Security Basics mailing list archives

RE: Outsourcing of User Administration


From: "Jeff Dinger" <jeff.dinger () e4e com>
Date: Wed, 28 Mar 2007 15:19:13 -0400

The article raises good points, but any outsourcing relationship is only
as good as the documented process and procedures included in the Scope
of Work to be outsourced.  If key items are not clearly communicated and
neither side is able to identify and fill in the gaps during
implementation, then the deployed solution will not be secure.  Any
outsourcer of this type (Managed Services) would first need to request
a deep-dive audit of the current security policies in place and clearly
identify in the initial SOW where current processes are not secure.
It's not as simple as many think, which is why outsourcing can fail and
fail badly...as with any job, it's all in the planning and due diligence
beforehand that makes/breaks a successful project.
 
Best Regards,
Jeff Dinger

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Eric Zatko
Sent: Wednesday, March 28, 2007 11:14 AM
To: security-basics () securityfocus com
Cc: christine_pouliot () cargill com
Subject: Re: Outsourcing of User Administration

Christine,

Great question! Bruce Schneier says that "On the one hand, the promises
of outsourced security seem so attractive: the potential to
significantly increase your network's security without hiring half a
dozen people or spending
a fortune is impossible to ignore. On the other hand, there are the
stories of managed security companies going out of business, and bad
experiences with outsourcing other areas of IT. It's no wonder that
paralysis is the most common reaction to the whole thing."

I interpret him to say that outsourcing your user/security management
is a bad idea.

Check it out here:  http://www.counterpane.com/outsourcing.pdf 

Regards,
Eric Zatko

"Whatever has overstepped its due bounds is always in a state of
instability."
 Lucius Annaeus Seneca (4 BC-65) Roman philosopher and playwright.



<christine_pouliot () cargill com> Sunday, March 25, 2007 5:47 PM >>>
I am interested to know who has outsourced the user admin function
including add, change, delete of Active Directory accounts, business
applications and Directory services.  What controls were used to ensure
that the outsourcer did not have availability to intellectual capital?


