RE: Outsourcing of User Administration



The article raises good points, but any outsourcing relationship is only
as good as the documented process and procedures included in the Scope
of Work to be outsourced. If key items are not clearly communicated and
neither side is able to identify and fill in the gaps during
implementation, then the deployed solution will not be secure. Any
outsourcer of this type (Managed Services) would first need to request
a deep dive audit of the current security policies in place and clearly
identify in the initial SOW where current processes are not secure.
It's not as simple as many think, which is why outsourcing can fail and
fail badly...as with any job, it's all in the planning and due diligence
beforehand that makes/breaks a successful project.

Best Regards,
Jeff Dinger

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Eric Zatko
Sent: Wednesday, March 28, 2007 11:14 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Cc: christine_pouliot@xxxxxxxxxxx
Subject: Re: Outsourcing of User Administration

Christine,

Great question! Bruce Schneier says that "On the one hand, the promises
of outsourced security seem so attractive: the potential to significantly increase
your network's security without hiring half a dozen people or spending
a fortune is impossible to ignore. On the other hand, there are the
stories of managed security companies going out of business, and bad
experiences with outsourcing other areas of IT. It's no wonder that
paralysis is the most common reaction to the whole thing."

I interpret him to say that outsourcing your user/security management
is a bad idea.

Check it out here: http://www.counterpane.com/outsourcing.pdf

Regards,
Eric Zatko

"Whatever has overstepped its due bounds is always in a state of
instability."
Lucius Annaeus Seneca (4 BC-65) Roman philosopher and playwright.



<christine_pouliot@xxxxxxxxxxx> Sunday, March 25, 2007 5:47 PM >>>
I am interested to know who has outsourced the user admin function
including add, change, delete of Active Directory accounts, business
applications and Directory services. What controls were used to ensure
that the outsourcer did not have availability to intellectual capital?


