Firewall Wizards mailing list archives
Re: Outsourcing Firewalls/Internet Security count
From: "Paul D. Robertson" <proberts () clark net>
Date: Fri, 5 Dec 1997 10:09:39 -0500 (EST)
On Thu, 4 Dec 1997, Ted Doty wrote:
> If the government, with its ability to investigate far more places than a company, can't stop classified material from leaking to hostile countries, I'm not sure how it's expected that private companies will ensure anywhere near that level of trust for any significant amount of time and not get burned.
>
> I'm not familiar with any examples of classified information leaking out via electronic means; all the cases I can think of are someone selling secrets (tossing packages over embassy walls and things like that). A firewall really won't help prevent this (or intrusion detection, either).
With outsourcing though, you remove control of that function to a 3rd party, and the aggregate customer base makes the of compromising that 3rd party pretty damn attractive. That changes the threat model, and can do so fairly significantly depending on who the *other* customers of the outsourcing company are. You may, or may not be able to get that information. That's a very different model than (a) Someone targeting you specifically, and (b) Someone paying for the compromise of just you specifically.

The original note was espousing 'very trusted' outsourcing firms, and I'm not sure that you can have a high level of trust when it comes down to your core infrastructure without having an amount of risk such that it could shut down your business if that trust were breached. Without any way for that outsourcing firm to do a thorough job of policing itself, and with no recourse from a loss of trust, things get pretty murky.

Also, consider revoking that trust: if the outsourcer is cost-effective, they'll sooner or later aggregate customer data into one database. Now a subpoena of that data (for a case against an employee, the company itself, another company, or their employee...), a 3rd party audit of their methods, or a breach of them gets your data, probably historically for as long as you were a customer. You no longer have control of the expiration of your data; ask your lawyers what they think of that.

I think it's important to look at how the threat model changes by using different technologies. For instance, authentication via hardware token means a yellow note on the back of the card left in the case with the laptop gets someone in. Change that to biometrics, and the threat goes away from laptops, and over to users' body parts. It's hard enough getting the users to take care of their laptops, now I've got to worry about them keeping their digits? ;)

Guido, the denial of service expert with a $3.97 'as advertised on TV' 'it slices, it dices, it denies them access to their computers' culinary implement is a very different threat model than Guido the laptop snatcher. You may be happy with strong authentication, but it may not be worth a 9-fingered user.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net   which may have no basis whatsoever in fact."
                                                                     PSB#9280