Re: Outsourcing Firewalls/Internet Security count

["Joseph S. D. Yao" <jsdy () cospo osis gov>]

> That is true Joe...but could you explain the root difference between acting 
> as a consultant to a government agency, performing essentially the same 
> monitoring tasks, designing safe systems etc...AND doing the same as an 
> independant or employee of an outsource company...perhaps running a 
> monitoring center etc..   There is none.  Oh yes the govvie setup provides 
> the equipment and building, perhaps some physical security, and a 
> perception that they are under control, but unless the intended stuff is 
> classified, and they are not using the REAL Internet as the backbone, what 
> is the difference?....   You will run into good people, and bad in both 
> cases.

Undeniably true.  The difference, of course, is that when you and I are
doing it in-house for the govvies, they can look over our shoulders and
ask what we are doing (and some of them understand it), they know who
they are dealing with on an individual level, and there is personal
accountability.  With a company doing it, they don't know the
individuals involved, just the company.  They can't look over the
shoulders of the people doing the work.  [This can be an advantage for
the people doing the work!]  There isn't personal accountability to the
end customer, only to the out-source company.

The question is really, does the company or govt. agency that needs a
firewall also need that level of oversight?

One point of view is that the out-sourced company is just a utility,
and the contract with the utility should provide enough incentive to
provide proper protection (or discourage slackness).  I think I can see
this point of view for the average company that just wants Internet
connectivity without too much interference, doesn't have much to
"hide", and can't afford to put a lot of internal effort into it.

The opposite PoV, of course, points out that firewalling is still a
young field [contrary to what Marcus is feeling], and that the company
or agency wanting the firewall knows than the average street-educated
techie, and that there are more serious privacy issues involved.  In
THAT case, of course - if there really are more "local" clues and there
really IS something to be kept private - then there is a good argument
for a local firewall rather than an out-sourced one.

It seems that there may be room for both - just as there is room for a
general switched telephone system [and even multiple vendors!], and for
privately held and used communications systems.

--
Joe Yao                         jsdy () cospo osis gov - Joseph S. D. Yao
COSPO Computer Support                                          EMT-A/B
-----------------------------------------------------------------------
        PLEASE ... send or Cc: all "COSPO Computer Support" mail to
                        sys-adm () cospo osis gov
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.