
I've been on a kick mentioning to particular clients to quit managing their own dns, email, blogging platform, file transfer setup, etc. This from observing how poor they are at practicing good defense (e.g. promptly applying security patches) and the maturing of security conscious providers.

My conjecture is for security immature companies it’s better to outsource to the likes of:

http://www.zerigo.com/ for dns
http://www.dropsend.com/ for secure file transfer
http://mediatemple.net/wordpress-webhosting.php for blogging
http://chargify.com/ for accepting payments
...plus many more

I still believe sensitive information is better kept in-house (e.g. source code), then again it depends on the org.'s capabilities. But I also say it’s better to let the other guy's server get popped versus you having to block lateral movement of an attacker within your network.

From what I’ve seen recently, many SaaS vendors play better defense (they will die if they have too many security incidents).

Scott Pack
Tate Hansen

4 Answers


Outsourcing, whether it be to managed service providers, developers or other third parties should be structured in such a way as to allow you access to the same reporting and management information as you would have had you kept the service in house. This could include results of security testing, alert and event statistics etc.

As mentioned, these requirements MUST be written into 3rd party contracts otherwise suppliers have very little motivation to include them.

The ISF have been working to develop a standard around 3rd party assurance and the International Standards Organisation have just accepted the draft so once published this will give useful guidance.

Rory Alsop
    If we're paying for a SaaS 'managed' service then we shouldn't need those management reports. No matter if we are outsourcing the risk, or if we're outsourcing for the expertise, demanding the reports in a 3rd party contract doesn't seem beneficial. The vendor simply needs to maintain a quality reputation with clients who pay bills on time. Anything else should be out of scope of the contract. IaaS on the other hand may require those reports, since they are typically not managed by the 3rd party. – makerofthings7 Dec 02 '10 at 15:38

So assuming that the title is the question, then as you've noticed the answer depends. If the business doesn't have the resources or expertise to address the risks associated with hosting its own infrastructure, then outsourcing is the lower-risk approach. Of course, outsourcing comes with its own risks, which can only be mitigated financially via service level agreements.

By the way, on the subject of source code, I even outsource that for my own code (client code is either hosted by the client or kept internal). For me the risk seems low but as a small company the reward in time and effort saved is substantial.


As @Graham mentioned, outsourcing has its own risks. And the existing risks are not gone, they are only reduced.

So the question is, do you view risk transference as better?
You're not getting rid of the risk, you're just pushing it off to somebody else to handle.
Is that good for you? It's really down to business factors and risk.

Btw, I would question your assumption that outsourcers would do this better than in-house - but as you already mentioned, it depends on the org's capabilities.

AviD

From a business perspective, startups should always outsource as much as possible. Even if they can manage their own infrastructure better, they should be focusing on their startup business and not the network infrastructure. Also, owning your infrastructure is a large investment -- money better invested in your startup. Renting is much cheaper in the near term.

With that said, in the long term, companies tend to pull more IT functions in house. A lot of outsourcing companies are "body shops" with constant turnover of employees, few of which last more than a year. After a pentest or security assessment, our customers find lots of problems with outsourced companies that make them want to bring more stuff in house.

Robert David Graham