IT Security - Who Watches the Watchmen?

Wednesday, April 27, 2011

John Nicholson

D15e0b682a84587af9af463961d00f22

When clients raise the question of the security of an outsourced service, it's frequently a proxy for the feeling that they can trust/have control over their own people, but don't really trust the service provider's personnel.

This type of concern showed up in a recent survey of CFOs conducted on behalf of SunGard Availability Services, more than half (56%) of those polled said they are concerned about the idea of outsourcing the management of their IT infrastructure due to the perceived security risks.

According to the survey, the responding executives' fears are exacerbated by high profile media stories about third party IT outages or data losses - with 45% of the respondents confessing that such cases make them more inclined to keep their data in-house, despite the cost implications.

When these concerns come up in an outsourcing deal, it's helpful to consider the current risk profile of the company and whether the company's systems and data are actually more secure in their current environment with their current staff, or if it's just the perception of loss of control that is making the executives feel that way.

There are, of course, risks associated with allowing your data and applications to sit somewhere else and be operated on by someone else, and some of these risks become more pronounced when you are operating in a cloud-based environment with little assurance about the physical location of your data. However, these risks can be managed both contractually and procedurally and have to be evaluated in the overall context of the business.

In many cases, the outsourced model may offer better, more secure, services because (a) the service provider has significant financial incentives to provide appropriate security policies and procedures - i.e., if the service provider's security fails they may be on the hook contractually for significant damages and the bad publicity could significantly impair their business or relationships with current customers; and (b) the service providers are able to recruit, train and retain dedicated security resources.

A few recent surveys help make the point that keeping your data in house might not be as secure as you think:

First, a new survey from Cyber-Ark Software found that 28 percent of IT managers in North America have used their privileged access to snoop around their corporate network for confidential information, and 44 percent of those in the EMEA region have done so, as well. Roughly 1/5th of respondents in North America and nearly 1/3rd in EMEA reported that co-workers have used administrative privileges to reach confidential or sensitive information.

Although nearly two thirds (64 percent) said their use of privileged accounts is currently being monitored, 40 percent of the respondents who said they were subject to that kind of monitoring (and 47% of respondents who are C-level personnel) said they could get around controls that monitor privileged access. Almost one fifth (18%) admitted that they had cases of insider sabotage or IT security fraud at their workplace.

Second, a survey of 1,250 IT decision makers at large enterprises (nearly 3/4 of which have more than 1,000 employees) by Courion Corp. found that one third (33%) of respondents do not believe their organizations have an accurate assessment of the level of IT risk they face from internal and external threats.

Nearly a quarter of the companies (23%) indicated that they do not have a formal IT risk management program in place - something required by in the US by numerous laws and regulations including the Red Flag Rules and the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth.

Some notable results in this survey include:

  • 39% of respondents identified instances of inappropriate access by privileged users within their organizations;
  • Nearly half (48%) of all responding companies reported discovering excessive user rights within their systems: and
  • over half (56%) admitted to cases in which access was still active for a user's prior role.

Security experts recommend that users' access be reviewed and certified by their managers and/or resource owners at least annually, but often more frequently (and for some industries this is required by the relevant regulatory authorities).

However, the survey results show that only 59% of responding organizations require business managers to certify access while just over half (52%) require certification by resource owners. More than 40% responded that the certification is done irregularly, at best.

A third survey from last October, also done by Courion Corp., revealed:

  • Nearly half (48.1%) of respondents said they are not confident that a compliance audit of their cloud-based applications would show that all user access is appropriate. An additional 15.7% admitted they are aware that potential access violations exist, but they don't know how to find them.
  • 61.2% of respondents said they have limited or no knowledge of which systems or applications employees have access to.
  • Nearly two thirds (64.3%) said they are not completely confident that they can prevent terminated employees from accessing one or more IT systems.

While ceding control of your environment and your data to a third party may seem like a scary prospect, particularly given the media attention on high-profile data breaches, it may be that the service provider has a better handle on the security of information entrusted to them than you might think (or than you might actually have in your own company).

Cross-posted from SourcingSpeak.com

Possibly Related Articles:
6636
Cloud Security
Service Provider
Cloud Security Enterprise Security Outsourcing SaaS Vendor Management Managed Services
Post Rating I Like this!
681afc0b54fe6a855e3b0215d3081d52
Susan V. James The statistics provided by CyberArk are interesting, and in no way exclude that the same sorts of snooping behavior does not happen at a cloud service provider. If it does or doesn't, how would the customer know?

At least on your own corporate network, while you may not have invested in technical controls that limit and track the activities of a privileged account, the potential to correct that problem rests within your own control. Either you're not controlling administrator privileges, you're doing it but not effectively, or you're doing it well. If you hand off data and/or application management to a service provider, you have to take their word regarding the effectiveness with which they claim to control administrator access to your privileged data.

It is interesting to contemplate the mischief that can be done in a cloud environment where administrator access to data is not well controlled, and the data of several same-sector competing businesses is managed by the same provider and accessible by the administrator staff. What kinds of inferences might be made by comparing the privileged information of competitors, and what value would this represent to an investor? Such a situation could make cloud an attractive target for corporate espionage. Taking things a step further, an organized hacking operation might be able to place operatives on the administrator staff of just a few cloud service providers and have access to a wealth of information that was formerly dispersed on separate corporate networks.
1303999712
D15e0b682a84587af9af463961d00f22
John Nicholson All good points, Susan. Thanks for your thoughts. My point is that:

(a) Before fearing that a cloud environment (or any outsourced environment) is inherently less secure than your own, you need to consider the possibility that your own environment may not be as secure as you think it is; and

(b) Outsourcing service providers and cloud providers have an economic interest in providing security and control as part of the service for which they are charging, while many businesses consider their own information security as overhead (ie a cost center rather than a profit center) and the line business people frequently consider information security as something to get around because it prevents them from moving as quickly as they want to.

You're absolutely right that a cloud environment could be a target rich environment for a dedicated criminal group, and if someone has sufficient privileges it's difficult to prevent them from doing something untraceable.

In the case of one cloud provider I've worked with, their admins do not generally have the rights to see the contents of customer's files, however, they have the ability to grant themselves those rights on a temporary basis. This would be a significant risk but for the fact that any such assignment of rights is logged and is automatically classified and investigated as a security incident. If those admins had access to the security logs and could erase the log, that would be poor design, but those systems are managed by other admins.

Obviously, there is the possibility of some level of conspiracy among admins, or that a bad actor will initiate a breach one a one-time, "career suicide" basis, but that kind of risk exists within each company who is outsourcing the function, as well.

Anyone outsourcing a function needs to investigate and evaluate the business practices of the service provider as part of their due diligence associated with the deal.
1304003383
681afc0b54fe6a855e3b0215d3081d52
Susan V. James I don't think there is any way to prevent collusion.

I think for some sectors where the risk of compromise has major cross-industry implications, professional licensing for engineering / administrator staff is becoming necessary, just like clearances for access to government systems.
1304004229
E376ca757c1ebdfbca96615bf71247bb
shawn merdinger and then there's the risk of actual watchmen like ghostexodus -- http://www.wired.com/threatlevel/2011/03/ghostexodus-2/
1304086456
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.