by Steve Taylor and Joanie Wexler

Should you outsource network security?

Sep 02, 2003 | 2 mins

* The WAN security conundrum

This summer’s emergence of new managed network security services from global service providers AT&T and Equant makes you wonder: Does outsourcing some or all components of network security to a network operator improve your chances of thwarting a serious breach? Or could you actually put your organization at greater risk?

On the one hand, it seems that turning over access to another entity such as a large, global carrier would significantly increase the number of people with access to a given enterprise’s security infrastructure. Probability-wise, it follows that exposing your network security processes to more individuals would increase the chances that something untoward could happen.

However, we’ve come to realize that this assessment could be an oversimplification, depending on how the service provider runs its operations and on the size and focus of your own IT staff.

“For example, if you have a small IT staff with one employee who can devote just 10% of his attention to security, you will likely be much better off turning security over to a staff of experts,” says Gary Kessler, associate professor of computer networking and digital forensics technology at Champlain College in Burlington, Vt.

And Peter Glock, head of Equant’s security product line, draws a distinction between “outsourcing security” – which implies relinquishing key decisions about security policy – and using a “managed network security service,” which is more about running equipment such as firewalls and intrusion sensors.

States Glock: “I’d agree that no one should outsource security, per se. Rather, we take on the operations and management of boxes.”

The key to whether you are safer outsourcing is to first judge the availability and security skills of your own staff. If you need help, then find out how a potential provider separates duties and manages access privileges, how you can audit your service provider’s activities and how you can make changes to your security policies.

Kessler advises finding out the following:

* What is the response time to events like the Sobig virus and how is the response handled?

* Who is liable for what? For example, will the carrier share in any liability resulting from a breach that happened on its watch? Also, do you have any liability in potentially affecting the carrier’s network?