Is the vendor running IDS or IPS on the network?
Question No. 3: Is the vendor running intrusion detection systems (IDS) or intrusion protection systems (IPS) on the network?
IDS/IPS have been a compliance requirement of the Payment Card Industry Data Security Standard (PCI DSS) for some time now. Most vendors will be able to check the box for perimeter IDS/IPS technology, but any technology is only as good as its implementation. The security delivery team must stay ahead of ever-changing threats and give businesses the flexibility they need when it comes to tuning, updating and keeping security policies fresh.
Intrusion detection is also just that: detection ("Too late!"). Intrusion protection, which prevents the breach before it happens in the first place, is a far better security posture. IPS can be leveraged only when a baseline of good business traffic is understood for 60 to 90 days. Only then can you distinguish the good traffic from the bad traffic and customize a protection strategy for your business in the cloud.
Clients need to dig deep and demand an understanding of these security controls. Review your outsourcer's network diagrams and security policies, and understand what security is tuned for your personal cloud to protect your business. One-size-fits-all does not work in security. Your security profile is as unique as your business or your fingerprint.
Question No. 4: If the deal encompasses endpoints, is the vendor using encryption?
Managed desktop engagements are typically about reducing cost. Traditional approaches leverage desktop virtualization and lock down the desktop with tools such as Citrix to reduce cost.
While the vendor will be primarily concerned with demonstrating cost reduction, the client needs to require and enforce security controls on those endpoints. Technologies such as full disk encryption, media encryption, device firewall and anti-malware should no longer be optional. Roughly 80 percent of corporate breaches are from lost or stolen distributed endpoint devices, and 45 percent of corporate data resides on endpoints. A single lost device can be the crack in the dam, causing catastrophe.