IT Security – Who Watches the Watchmen?

When clients raise the question of the security of an outsourced service, it’s frequently a proxy for the feeling that they can trust/have control over their own people, but don’t really trust the service provider’s personnel. This type of concern showed up in a recent survey of CFOs conducted on behalf of SunGard Availability Services, more than half (56%) of those polled said they are concerned about the idea of outsourcing the management of their IT infrastructure due to the perceived security risks. According to the survey, the responding executives’ fears are exacerbated by high profile media stories about third party IT outages or data losses – with 45% of the respondents confessing that such cases make them more inclined to keep their data in-house, despite the cost implications.

When these concerns come up in an outsourcing deal, it’s helpful to consider the current risk profile of the company and whether the company’s systems and data are actually more secure in their current environment with their current staff, or if it’s just the perception of loss of control that is making the executives feel that way.

There are, of course, risks associated with allowing your data and applications to sit somewhere else and be operated on by someone else, and some of these risks become more pronounced when you are operating in a cloud-based environment with little assurance about the physical location of your data. However, these risks can be managed both contractually and procedurally and have to be evaluated in the overall context of the business.

In many cases, the outsourced model may offer better, more secure, services because (a) the service provider has significant financial incentives to provide appropriate security policies and procedures – i.e., if the service provider’s security fails they may be on the hook contractually for significant damages and the bad publicity could significantly impair their business or relationships with current customers; and (b) the service providers are able to recruit, train and retain dedicated security resources.

A few recent surveys help make the point that keeping your data in house might not be as secure as you think:

First, a new survey from Cyber-Ark Software found that 28 percent of IT managers in North America have used their privileged access to snoop around their corporate network for confidential information, and 44 percent of those in the EMEA region have done so, as well. Roughly 1/5th of respondents in North America and nearly 1/3rd in EMEA reported that co-workers have used administrative privileges to reach confidential or sensitive information. Although nearly two thirds (64 percent) said their use of privileged accounts is currently being monitored, 40 percent of the respondents who said they were subject to that kind of monitoring (and 47% of respondents who are C-level personnel) said they could get around controls that monitor privileged access. Almost one fifth (18%) admitted that they had cases of insider sabotage or IT security fraud at their workplace.

Second, a survey of 1,250 IT decision makers at large enterprises (nearly 3/4 of which have more than 1,000 employees) by Courion Corp. found that one third (33%) of respondents do not believe their organizations have an accurate assessment of the level of IT risk they face from internal and external threats. Nearly a quarter of the companies (23%) indicated that they do not have a formal IT risk management program in place – something required by in the US by numerous laws and regulations including the Red Flag Rules and the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth. Some notable results in this survey include:

• 39% of respondents identified instances of inappropriate access by privileged users within their organizations;
• Nearly half (48%) of all responding companies reported discovering excessive user rights within their systems: and
• over half (56%) admitted to cases in which access was still active for a user’s prior role.

Security experts recommend that users’ access be reviewed and certified by their managers and/or resource owners at least annually, but often more frequently (and for some industries this is required by the relevant regulatory authorities). However, the survey results show that only 59% of responding organizations require business managers to certify access while just over half (52%) require certification by resource owners. More than 40% responded that the certification is done irregularly, at best.

A third survey from last October, also done by Courion Corp., revealed:

• Nearly half (48.1%) of respondents said they are not confident that a compliance audit of their cloud-based applications would show that all user access is appropriate. An additional 15.7% admitted they are aware that potential access violations exist, but they don’t know how to find them.
• 61.2% of respondents said they have limited or no knowledge of which systems or applications employees have access to.
• Nearly two thirds (64.3%) said they are not completely confident that they can prevent terminated employees from accessing one or more IT systems.

While ceding control of your environment and your data to a third party may seem like a scary prospect, particularly given the media attention on high-profile data breaches, it may be that the service provider has a better handle on the security of information entrusted to them than you might think (or than you might actually have in your own company).