Monday, October 13, 2008

Security in outsourcing deals: problem or solution?

Question:
Security in outsourcing deals: problem or solution?
It seems to be some kind of paradox. Outsourcing could lead to efficiency if processes are standardized. So implementing security as a part of standard governance should be part of some solution. At the same time every customer demands their own security standards implemented, which often differ in approach and/or weight. Each line of industry (of course) has its own standard. This makes it next to impossible to deliver according to all those standards at the same time (according to contract) and still reach efficiency goals. Or is the whole community silently agreeing to deliver non-compliant? Does anyone have any thoughts about this matter which they would like to share with me, in Dutch or in English?

Answer:
.......,
I have been evaluating/auditing security aspects of outsourcing operations for a while.

It is actually possible to find efficiency in delivering security requirements for outsourcing providers.

Security has a universal interpretation, regardless of the language in which it is spoken.

You are right that every customer/ every industry/ every information security framework brings some new obligations to the solution providers, and it is not possible to offer a standard cookie-cutter solution set for a broad customer base.

Here are the tested approaches to ease the pressure of never-ending customer security requirements on outsourcing providers:

1- Map it: When analyzed thoroughly, you will find more common requirements than exclusive ones. In my own projects I can tell that more than 80% of the security requirements are common. The first step is to form cross-industry requirement matrices. Several organizations deliver these mapping matrices (e.g. ISACA). Customer has requirement A, which matches your solution B. You can find mapping matrices for COBIT, ITIL, ISO27001, PCI, etc. For example, if you have an ISO 27001 compliant service and your customer is asking for HIPAA, you may easily map your existing ISO controls to HIPAA.

2- Offer Self-Service: Flexibility of the delivery infrastructure is the most effective answer to diverse customer requirements. When we initially developed a reporting portal, we thought that having 100 reports would be sufficient for our customer base. It wasn't. As you have indicated, it never ends; every day there is a new requirement. We ended up building a reporting engine so that the customers can build their own reports. Today if a customer has a new security report requirement, we tell them to go to the portal and build one. For the workflow we took the same approach. We could not enforce our own workflow for escalation on all customers, so we ended up developing a business rules engine. Now incidents are escalated according to customer requirements on the backoffice system. If a customer requires a sophisticated flow, they choose to pay for developing their own business rules on our rules engine. It is possible to increase the number of examples, but I assume the idea is clear.

3- Get Modular: Even the mighty outsourcing providers are brought to their knees by weird customer requirements. Make sure that the operational flow and the compliance of the outsourcing operations can interface with 3rd-party specialists. That is the beauty of multi-sourcing under a single contract. I was working with a large TelCo where the outsourcing provider had everything but the DNS appliances; introducing a 3rd-party specialist under the outsourcer's umbrella fixed the problem. If the interface agreements are done, and if there is a structured framework for auditing outsourcing service partners, this is a way to grow healthy operations (low on the cost side as well).

4- Focus on Service Management: Usually service/outsourcing companies rely on generic service managers who are afraid to go outside the contract terms. That does not work well in the information security world. If the service managers can understand customer requirements properly and relate them to outsourcing backoffice operations, many of the problems can be fixed before escalation. I like to see all customer-facing members of the team working on the delivery side in the operations for a while. It is the only way to learn to flip the burger before selling it.

At the end of the day, the whole community is silently following a Darwinist path: the ones who adapt to the requirements intelligently without hurting the operations and the budgets survive... The old "my way or the highway" approach just hurts the whole service industry.

I would have written more since the topic requires more attention, but please let me know if you have a specific question.

regards,
- yinal ozkan
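The "business rules engine" in point 2 and the DNS specialist in point 3 both come down to the same design: escalation routes are data that each customer owns, evaluated by one shared engine, rather than code branches per customer. The following Python is an added example, not code from the original post; the customer names (acme-bank, telco-co), the rule vocabulary (asset_class values, severity scale, SLA minutes) and the escalation targets are all constructed for illustration.

```python
"""Per-customer incident escalation driven by rule data, not per-customer code.

Added example (not from the original post). Customer names, asset classes,
severity scale and escalation targets are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

Cond = Union[object, Tuple[str, int]]   # exact value, or ("gte", n) for a numeric floor


@dataclass
class Incident:
    customer: str
    severity: int            # constructed scale: 1 (informational) .. 5 (critical)
    asset_class: str         # constructed vocabulary: "cardholder", "dns", "workstation"
    after_hours: bool = False


@dataclass
class Rule:
    name: str
    conditions: Dict[str, Cond]   # incident field -> required value; empty dict matches all
    escalate_to: str
    sla_minutes: int


def matches(rule: Rule, inc: Incident) -> bool:
    """True when every condition in the rule holds for the incident."""
    for fld, expected in rule.conditions.items():
        actual = getattr(inc, fld)
        if isinstance(expected, tuple) and expected[0] == "gte":
            if actual < expected[1]:
                return False
        elif actual != expected:
            return False
    return True


# Provider-wide defaults. The last rule has no conditions, so it always matches.
PROVIDER_DEFAULTS: List[Rule] = [
    Rule("provider-critical", {"severity": ("gte", 4)}, "provider-noc", 60),
    Rule("provider-standard", {}, "provider-ticket-queue", 240),
]

# Each customer's rules, in the order the customer wants them tried (first match wins).
CUSTOMER_RULES: Dict[str, List[Rule]] = {
    "acme-bank": [
        Rule("acme-cardholder", {"asset_class": "cardholder", "severity": ("gte", 3)},
             "acme-ciso-oncall", 15),
        Rule("acme-after-hours", {"after_hours": True, "severity": ("gte", 4)},
             "acme-soc-lead", 30),
    ],
    "telco-co": [
        # the multi-sourcing case: DNS incidents go straight to the 3rd-party specialist
        Rule("telco-dns", {"asset_class": "dns"}, "dns-specialist-partner", 20),
    ],
}


def escalate(inc: Incident,
             customer_rules: Dict[str, List[Rule]] = CUSTOMER_RULES,
             defaults: List[Rule] = PROVIDER_DEFAULTS) -> Rule:
    """Try the customer's own rules in order, then the provider defaults."""
    for rule in customer_rules.get(inc.customer, []) + defaults:
        if matches(rule, inc):
            return rule
    raise ValueError("no catch-all rule configured")   # only if defaults were edited badly


if __name__ == "__main__":
    for inc in [Incident("acme-bank", 3, "cardholder"),
                Incident("acme-bank", 4, "workstation", after_hours=True),
                Incident("telco-co", 1, "dns"),
                Incident("unknown-co", 5, "workstation")]:
        r = escalate(inc)
        print(f"{inc.customer}: {r.name} -> {r.escalate_to} within {r.sla_minutes} min")
```

Adding a customer with an unusual flow means appending to CUSTOMER_RULES, not touching escalate(); the catch-all at the end of the provider defaults guarantees that an incident from a customer with no rules, or one that matches none of theirs, still gets a route and an SLA.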

Sunday, October 12, 2008

IT Security Consultant Jr.

Question: How can I train myself in IT Security?
I've been a technical consultant, developer and other various SDLC-related roles for quite a while now. My goal is to move into IT Security, so how do I jump-start? What should I read, or do?
I would very much appreciate it if anyone can clarify what skillsets an IT Security Consultant should/must have.

Answer:
......,
As discussed above you have the right foundation to kick-start an IT security career.
An IT security career is a broad term; it can be defined by the combination of several practice areas, and you need the fundamental skills to take the first step. Specializations like Network Security, Application Security, Penetration Testing, Database Security, Cryptology and Audit will come later, with specific skill-set requirements.
First, fundamental skills:
1- Have a solid understanding of TCP/IP for today's interconnected world of digital assets. (If any other network technologies are used you need to understand them as well.) You may either read one of the good books in the market (e.g. TCP/IP Illustrated) or write a small socket application from scratch. You should be able to pass the Cisco CCNA cert with your development background without any detailed help/courses, just a few books... When you read a network capture file you must be confident.
2- Have a solid understanding of the basic pillars of information security: authentication, authorization, integrity, encryption and non-repudiation. You should be able to relate to all the applications you use from a security perspective. Try evaluating the applications that you use daily in terms of the pillars I mentioned above. Understand approaches, methodologies and solution sets.
3- Have a solid understanding of risk. Make sure that you understand the full risk life-cycle: Assets, Threats, Vulnerabilities, Safeguards, Gaps, etc. Once you understand the threats and the safeguards, your vision gets clearer. You can study risk management frameworks that are available publicly.
4- Have a solid understanding of IT security specific initiatives like COBIT, ISO27001, NIST, PCI, NSA, CERT, CVE, etc.
If you want to be a consultant then you need some more basics:
1- Understand market requirements, trends, and solution sets. Start reading. Start following the top 10 blogs and other interesting blogs for information security, set up your Google Alerts, subscribe to the mailing lists, and start checking security research sites daily.
2- Build up your jargon: study CISSP, GIAC, CISM, CISA, etc. These certifications help you speak the same jargon as the rest (the CIA triad, role-based management, etc.). When you say "web access blocking" instead of "URL filtering", your interviews will be short.
3- Get familiar with common solution sets, vendors and methodologies. Name 3 alternative solutions for each security requirement.
Another shortcut is to focus on one area only; if you like any of the areas above (Network Security, Application Security, Penetration Testing, Database Security, Cryptology, Audit) I can provide different paths. You may also try getting a vendor certification first and then start practicing security (Check Point, Cisco, etc.) as a shortcut.
Again, these are basics; these things will open the door for you, and they will make you book smart... Being a consultant requires active projects and hands-on expertise. On-the-job training is priceless if you can get an opportunity. If you do not have a project, then you may join one of the community projects like OWASP, Snort, OSSTMM et al.
I have seen many self-starters choosing the security management path. Without genuine information security experience, a security management claim will be fun material for the veterans. Baby steps recommended.
I think this is a good start, but let me know if you have any specific questions.
Cheers,
- yinal ozkan
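Fundamental skill 1 above ends with "when you read a network capture file you must be confident." The kind of exercise that builds that confidence is decoding a capture by hand, header by header, rather than trusting a tool. The following Python is an added example, not code from the original post or from any tool it names: it builds a constructed one-packet classic pcap file in memory (the MAC addresses, IP addresses, ports and timestamp are made up), then walks it back out through the pcap record header, Ethernet II, IPv4 and TCP, verifying the IPv4 header checksum along the way. Only the standard library is used.

```python
"""Decode a classic pcap file by hand: pcap headers -> Ethernet II -> IPv4 -> TCP.

Added example, not code from the original post. The capture below is
constructed in memory; every address, port and timestamp in it is made up.
"""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's-complement of the one's-complement sum of 16-bit words.
    Run over a header that still contains its checksum field, it returns 0 if intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Decode one Ethernet II frame as far as the headers allow (L2 -> IPv4 -> TCP)."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    pkt = {"src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac), "ethertype": ethertype}
    if ethertype != 0x0800:
        return pkt                           # not IPv4: stop at layer 2
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4               # header length in bytes (options included)
    pkt.update({
        "ip_version": ver_ihl >> 4, "ihl": ihl, "ttl": ttl, "proto": proto,
        "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
        "dont_fragment": bool(flags_frag & 0x4000),
        "ip_checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
    })
    if proto != 6:
        return pkt                           # not TCP: stop at layer 3
    tcp = ip[ihl:total_len]                  # trust total_len, not the frame length
    (sport, dport, seq, ack, off_res, flags, window,
     _tcsum, _urg) = struct.unpack("!HHIIBBHHH", tcp[:20])
    doff = (off_res >> 4) * 4                # data offset: TCP header length in bytes
    pkt.update({
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "flags": [name for bit, name in TCP_FLAGS if flags & bit],
        "window": window, "payload": tcp[doff:],
    })
    return pkt


def parse_pcap(data: bytes) -> list:
    """Walk a classic pcap byte string and decode every record with parse_frame()."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"                            # written by a little-endian host
    elif magic == 0xD4C3B2A1:
        end = ">"                            # written by a big-endian host
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    _, _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack(end + "IHHiIII", data[:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are decoded here")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated capture record")
        off += incl_len
        pkt = parse_frame(frame)
        pkt["timestamp"] = ts_sec + ts_usec / 1e6
        pkt["snapped"] = incl_len < orig_len   # snaplen cut the packet short
        packets.append(pkt)
    return packets


def build_sample_pcap() -> bytes:
    """Constructed capture: one TCP SYN, 10.0.0.5:40000 -> 192.0.2.10:443 (made-up values)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 0x1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    total_len = 20 + len(tcp)
    ip_zero = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                          socket.inet_aton("10.0.0.5"), socket.inet_aton("192.0.2.10"))
    ip = ip_zero[:10] + struct.pack("!H", ipv4_checksum(ip_zero)) + ip_zero[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    frame = eth + ip + tcp
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    record_hdr = struct.pack("<IIII", 1223856000, 0, len(frame), len(frame))
    return global_hdr + record_hdr + frame


if __name__ == "__main__":
    for p in parse_pcap(build_sample_pcap()):
        print(p)
```

Two habits this exercise builds: the IPv4 checksum covers only the header, so a flipped byte anywhere in the first 20 bytes turns ip_checksum_ok false while the TCP fields still decode "normally"; and the lengths to trust are the ones the headers carry (IHL, total length, data offset), not the length of the frame the capture happened to record. A real capture file from tcpdump or Wireshark with Ethernet link type can be fed to parse_pcap() unchanged; pcapng files and other link types are out of scope here.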