Security Basics mailing list archives
RE: Outsourcing of User Administration
From: "Jeff Dinger" <jeff.dinger () e4e com>
Date: Wed, 28 Mar 2007 15:19:13 -0400
The article raises good points, but any outsourcing relationship is only as good as the documented process and procedures included in the Scope of Work to be outsourced. If key items are not clearly communicated and neither side is able to identify and fill in the gaps during implementation, then the deployed solution will not be secure. Any outsourcer of this type (Managed Services) would first need to request a deep dive audit of the current security policies in place and clearly identify in the initial SOW where current processes are not secure. It's not as simple as many think, which is why outsourcing can fail and fail badly... as with any job, it's all in the planning and due diligence beforehand that makes/breaks a successful project.

Best Regards,
Jeff Dinger

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Eric Zatko
Sent: Wednesday, March 28, 2007 11:14 AM
To: security-basics () securityfocus com
Cc: christine_pouliot () cargill com
Subject: Re: Outsourcing of User Administration

Christine,

Great question! Bruce Schneier says that "On the one hand, the promises of outsourced security seem so attractive: the potential to significantly increase your network's security without hiring half a dozen people or spending a fortune is impossible to ignore. On the other hand, there are the stories of managed security companies going out of business, and bad experiences with outsourcing other areas of IT. It's no wonder that paralysis is the most common reaction to the whole thing." I interpret him to say that outsourcing your user/security management is a bad idea. Check it out here: http://www.counterpane.com/outsourcing.pdf

Regards,
Eric Zatko

"Whatever has overstepped its due bounds is always in a state of instability."
Lucius Annaeus Seneca (4 BC-65) Roman philosopher and playwright.

<christine_pouliot () cargill com> Sunday, March 25, 2007 5:47 PM >>>
I am interested to know who has outsourced the user admin function including add, change, delete of Active Directory accounts, business applications and Directory services. What controls were used to ensure that the outsourcer did not have availability to intellectual capital?