Stop service providers becoming data security Achilles heel
Published in ComputerWeekly
The UK government’s recently announced cyber security threat information sharing partnership serves to underline the level of cyber risk organisations are facing.
For those responsible for public and private sector IT services, it is of further concern that the 2013 Trustwave Global Security Report states that over 60% of cyber attacks occur through external IT service providers.
Minimising this risk is a challenge facing many organisations.
Launching the Cyber Security Information Sharing Partnership (CISP), Francis Maude, the Cabinet Office minister responsible for the national cyber security strategy, said the CISP delivers a key component of the strategy in facilitating information sharing on cyber threats.
He said this approach is vital in the face of the increasing volume and sophistication of cyber attacks against both government and corporate computer systems.
Different businesses face different kinds of threat, with financial services seeing large numbers of attempted frauds and other industries vulnerable to the theft of intellectual property or customer data.
The one thing on which all agree is that the number of cyber attacks is growing. According to the 2013 Trustwave Global Security Report, nearly every industry, country and type of data was involved in a data breach of some kind last year.
With an ever-increasing volume of electronic data flooding the world, the potential for malware, memory scraping, hacking and other exploitation exists at myriad touch points.
The Trustwave report indicates that most attacks involve personal ID and payment card data, and highlights the fact that some 63% of these cases occur via outsourcers. Such is the public concern over this trend that the heads of government of the UK and India (David Cameron and India's prime minister) have been compelled to sign a cyber security agreement to reassure UK citizens about the protection of their data held by India-based outsourcers and cloud service providers.
The IT service provider
It is perhaps understandable that service providers are not typically as vigilant about data security as their corporate customers, for whom a data breach can mean vast revenue and reputational damage. Whatever the reason, the Trustwave report identifies the provider's security posture as a priority when selecting a service provider.
But what do you look for and how can you tell whether or not your current or intended outsourcer has adequate provision for data security?
To gain a leading industry opinion, ImprovIT recently spoke with the Information Security Forum (ISF) about the high rate of cyber risk happening through outsourcers. Many of its views tallied with our own experience and comments made by our clients – which are both enterprises and outsourcers.
Because of the interconnectedness of organisations and their service providers, any IT operation is only as strong as its weakest link: even if the corporate firewall is iron-clad, the exposure runs end to end. Added to which, providers typically hold privileged, wide-ranging access to corporate systems and data, so a compromise of the provider is even more harmful than a compromise of a single internal system.
This interconnectedness means that whoever is to blame, the actual risks are the same whether one is using a provider or running the datacentre internally. The difference, of course, is the relative importance and impact of the risks.
To ensure a high level of security, an organisation might prefer to run everything in-house. However, it may not have the budget, the technology or the skills needed to provide high-level risk management, in which case a service provider offers better protection. Or it may go for a hybrid solution, keeping the datacentre in-house while outsourcing application and other support.
De-risking the supplier
In opting to work with a service provider – either traditional or cloud-based – what should an organisation be looking for to safeguard against data leaks brought about by carelessness (potentially causing system failure) or criminality? In consultation with the Information Security Forum (ISF), ImprovIT offers the following guidelines:
- The starting point is to look for a strong track record, backed up by measurement, benchmarking and quantified reporting.
- Then examine relevant and up-to-date certifications and personal qualifications of staff and their rate of turnover.
- Approach to service management is also important. Does the provider adhere to industry-standard processes and procedures, such as ITSM/ITIL? And what are its stated integrated information security processes?
- The quality of incident management, response and reporting is also key, along with business continuity and disaster recovery processes. Look for evidence that these are rehearsed and updated regularly. In the event of a data breach, what are the exit and termination processes, and what has been the impact of previous incidents?
- Beyond these, geographical location, jurisdiction of contracts and service level agreement (SLA) costs are further considerations.
Is it in the SLAs?
What kind of SLA should be in place to build in appropriate levels of security? The contract needs to lay out the customer’s data security requirements and the supplier’s commitments in a clear and detailed way – with regular reporting, audit and performance benchmarking schedules built in.
If the provider proposes substantial additional charges specifically for security measures, it is worth pointing out that risk management should be a standard deliverable: after all, the fallout from a security breach affects the supplier's business as well as its customers'.
Finally, don’t just leave it to the outsourcer. Given the interconnectedness of the IT process, both parties need to work together to identify, assess and manage any risk during the contract lifecycle.
Security in the cloud
Increasingly, organisations are looking to new cloud service providers to manage their IT operations.
This presents additional challenges in, for example, determining data location, backup and log-on procedures. These should be identified during procurement, and suitable contract terms and conditions included. Where the cloud provider cannot meet these requirements, then either that cloud service should not be chosen, or the risk accepted and workarounds or other measures adopted to reduce or manage it.
There are, of course, different types of cloud services. A large public cloud may present more security risks than a private cloud that has invested more heavily in firewall features and/or runs customer applications on dedicated servers.
A popular choice is to seek a hybrid solution – a combination of different cloud-based systems that typically communicate with each other. For example, an organisation might use software as a service (SaaS) on a public cloud to deliver a web application to consumers, and platform as a service (PaaS) on a private cloud to deliver the back-end database that the web application interfaces with. These should be considered as two cloud-based systems, each with different inherent risks, and a separate risk assessment should be performed for each.
Whatever its vulnerabilities, IT outsourcing in the UK is more popular than ever, and cloud services are expanding exponentially. But when it comes to information security, the Trustwave report highlights one imperative – it is not enough to leave it to the provider and hope for the best. Organisations must take equal responsibility by ensuring best practice procedures are in place and selecting the service options that best suit business requirements.