Thursday, November 27, 2003

System Administration and Security

Computer World has a short discussion about managed security services. The article is here and following are my answers to their questions:

Should I select the same service provider to manage both IT services and security services?

No, absolutely not. System administrators who also understand security are rare and (usually) highly paid. Unless your system administrator has been around the block quite a few times (able to stand up servers using three or more OSes), it's usually a safe bet that they will attempt to do EVERYTHING using the same OS. You end up with a monolithic network (this is the "all your eggs in one basket" train).

What process should I follow when implementing a managed security service?

I partly agree with the article. Before you farm out your security services, you should have well-documented policies, procedures, and plans.

How do managed security services affect corporate security risks?

Realize that it is still your organization that is responsible for overall security. You're hiring someone to provide reports on the status of your network. It's still up to you to "push" policy. It'll also be up to you to deal with the politics. If the hired security provider says that someone is doing something that's against policy, it's up to you to either correct the person or change the policy. Please note that ignoring the situation is bad practice (you're paying for security!): it is now a known condition, and if you don't correct it immediately, you can't fire anyone for it at a later date. If it involves anything "shady", you could be sued by other organizations if the situation expands and affects them.

What are the pitfalls of managed security services?

Cost mostly, but depending on what you're buying for service, it can be cheaper than having your own full-time in-house talent.

Also, if you've never had ANY security until now, be prepared for some surprises. The first report that shows up on your desk may tell you a few things about your network that you don't want to hear. Examples could include: a virus infection, Bob in accounting spending most of his working time surfing porn, your secretary running peer-to-peer file trading software at her desk, Fred in purchasing selling corporate assets on eBay, etc. Just try to remember that these are the reasons you hired out for security in the first place. Don't shoot the messenger.

What problems are best addressed by managed security services?

If you can't afford (or retain) full-time in-house talent, managed services are definitely an option. See the article for a much better explanation.