How to Exercise Security Diligence When Outsourcing IT

By Rob White  |  Posted 2010-12-06

When outsourcing IT, your company is giving up its operational control; therefore, it is more critical than ever to exercise IT security diligence and confirm that your IT vendor has the proper security controls in place throughout the term of the engagement. Regardless of how much is outsourced, the risk and financial liability from an IT security perspective is still the responsibility of the customer.

Here are 10 security questions to ask of any vendor before outsourcing IT.

Question No. 1: Where will my data and applications physically reside and what security protections are enforced for those locations? Does my data go to any other entity outside of the vendor? Does it ever leave the country?

Information security is about securing the entire data supply chain to ensure protection of data in-flight and data at rest, no matter where it travels. An outsourcing/cloud/IT service vendor will easily know the physical locations of data centers, but it is the client's responsibility to dig deeper and demand the same level of intelligence about the security of their new virtual data center as if they were doing it themselves. Who has access to that data? Can you get criminal background checks on those resources? Where is the disaster recovery (DR) data center? Where do the tape backups go? Who has access to those facilities?

Your data IS your business. Protecting that information and keeping it safe is like protecting a nation's gold reserve when that was the standard of currency.

Question No. 2: Will my company have a dedicated or shared infrastructure? If shared, how does the vendor maintain compliance between its customers? How does the vendor maintain isolation and privacy of my data?

Whether it is public cloud, personal cloud or any other services engagement, vendors will naturally want to leverage virtualized shared infrastructures to drive down cost and increase utilization.

Clients should demand an understanding of the security controls in place protecting their "home away from home" data center, and include tightly prescriptive controls around isolation and protection of their data and applications from the vendor's other clients. The potential savings of that outsourcing initiative can all be wiped away with a single breach. It is always about risk and reward.

You must take a hard look and ask yourself, "At what risk am I saving this 50 percent plus TCO?" It is the client's responsibility to manage the risk and enforce security controls as part of the contract since the vendor's primary motivator is to demonstrate the cost savings. The client should take their new role as an auditor seriously.

Question No. 3: Is the vendor running intrusion detection systems (IDS) or intrusion protection systems (IPS) on the network?

IDS/IPS have been a compliance requirement of the Payment Card Industry Data Security Standard (PCI DSS) for some time now. Most vendors will be able to fill the check mark in the box for perimeter IDS/IPS technology. Any technology is only as good as how well it is implemented. The security delivery team must stay ahead of the ever-changing threats and provide businesses with the flexibility that is needed when it comes to tuning, updating and keeping security policies fresh.

Intrusion detection is also just that: detection, which comes too late. Intrusion protection, which actually prevents the breach before it happens, is far superior and a better security posture. IPS can be leveraged only once a baseline of good business traffic has been understood for 60 to 90 days. Only then can you tell the good traffic from the bad traffic and customize a protection strategy for your business in the clouds.

Clients need to dig deep and demand an understanding of these security controls. Review your outsourcer's network diagrams and security policies, and understand what security is tuned for your personal cloud to protect your business. One-size-fits-all does not work in security. Your security profile is as unique as your business or your fingerprint.

Question No. 4: If the deal encompasses endpoints, is the vendor using encryption?

Managed desktop engagements are typically about reducing cost. Traditional approaches leverage desktop virtualization and lock down the desktop with tools such as Citrix to reduce cost.

While the vendor will be primarily concerned with demonstrating cost reduction, the client needs to incorporate and enforce security controls to be in place on those endpoints. Technologies such as full disk encryption, media encryption, device firewall and anti-malware should no longer be optional. Roughly 80 percent of corporate breaches are from lost or stolen distributed endpoint devices and 45 percent of corporate data resides on endpoints. A single lost device can be the crack in the dam, causing catastrophe.

Question No. 5: What is the service-level agreement (SLA) for updating security policies for change requests or security protections when new threats arise?

One of the challenges of security is the constantly changing threats that can attack from anywhere on the planet. New attacks and threats occur every hour and the primary challenge of running security operations centers is staying ahead of those threats. What is needed is centralized management to click a button and propagate consistent security protections out to every device, every asset and every location.

Roughly 90 percent of network security breaches happen on systems where a known patch could have prevented that breach. Most providers will have SLAs defined, but one must check references and make the vendor prove that they deliver on their SLAs. They must take the business of protecting your data very seriously. They also should not price gouge if your change requests exceed your monthly quota.

The client has given up operational control but not the risk. They should demand the most from their vendor to take that risk seriously and deliver on their SLAs.

Question No. 6: How often does the vendor update firewall rules and policies?

One must have frequent updates to security policies and protections in order to stay ahead of the threat. The TCO of any system is how often you have to touch it. Security by definition implies frequent updates, forever. Centralized management and proactive SLAs ensure staying ahead of the threat and delivering business agility. Security managed correctly can be a business enabler.

Question No. 7: What insurance coverage does the vendor have in the event of an IT security breach, and what is its incident response plan and process?

No security vendor assumes the risk of a full-out security breach. They do, however, provide SLAs and other services to mitigate risks. If enough time goes by, the likelihood of a security breach increases. Any outsourcing negotiation should include protocol and set guidelines on who assumes the risk in these situations. The shared model is one in which your provider shares the risk in the event that its failure to meet SLAs contributed to the breach.

Putting security controls in place to mitigate risk is important. The next question is, "What is the incident response and process to immediately close the vulnerability and work with research, forensics and broader law enforcement entities?"

Question No. 8: What cyber-forensics capabilities are there?

Security response and business process is just as important as the ability to effectively manage security policies and estates. The threat today has changed from a decade ago. It is not about fame and bringing down the stock exchange. It is about getting in, stealing your data and then leaving no trace behind. The threat knows how to spot and exploit vulnerabilities, and especially how to weave in cleverly blended attacks.

The ability to stop thieves mandates top industry expertise to not only correlate events between security controls, but to know their tricks and how to head them off at the pass before they happen.

Part of any engagement should include vulnerability and penetration testing, and even ethical hacking from the best tools and best security engineers.

Question No. 9: How does the vendor stay in touch with the broader security community and how does it receive updates?

An outsourcing vendor should demonstrate that it is plugged in to the broader community and has multiple data feeds for new threats, viruses and other malicious code. What is the communication vehicle to update clients on security risks, news and breaches? How fast does your personal cloud get updated upon notification of a new threat?

Your chosen vendor needs to demonstrate that it has incident response processes with connections to law enforcement, multiple feeds of threat intelligence and a direct linkage to the broader security community. Security is about proactive management; a vendor's quality of service (QOS) in this respect is determined by how well-informed they are of threat vectors to mitigate risk and stay ahead of the problem.

Question No. 10: What is my ability to get out of the contract?

Vendors naturally try to lock clients into long-term engagements that last five years or more. Until a vendor can demonstrate that they take the stewardship of your data and your applications seriously as mission-critical operations, you need to know how you can get out of the contract.


Given the economics of cloud and outsourcing, it is hard to argue against considering such solutions. The hype around cloud can be a little nauseating as it is nothing new from an IT operations perspective. Mainframes had virtualization, workload management and many of the facilities we associate with cloud today. The Internet age found the concept rebranded as "ASP" (application service provider), with many of the UNIX platforms as the primary virtualization platforms. Today, the cloud hype is giving a renewed face to outsourcing and a new commercial model for how IT is consumed.

Outsourcing can be a great method for achieving those financial gains but you can never outsource risk. You should think twice before giving up the keys to the kingdom. Whoever you do decide to trust with your business has the ability to cause catastrophic damage.

The best thing you can do is demand all of the best security controls, and enforce continual diligence and proactive management of your business to mitigate risk. Use PCI as an actionable and prescriptive framework, and then add data loss prevention (DLP) to the requirement of your engagement. Public clouds are more dangerous. Go with personal clouds that offer isolation, protection and customization so that you have your very own security profile.

If you don't enforce security and diligence, your vendor will just do the minimum. Then it's only a matter of time before there is a security breach or loss of data.

Rob White is Director of IT Security Services at Fujitsu America. Prior to his role at Fujitsu America, Rob held positions at Fujitsu Technology Solutions and Amdahl IT Services. He can be reached at
