Firewall Wizards mailing list archives

Re: Outsourcing Firewalls/Internet Security count


From: "Paul D. Robertson" <proberts () clark net>
Date: Fri, 5 Dec 1997 10:09:39 -0500 (EST)

On Thu, 4 Dec 1997, Ted Doty wrote:

If the government, with its ability to investigate far more places than a 
company, can't stop classified material from leaking to hostile 
countries, I'm not sure how it's expected that private companies will 
ensure anywhere near that level of trust for any significant amount of 
time and not get burned. 

I'm not familiar with any examples of classified information leaking out
via electronic means; all the cases I can think of are someone selling
secrets (tossing packages over embassy walls and things like that).  A
firewall really won't help prevent this (or intrusion detection, either).

With outsourcing though, you remove control of that function to a 3rd party,
and the aggregate customer base makes compromising that 3rd party  
pretty damn attractive.  That changes the threat model, and can do so fairly 
significantly depending on who the *other* customers of the outsourcing 
company are.  You may, or may not be able to get that information.  That's a 
very different model than (a) Someone targeting you specifically, and (b) 
Someone paying for the compromise of just you specifically.  

The original note was espousing 'very trusted' outsourcing firms, and I'm 
not sure that you can have a high level of trust when it comes down to 
your core infrastructure without having an amount of risk such that it 
could shut down your business if that trust were breached.  Without any 
way for that outsourcing firm to do a thorough job of policing itself, 
and with no recourse from a loss of trust, things get pretty murky.  
Also, consider revoking that trust; if the outsourcer is cost-effective, 
they'll sooner or later aggregate customer data into one database.  Now a 
subpoena of that data (for a case against an employee, the company 
itself, another company, or their employee...), a 3rd party audit of their 
methods, or a breach of them gets your data, probably historically for as long 
as you were a customer.  You no longer have control of the expiration of your 
data; ask your lawyers what they think of that.  

I think it's important to look at how the threat model changes by using 
different technologies.  For instance, authentication via hardware token 
means a yellow note on the back of the card left in the case with the laptop 
gets someone in.  Change that to biometrics, and the threat goes away from 
laptops, and over to users' body parts.  It's hard enough getting the 
users to take care of their laptops, now I've got to worry about them 
keeping their digits? ;)  Guido, the denial of service expert with a $3.97 
'as advertised on TV' 'it slices, it dices, it denies them access to 
their computers' culinary implement is a very different threat model 
than Guido the laptop snatcher.  You may be happy with strong 
authentication, but it may not be worth a 9-fingered user.  

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280


