Controlling Outsourcing Risk
This year’s industry feedback about challenges and experiences related to outsourcing, especially offshore, clearly points to an emerging IT market trend – vendor access controls. Therefore it is not coincidental that the need to control, secure and audit the activities of outside users is one of today’s top CSO and CIO focal points. Providing access to mission critical internal infrastructure to a variety of third parties opens companies up to huge risk. These third party groups include hardware/software vendors, managed service providers, consultants/contractors, application developers and back office support for such functions as human resources or finance.
Third party users – company outsiders – are by definition “untrusted,” although they deliver a valuable business function. It is difficult to grant broad access to the most critical data and sensitive systems within the infrastructure. Many organizations attempt to accommodate these outside users with handcrafted solutions that are expensive and hard to manage, or solutions that are designed for established end-users working at an application layer. Unfortunately, in many cases, these solutions overprovision access, giving away the “keys to the kingdom.”
Operational EfficiencyAll newly adopted solutions for increased security must initially deliver high levels of operational efficiency, which is a key reason why many businesses initially adapt to outsourced models to begin with. For outsourced service providers to perform their duties, they require a variety of powerful access methods and a broad array of protocol tools.
Standardized ContainmentAs outsourcing becomes increasingly relied upon, it is critical to standardize a security model that imposes enforceable containment criteria on these outsiders. Compartmentalization can allow companies to grant users with visibility and access to specific, authorized areas of the infrastructure, while scrutinizing and controlling violation attempts such as roaming into forbidden areas. Companies are calling for real-time alerts to these violations. In addition, companies must prevent these powerful external users from abusing their command line tools to leapfrog into unauthorized parts of the security or IT infrastructure.
For performance monitoring and regulatory compliance, there is also a need for an end-to-end account of activity replete with a complete audit trail. Command line tools pose a formidable challenge in this area. Solutions that deliver complete keystroke logging and session recording capabilities, which deliver a picture of activity at the application and command line layer, are critical to delivering a complete picture of user activities.
About the SourceCheryl Traverse is president and CEO at Xceedium Inc., For more information, visit www.xceedium.com.
SIDEBAR: Best PracticesCompanies considering solutions that can assist with the day-to-day management, control and auditing of external security and IT user activities should consider the following needs:
- Centralized Management: IT CSOs and CIOs need a single, easily-integrated, comprehensive management interface with encrypted access, and the safe presentation of access methods and tools that allow for efficient service of the entire remote data center solution. Solutions must also provide companies with the ability to create a single ingress point with standardized entry for all users to the data center and centralized, “on the fly” access to the tools and access methods that enhance operational efficiency.
- Compartmentalization: Companies need to restrict outsourced users to only authorized areas of infrastructure and eliminate visibility into the rest of the security and IT infrastructure to prevent network and data leakage or leapfrogging into unauthorized areas.
- Violations Control: Organizations also need to implement prevention strategies and real-time alerting that will deter users from abusing Telnet, SSH and other powerful access tools, thus preventing outsiders from roaming freely about the infrastructure.
- Visibility: An end-to-end view of all activity across the heterogeneous environments helps evaluate risk, manage untrusted users and generate reports that satisfy audit and compliance requirements. This calls for the ability to easily pull up a “day in the life” of a user, what protocols were used to go to which devices and a summary violations report by source IP, in essence, a complete picture of all users and infrastructure to spot performance or security issues.