloud. This is by no means a complete list, just a few examples.
han_ying524463: What single sign-on products do you see that are popular today?
Bob_McKee: It is important to understand your Single Sign-On (SSO) needs (web access, employee access, for example) before talking to any vendor, as all of the products differ somewhat. Some of the products are: GetAccess from EnCommerce (recently acquired by Entrust); Siteminder from Netegrity; Cleartrust from Securant. IBM, Microsoft and Computer Associates include SSO as part of their suite of security offerings.
henry.sirola642810: What, in your opinion, are some of the better security certifications currently?
Bob_McKee: A SAS70 (Statement of Auditing Standards) audit is a good way to assess the security capabilities of an SP. It addresses controls put in place, their design and their deployment. Many security services vendors can conduct this assessment.
Bill.gleason465336: What are the security risks associated with outsourcing your data storage to a Web Storage Service Provider (e.g. X-Drive, Driveway, etc.)?
Bob_McKee: Many of the risks apply to any outsourcer who has information entrusted to them. The risks include: unauthorized access from inside and outside; stealing or destroying the information for competitive or political reasons; attacks by intruders such as denial of service (DDOS) attacks that can deny access to the stored data (tools for doing these things abound on the Internet). Another risk is relying on the provider to provide for the protection of your stored information as well as you would do so. You are outsourcing trust in this case, so due diligence when evaluating an SSP is a must.
david.lawson669123: While the responsibility to protect assets remains with the company, what mechanisms are available to shift/share some of the risk/liability to the SP in contracts and elsewhere?
Bob_McKee: A strong, clear SLA will help, one that clearly describes responsibilities, expectations and actions. A law department sign off is essential as is a continuing relationship with SP management.
ryan654490: Are you familiar with ServerVault? We are currently looking at several hosting providers, and they seem to address security the best. What is your take on them?
Bob_McKee: Cannot get into evaluating individual providers.
anns641793: How many nines are acceptable for an SSP?
Bob_McKee: From a security perspective, acceptability should not be judged in terms of nines. Risks are always present and the wolf is always at the door. How an ISP protects your information and, therefore, mitigates these risks is what is important to determine. There is no such thing as 100 percent protection in today's computing environment.
beschram807948: What do you recommend regarding the protection of intellectual properties/ digital assets?
Bob_McKee: My recommendation would be to perform a risk analysis (probably an independent third party) to identify what your IP is, how it is protected and who is most likely to want to copy, steal or destroy it.
jeffrey.redden967818: What type of reporting should I expect from my provider regarding the security of my platforms?
Bob_McKee: The provider should regularly report any incidents (viruses or attempts at intrusion) and what they are doing about them as part of your SLA. Serious incidents should be reported at once. Any changes in their security technology, such as firewall configurations, Intrusion Detection Capabilities, anti-virus software and activity log management should be reported as well.
gordonstark184959: What is the projection for data security growth over the next 3 years?
Bob_McKee: Don't know what the numbers might be as the growth of security parallels the growing business dependency on technology, i.e., for e-business, the corresponding increase in exposures, and the increasing sophistication of viruses and hacking capabilities. Compliance with consumer privacy legislation will be a growth area. Among other things, I see the need for stronger mechanisms for identification of the user as an essential part of e-business security growth over that period. Wider use of data encryption is also important to ensure privacy. Incident management, including an increasing level of understanding of computer forensics will also become more important.
jonathan.palmer535179: Do you see any potential for a SME product similar to what Sage does for accounting packages, or will security always be a big boys only game?
Bob_McKee: Don't know about SAGE, but security is definitely not a 'big boys only' game. Insecure servers are fair game for hackers and virus writers regardless of who owns them. Security basics apply across the board and products are designed and usually are priced on a per user basis. If you have information to protect, then you are a potential victim whether you have one computer to protect or thousands.
ed.zucker247550: What security SLAs should a storage service provider (offering disk storage and tape backup) be offering to its customers?
Bob_McKee: Basics: They should show how their computers are protected so that they are not easily taken over to gather information or to be used to attack other systems. And where appropriate, they should also show how they protect your server from defacement to publicly embarrass you or mislead visitors to your site. More specifically, an SLA should refer to how the following will be provided: secure connectivity, perimeter security (firewalls), log monitoring, incident management, user identification, control over access, and physical security. Roles and responsibilities should be clearly stated.
Moderator: This searchITServices.com Live Expert Q&A has now ended. We would like to thank Bob McKee for his time and expertise this afternoon. Don't forget about the chat transcript, which will be available in 48 hours. Thanks for attending!
Bob_McKee : Thanks for the great questions. Please feel free to email me with follow ups at bob.mckee@tradvisors.com.