So you’ve decided to outsource part of your network infrastructure or services. There’s nothing particularly new about that - outsourcing and managed services have been with us for many years now. They may rise and fall in favour from year to year, so the amount of services outsourced varies, but it’s not a new concept.
You may decide to outsource your WAN, your ecommerce services or your whole LAN infrastructure, but just because you’ve handed over the running to someone else doesn’t absolve you of responsibility when it comes to securing the services used by your staff and customers.
If you’re in the process of choosing an outsourcing partner, think about these guidelines. If you already have, do a quick check and see how much of this you’re doing — and what you’re missing.
Choosing a partner
If you’re issuing a tender for an outsourcing contract you should have a dedicated section covering security. Emphasising its importance in this way will show that you are serious about security and that any prospective supplier will have to be too. Ask for the security credentials of the company, what security training its employees go through and what security policies it follows. You should have the right to audit - or have an independent third party audit - any security procedures and the security mechanisms in place within the supplier’s own company.
If you have a managed service, you may well have people from the supplier working in your offices alongside company staff, but however well integrated into the team they are, they don’t work for your company. They should have access rights suitable to their job function - not necessarily the same rights as company employees. You should have an authentication, authorisation and accounting (AAA) process in place for protecting and auditing network devices. It is best that suppliers are included in this and have unique login IDs, not one generic ID that may be shared by many different engineers.
Similarly, just because BT, for example, looks after your WAN, doesn’t mean that any BT engineer can just wander into your building or comms rooms. Passes for regular visitors are a good idea - anyone else should be treated like any other (untrusted) visitor. If you work for a government agency, do you need to specify that contractors need to be of a certain security clearance? Even if you don’t, there should be a stipulation in any contract that protects your confidential company data, and requires your supplier to sign an agreement to that effect - after all, these people may be capturing client-server transactions on a sniffer and who knows where that file may go afterwards.
It’s probable that there will be a link between your company network and your provider’s; the amount of connectivity will depend on what they are managing for you. They will have their own security measures, no doubt, to protect themselves from you, but it is your responsibility to ensure that the link is locked down to provide access for exactly what you need it to and nothing else. If they use a link to provide offsite monitoring and management, then make sure that only the required management traffic is permitted, ideally to and from specified known addresses. Make sure you know how they secure their own network (obviously not all the details - if they offer you too much information then worry, because that suggests a careless attitude to confidential information).
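To make the “only the required management traffic, to and from known addresses” point concrete, here is an added illustration (not from the original article) that models the inbound rules on your side of a provider’s management link with first-match, implicit-deny semantics, and compares a loose policy that trusts the provider’s whole subnet with a tight one that permits only SNMP and SSH from two named NOC hosts to your managed devices. All addresses, ports and rules are constructed for the example.

```python
"""Compare a loose and a tight access list on a link to an outsourcing
partner's management network (inbound direction, our side of the link).
Every address, port and rule below is constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None means any port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def matches(rule: Rule, flow: Flow) -> bool:
    return (ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst)
            and rule.proto in ("any", flow.proto)
            and rule.dport in (None, flow.dport))


def evaluate(acl: List[Rule], flow: Flow) -> str:
    """First matching rule wins; no match means the implicit deny."""
    for rule in acl:
        if matches(rule, flow):
            return rule.action
    return "deny"


# Loose: the whole provider subnet may reach anything on our network.
LOOSE_ACL = [Rule("permit", "203.0.113.0/24", "0.0.0.0/0", "any", None)]

# Tight: named NOC hosts, management protocols only, managed devices only.
NOC_HOSTS = ["203.0.113.10/32", "203.0.113.11/32"]   # constructed provider NOC addresses
MANAGED = "10.0.0.0/24"                              # constructed management subnet of our devices
TIGHT_ACL = [Rule("permit", h, MANAGED, "udp", 161) for h in NOC_HOSTS]   # SNMP polling
TIGHT_ACL += [Rule("permit", h, MANAGED, "tcp", 22) for h in NOC_HOSTS]   # SSH management
TIGHT_ACL.append(Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None))    # explicit final deny


def compare(flow: Flow) -> Tuple[str, str]:
    """Return (loose verdict, tight verdict) for one flow."""
    return evaluate(LOOSE_ACL, flow), evaluate(TIGHT_ACL, flow)
```

Running `compare` on a flow from an unlisted provider host, or from a NOC host to a LAN file server, shows the loose list permitting what the tight list denies; any traffic the provider asks for beyond these rules should be justified and added explicitly, not covered by a blanket permit.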
You’ll have SLAs in place in terms of service availability, bandwidth guarantees and response times. What about security issues? Have you specified anything to do with how soon you’ll be told if there is a security violation? When patches and security updates will be applied? How your supplier will handle the checking of logs for potential problems? Or are you just assuming that they will ‘look after it’? Make sure that they tell you when they are applying fixes and patches, otherwise it may get done as a general maintenance task and you’ll have no visibility of what’s being done to your network.
In the end remember that it is your company’s network. You may wonder why you need to concern yourself with these facets; the point of outsourcing surely is supposed to be that you don’t have to manage your network. As far as security is concerned (unless you are specifically outsourcing your security and even then you still need to take account of all the above) it is your responsibility, and claiming it’s all someone else’s fault won’t wash if a security vulnerability takes down part of your company network.