Firewall Wizards mailing list archives

RE: Managed Firewall Service - Opinions


From: Dave Piscitello <dave () corecom com>
Date: Mon, 21 Apr 2003 13:24:56 -0400

At 11:02 AM 4/21/2003 -0400, PMelson () analysts com wrote:
Excellent point. This example, which is probably fairly common, illustrates how
risk management can never be 100% outsourced and requires a good deal of trust
between the customer and the MSSP.

Agreed.

Unfortunately for MSSP B, to refuse their
customers' requests, regardless of reason, is likely business suicide.  On the
other hand, if the customer has decided to outsource security services from a
company and then ignores their recommendations, then I have to question the
customer's commitment to security in the first place.


My experience has been that small organizations (under $25M) are
too ill-informed about security to have the commitment you might consider appropriate.
From outward appearances, it seems that security awareness and the willingness
to take the extra measure aren't growing as fast as the population of organizations
that are willing to remain ill-informed.


Of course, what's the
alternative?  If the 3rd-party product vendor has no security commitment, then
instead of allowing Telnet, do they hang a $60 modem off a serial port
somewhere?  Is that any better?

Well, we could begin a thread on SSH (I recommended this, and it turns out
that Company B did indeed adopt this about a year later).

Ideally, these issues are addressed in the planning and selection phases of the
project and the 3rd-party vendor agrees to abide by the customer's security
requirements before anything is ever installed or paid for.

There's a huge vacuum between the "Ideal" and "I deal" worlds...

David M. Piscitello
Core Competence, Inc. &
3 Myrtle Bank Lane
Hilton Head, SC 29926
dave () corecom com
843.689.5595
www.corecom.com



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

