Security considerations of network outsourcing


Network Security, November 1995. © 1995 Elsevier Science Ltd.

Security Considerations of Network Outsourcing

Dr John Leach and Colin Brown, Zergo

Over the last year or two a large number of organizations have looked seriously at concentrating their efforts on doing what they do best, their core businesses, and at outsourcing where possible the management of their IT. Outsourcing the network or network services can be highly beneficial but brings with it major security concerns. In this article we discuss what can be done to protect the business from network security problems when the network is outsourced. The main instruments available to retain the needed level of control are the contract with the service provider and the Service Level Agreement (SLA). We discuss the problems of specifying security requirements within the SLA and of measuring the security service provided. We focus on the issues that the contract needs to tackle and on what it is the contract needs to say. At the end of the day, having an open and cooperative relationship with the service provider is possibly the best way to obtain the necessary confidence that the security requirements are being met.

The tighter financial pressures of the last few years have forced companies to identify and concentrate on their core business. This has led them to consider whether it is part of their core business to run networks and has caused them to look into outsourcing the provision of the network services they have built up. Organizations ranging from government departments to banks and pharmaceutical companies have taken the plunge and now buy their network services from external suppliers.

Outsourcing raises new worries about network security. Ideally these need to be thoroughly addressed before any outsourcing contracts are entered into, but in the real world, other pressures can mean that the security issues are not addressed until after the external supplier has been awarded the contract to operate the network. This article will be of interest both to those who are contemplating outsourcing their network services and to those who have already done so.

Outsourcing a network does not bring any radically new threats to bear. The main concern stems from the transfer of direct day-to-day control over some of these threats out of the hands of the network user organization into the hands of another organization. How can the user organization be confident that the supplier of network services will take the necessary security precautions? Despite what the account manager might have promised, will the provider's employees understand the need for security and adhere to the necessary security procedures? Will the provider recruit staff without checking their background adequately?

There can be some grounds for optimism. The supplier of network services is likely to have been exposed to the network security concerns of many of the customers it supports. It should have the resources needed to handle network security in a professional manner. It should be well aware of the impact of a security breach on its future business as well as on the business of its customers. However, a network user would be rash to rely on these factors on their own to ensure that it receives adequate attention to security issues!

The approach to making outsourcing secure

Outsourcing introduces a significant change in the business arrangements around the provision of the network service, and the security arrangements usually have to be changed to reflect that. The principal change is that outsourcing results in a greater separation between the network service customer and network service provider roles.

Without outsourcing, these two roles are normally separated only by internal boundaries between divisions within an organization. The modus operandi by which the two parts interwork will reflect the point that ultimately they are both part of the same organization and are (or should be) working towards a common goal. Importantly, any disagreements or disputes can be resolved by escalation within the company.

With outsourcing, the customer and provider roles are separated by external boundaries between two independent and legally autonomous organizations. This requires a more formal approach to be taken to the security arrangements, with a view, ultimately, to the arrangements possibly needing to be defended in a court of law.

The overall objective of the outsourcing security approach is to ensure that there is a clear, unambiguous and agreed definition of:

- The allocation of responsibilities between the two parties.
- All expectations by either party regarding the services and facilities being provided by the supplier.
- All expectations by either party regarding how the relationship between provider and purchaser will be managed and controlled.

The recommended method for achieving this is for the contract between the two parties to make reference to a Service Level Agreement (SLA) containing this unambiguous and agreed definition.

The user organization's senior management remains responsible for the security of their information. Although it is the service provider's responsibility to comply with all the security-relevant items in the outsourcing contract, it is the user organization's responsibility to ensure that, through the outsourcing contract, adequate protection is provided. The form of the contract terms is open for discussion. Given that the outsourcing contract is a private agreement between two parties, the security-relevant items may cover whatever the two parties together agree they should cover. However, the intention should be to make the specification of security items comprehensive and for it to fit naturally within the overall framework of the service being provided, so that security issues can be managed in the same way that all other outsourcing issues are managed and no special arrangements need to be made.

For example, it is common for the outsourcing contract and its associated SLA to describe the service being provided in terms of the requirements of the service at a point of presentation (the service availability, recovery time etc.) and to allow the service provider to determine for itself how it would wish to satisfy those requirements. This is supported by agreed arrangements for how the service will be measured and monitored, how shortfalls will be notified and responded to, how disputes between the two parties will be handled, and how changes to the contract called for by either party for any reason will be managed.

In this situation, the description of the security requirements should, ideally, follow suit. The user organization should specify in full its security requirements for the service, and allow the service provider to determine how to satisfy these requirements. However, great care must be taken when agreeing how the service is to be measured and monitored, and when ensuring that the notification and response arrangements are adequate. This is not only because significant information assets may be at risk but also because it is extremely difficult to measure from the outside whether or not the security requirements have been met. How does the user organization measure whether adequate protection exists against, say, the disclosure of network addresses without doing its own penetration testing to see? Given the difficulty of direct measurement of the security performance of the contracted-in network services, indirect means such as the terms of the SLA and the nature of the relationship between the user organization and the service provider need to be used.

The specific security measures and responsibilities which the service provider is to carry should be specified when quotations are obtained for providing the service. Subsequently, these should be incorporated into the full SLA between the two parties. The SLA should also cover issues relating to the management of the relationship between the user organization and the service provider. The subjects the SLA should address are:

- Confidentiality, integrity and availability.
- The management and control of the network.
- The management and control of network security.
- The management of security incidents.
- Responses to alarms and emergencies.
- The control of staff.
- Reporting lines and divisions of responsibilities.
- The management and review of the contract.

Each of these will now be discussed in this article.

Pre-contract

Ideally the user organization should have a defined network security policy prior to commencing negotiations to outsource its network facilities. Associated with this policy there may be a number of security standards and a set of baseline network security controls which the organization applies when it does its own network management. Contracting out may require changes to the user organization's Security Policy, strategy or architecture. For example, it might lead to a shift away from network security facilities towards host and application-level security facilities. Ideally, these changes would be considered and authorized before proceeding with the outsourcing, but this is rarely if ever achieved. It is not unusual for the security requirements for the services being outsourced to be defined after the framework for the outsourcing has been agreed.

The Security Policy, Standards etc. will provide the network security input to a draft of the Service Level Agreement which can be discussed with the prospective service providers. It is important that the service provider takes the network security requirements into consideration when preparing its proposal. During the discussions, the user organization should assure itself explicitly that the prospective service provider is capable of meeting its contracted obligations: that is, that it has a satisfactory understanding of and commitment to security, that it has appropriate facilities in place to provide the necessary level and scope of controls, and that it has the management practices and procedures required. It might well be appropriate for the user organization to audit the short-listed service providers to check that they have the management and control infrastructure in place to make it easy for them to take on board the security requirements of the users.

Confidentiality, integrity and availability

Under the subject of confidentiality the SLA should address the requirements for:

- Confidentiality of data transmitted over the network.
- Confidentiality of addresses and other information about the user population.
- Protection of data stored on network-connected devices.

Where high levels of confidentiality are required, there may be a need for encryption. The SLA should make clear whether the provision and operation of encryption facilities will be the responsibility of the service provider or of the user organization. Where the responsibility is assigned to the service provider, the SLA should address approval of the encryption products by the user organization as well as standards and arrangements for their operation and key management.

It is not usual for the service provider to make any special provisions for data integrity. The SLA may define a guaranteed error rate, but any special provisions for data integrity would normally be left as a responsibility of the user organization.

Network availability is normally a key feature of any SLA concerned with the provision of network services. Indeed, this will normally be seen as the key issue in the SLA and not within the field of information security.

The management and control of the network

The transfer of management and control of the network out of the hands of the user organization is, of course, one of the key areas of concern when considering outsourcing. To deal with this, the SLA should address the following issues:

- Assurances to be provided by the contractor that:
  - its staff are reliable and properly trained,
  - adequate controls will be defined and implemented to prevent the network being mismanaged or misused,
  - adequate monitoring of the network management and administration functions will be enforced to detect mismanagement or misuse,
  - adequate recovery plans and procedures will exist and be detailed.
- The network management system should be reviewed and approved to ensure that it has been designed to be fail-safe, that is, that the contractor's staff cannot, through simple incompetence, feasibly mismanage the network to the point that the user organization suffers a business-critical loss of service.
- Adequate response times should be guaranteed to service changes required by the user organization where those changes are driven by network security concerns or requirements.
- Acceptable levels and timeliness of reporting on network service statistics and changes are to be provided.

The management and control of network security

Just as concerns arise over the transfer of management and control of the network to the service provider, so parallel concerns arise about the transfer of management and control of network security. To deal with these concerns, the SLA should require that the

service provider submit its proposed security scheme to the user organization for review and periodic audit so that the latter can assure itself that:

- Network Security Policy, Standards, Baseline Controls etc. are correctly interpreted and will be properly and fully complied with.
- The contractor's staff cannot under any circumstances obtain access to any highly classified business information or cause it to be disclosed to others.
- Sensitive security information held within the network will be properly and sufficiently protected from disclosure or unauthorized modification.
- The contractor's staff cannot conceal from or misrepresent to the user organization logging, monitoring or audit information.
- Adequate response times can be provided and guaranteed to security changes required by the user organization.
- Adequate coverage, levels and timeliness of reporting on network security statistics and changes will be provided.

The management of security incidents

It is likely that the service provider will have no way of telling when application-level security incidents occur (for example, MAC failures or server access failures). For those network security incidents that the service provider should be able to detect (attacks on firewalls, dial-in access violations, CUH violations), specific security requirements should be included within the SLA to address the following concerns:

- That an adequate level of logging and monitoring will be maintained.
- That security incidents will be detected and appropriate actions initiated within prescribed timescales of events being logged.
- That speedy notification of any incidents will be provided to a nominated contact person in the user organization.
- That adequate support can and will be provided by the service provider to the conduct of any investigations, especially where it is the contractor's staff being implicated by the investigation.

Responses to alarms and emergencies

Each of the security requirements included within the agreement to address the Security Incident concerns given above should be repeated for alarms and emergencies, but should require from the service supplier more immediate notification to the user organization and a greater level of support and response.
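The two sections above require incidents to be detected, and the customer's nominated contact notified, within prescribed timescales, with tighter limits for alarms and emergencies, but leave the measurement to the parties. The Python below is an added example, not code from the article or from Zergo, of how the user organization could check the provider's periodic incident report against such timescales itself rather than accept the provider's own summary. The record format, the two severity classes and the figures in SLA_LIMITS are assumptions chosen for illustration (the article gives no numbers), and the four records in SAMPLE_LOG are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed SLA timescales per severity class. The article requires "prescribed
# timescales" but gives no figures; these are illustrative placeholders. Alarms
# and emergencies get tighter limits than ordinary incidents, as the article asks.
SLA_LIMITS = {
    "incident":  {"detect": timedelta(hours=4),    "notify": timedelta(hours=8)},
    "emergency": {"detect": timedelta(minutes=15), "notify": timedelta(minutes=30)},
}


@dataclass
class Incident:
    ident: str
    severity: str
    logged_at: datetime               # event first appears in the provider's logs
    detected_at: Optional[datetime]   # provider recognises it as an incident
    notified_at: Optional[datetime]   # customer's nominated contact is informed


def parse_line(line: str) -> Incident:
    """Parse one record: id|severity|logged|detected|notified ('-' = not yet)."""
    ident, severity, logged, detected, notified = line.strip().split("|")
    if severity not in SLA_LIMITS:
        raise ValueError(f"{ident}: unknown severity class {severity!r}")

    def to_dt(field: str) -> Optional[datetime]:
        return None if field == "-" else datetime.fromisoformat(field)

    return Incident(ident, severity, to_dt(logged), to_dt(detected), to_dt(notified))


def evaluate(inc: Incident, now: datetime) -> List[str]:
    """Return the SLA breaches for one incident as seen at time `now`."""
    limits = SLA_LIMITS[inc.severity]
    breaches: List[str] = []

    detect_deadline = inc.logged_at + limits["detect"]
    if inc.detected_at is None:
        if now > detect_deadline:
            breaches.append("detection overdue")
    elif inc.detected_at > detect_deadline:
        breaches.append("late detection")

    # The notification clock runs from detection. If nothing has been detected
    # yet, measure from the latest moment at which detection should have happened,
    # so an undetected event cannot escape the notification limit as well.
    notify_deadline = (inc.detected_at or detect_deadline) + limits["notify"]
    if inc.notified_at is None:
        if now > notify_deadline:
            breaches.append("notification overdue")
    elif inc.notified_at > notify_deadline:
        breaches.append("late notification")
    return breaches


def sla_report(log_text: str, now: datetime) -> Dict[str, List[str]]:
    """Evaluate every record in the report; map incident id -> list of breaches."""
    records = (parse_line(line) for line in log_text.splitlines() if line.strip())
    return {inc.ident: evaluate(inc, now) for inc in records}


# Constructed sample report (not real data): id|severity|logged|detected|notified
SAMPLE_LOG = """\
INC-001|incident|2024-03-01T09:00:00|2024-03-01T10:30:00|2024-03-01T12:00:00
INC-002|incident|2024-03-01T09:00:00|2024-03-01T15:00:00|2024-03-01T15:10:00
INC-003|emergency|2024-03-01T09:00:00|2024-03-01T09:10:00|2024-03-01T09:50:00
INC-004|emergency|2024-03-01T09:00:00|-|-
"""
NOW = datetime.fromisoformat("2024-03-02T09:00:00")  # when the report is checked

if __name__ == "__main__":
    for ident, breaches in sla_report(SAMPLE_LOG, NOW).items():
        print(ident, "OK" if not breaches else "; ".join(breaches))
```

Run over the provider's report, the output is the list of breaches to table at the contract review. The design point is that the customer computes the figures from the logged, detected and notified timestamps, and that an event the provider has not yet detected is still held to the notification limit, so silence cannot be read as compliance.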

Control of staff

For all outsourcing situations, the user organization will be vulnerable to the misuse or abuse of the network infrastructure by a wide range of operations and support staff over which it will have no direct control. Specific security requirements should be included within the SLA to address the following concerns:

- That there should be a strong management and controls structure to prevent the service provider's authorized staff misusing their privileges. This will require the ready use of dual control for critical activities, close monitoring of significant activities, and full auditing and accountability controls.
- That all staff should be subject to security terms in their contracts of employment. Contracts should state clearly the staff member's responsibilities and liabilities, require signed non-disclosure and cooperation agreements, describe the methods for monitoring staff, and spell out escalation, discipline and dismissal procedures.
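The first bullet above asks for dual control over critical activities and full auditing, and the earlier list under "The management and control of network security" asks that the contractor's staff cannot conceal or misrepresent logging and audit information. As an added example, not code from the article or from Zergo, the following Python enforces a two-person rule for a set of critical actions and writes every request, refusal and approval to a hash-chained audit log whose integrity the customer can verify for itself. The action names, the operator names and the chain format are assumptions made for the illustration.

```python
import hashlib
import json
from typing import Dict, List, Tuple

GENESIS = "0" * 64  # "previous hash" of the first entry in an empty chain


class DualControlError(Exception):
    """A critical action was attempted without a valid, distinct second person."""


class AuditLog:
    """Append-only log where each entry commits to the hash of its predecessor.

    The provider writes it; the customer keeps the latest hash (or a full copy),
    so a later alteration, deletion or insertion of an entry is detectable.
    """

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    @staticmethod
    def _digest(prev: str, record: Dict) -> str:
        body = json.dumps(record, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev + body).encode("utf-8")).hexdigest()

    def append(self, record: Dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"prev": prev, "record": record, "hash": self._digest(prev, record)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> Tuple[bool, int]:
        """(True, n) if all n entries chain correctly, else (False, index of first bad one)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or self._digest(prev, entry["record"]) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, len(self.entries)


class ChangeControl:
    """Two-person rule for the actions the SLA classes as critical."""

    # Assumed set of critical actions; the article names none.
    CRITICAL = {"modify-firewall-rule", "change-routing", "disable-logging"}

    def __init__(self, authorised: List[str], log: AuditLog) -> None:
        self.authorised = set(authorised)   # provider staff cleared for critical work
        self.log = log
        self.pending: Dict[str, Dict] = {}  # request id -> record awaiting a second person

    def _check(self, person: str) -> None:
        if person not in self.authorised:
            raise DualControlError(f"{person} is not authorised for this work")

    def request(self, req_id: str, actor: str, action: str, target: str) -> str:
        """Execute a routine action at once; queue a critical one for approval."""
        self._check(actor)
        rec = {"id": req_id, "actor": actor, "action": action, "target": target}
        if action not in self.CRITICAL:
            self.log.append({**rec, "event": "executed"})
            return "executed"
        self.pending[req_id] = rec
        self.log.append({**rec, "event": "requested"})
        return "pending"

    def approve(self, req_id: str, approver: str) -> str:
        """A second person releases a pending critical action; self-approval is refused."""
        rec = self.pending.get(req_id)
        if rec is None:
            raise DualControlError(f"no pending request {req_id}")
        self._check(approver)
        if approver == rec["actor"]:
            # A refused self-approval is itself a significant event: log it before raising.
            self.log.append({**rec, "event": "self-approval refused", "approver": approver})
            raise DualControlError("approver must differ from the requester")
        del self.pending[req_id]
        self.log.append({**rec, "event": "approved and executed", "approver": approver})
        return "executed"


def demo() -> Tuple[List[str], bool]:
    """Constructed scenario: returns (audit event names, whether the chain verifies)."""
    log = AuditLog()
    cc = ChangeControl(["alice", "bob"], log)
    cc.request("R1", "alice", "show-interface-counters", "core-sw-1")  # routine
    cc.request("R2", "alice", "modify-firewall-rule", "fw-edge-1")     # critical, pending
    try:
        cc.approve("R2", "alice")                                      # same person: refused
    except DualControlError:
        pass
    cc.approve("R2", "bob")                                            # distinct person: executed
    return [e["record"]["event"] for e in log.entries], log.verify()[0]


if __name__ == "__main__":
    print(demo())
```

The customer need only retain the latest hash from each reporting period: any later alteration, removal or insertion of an entry breaks the chain from that point, and verify() reports the index of the first bad entry. This makes tampering detectable after the fact; it does not stop a fully privileged operator from simply not logging an action, which is why the article pairs auditing with dual control and close monitoring rather than relying on any one of them.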

Reporting lines and divisions of responsibilities

As mentioned at the start of this article, in the absence of direct control over the service provider's security response, the user organization has to rely to a larger extent on the powers available to it under the outsourcing contract and on having a close and satisfactory working relationship with the service provider, sufficient to give it confidence that security issues will be properly addressed. The relationship between the user organization and the service provider must be clear, open and controllable. Specific requirements should be included within the contract with respect to the following:

- An unambiguous allocation of responsibilities between the contractor and the user organization.
- A fully defined SLA covering all details of the contractor's responsibilities and, where it is appropriate, approved methods to be used by the contractor.
- Adequate levels of reporting by the contractor to contacts in the user organization.
- Independent verification by the purchaser of the levels of critical elements of the service.
- Adequate means of recovery should the contractor fail in its duties.
- An adequate and sensible level of redress for any losses or damage caused by the contractor.

Managing and reviewing the contract

The relationship between the user and the service provider will need to be reviewed from time to time and may be changed as a result of those reviews. Specific requirements should be included within the contract with respect to the following:

- The scope and purpose of the reviews, and the seniority of those people to be involved from either party.
- The periodicity of the reviews. Reviews will be frequent in the first year of the relationship and will become less frequent in subsequent years. The user organization must be able to bring forward a review if specific concerns need to be addressed urgently.
- The response times by either party to issues raised by the review, and the escalation triggers and processes.
- Agreement on what constitutes default by the contractor and the mechanisms for recovery, redress and contract termination.

If, at any stage in the move towards outsourcing, in the agreement of a contract with a potential service provider, or within the period of an existing contract, serious security concerns should arise, it should be possible for the manager responsible for information security to advise that the contract should not be entered into (or that an existing contract should be terminated) without having to demonstrate adequate cause to the contractor.

Summary of key issues

Outsourcing does not relieve the user organization of its security responsibilities. The user organization remains responsible for ensuring, both before agreeing the contract and during its operation, that:

- the contractor is a suitable service provider;
- the contractor is able and is properly prepared to deliver the service it is contracting to deliver;
- the service provider meets all the requirements of the organization and its users;
- the service delivered meets all the requirements of the organization and its users.

It is essential that:

- Sufficient time is spent and care is given to building a Service Level Agreement and Service Contract that cover all the relevant issues explicitly, unequivocally and unambiguously.
- The organization remains close to the contractor, at least in the first year of the contract or until the capabilities and credentials of the contractor have been well confirmed.
- Mechanisms to obtain the right level and timeliness of recovery and redress are available should the service provider fail to deliver an adequate service.


NEWS - COMMENT

If you have any news items that may be of interest to the readers of Network Security, or wish to comment upon anything that appears in the newsletter, please send it for the attention of the Editor, to: Network Security, Elsevier Advanced Technology, PO Box 150, Kidlington, Oxford, OX5 1AS, UK; fax: +44 1865 843971; E-mail: [email protected]

Erratum

The typesetting gremlins struck in last month's issue and deleted the last two words of the news item entitled "The digital ID case", which appeared on page 4. The two words deleted were "electronic postmark."