I’ve fried 2 processors in the past 2 weeks.  That’s not a good track record.  Maybe I overheated them with one too many FPS games, but I think the culprit was a bad motherboard.  Since I was running on some older technology, most of it wouldn’t work in any of the newer hardware (I had a socket 478 Pentium 4 with DDR 1 RAM and ATA-166 drives), I knew I was headed for a “forklift upgrade”.

I got a clearance workstation for $400.  Not bad for something with a dual-core (Pentium-D so it’s one generation behind) CPU, 2 GB  RAM, 2 250 GB SATA drives and an Nvidia graphics card.  I probably couldn’t buy the components for that much.

Right now I’m taking the OS (Debian with some special sources) and putting it on the new drives.  Even if you hate software raid, it does give you a solid amount of portability from one drive technology to another, like I am here with the transition from raid on IDE drives to raid on SATA drives.  The operations dweeb in me likes that flexibility.

The point here is that flexibility ~= availability.  That’s why you have a security architecture.  That’s why things such as load balancers, DNS, and redundant SAN fibre switches make sense.

• My System Environment
• Server Upgrades
• Clearances and Economy of Scale
• It’s Still not Too Late
• Lions, Tigers, and VLANs Oh MY!

Notice I haven’t been posting lately?  Well, I’ve been “experimenting” with some games, checking out how well they work in Linux.  Pretty well, actually. =)

• Full Metal Linux
• FIPS and the Linux Kernel
• Jeff Jones and Flameproof Underwear
• Hardware Woes
• NIST and SCAP; SCAP @ Large Part 2

While I’m still on an outsourcing kick, let me go through what I call the keys to the wonderful kingdom of outsourcing.

In true ISM-Community form, let me give you a “Top 10 Keys to Outsourcing” list.

1. Know Thyself:  Like the Oracle at Delphi, the most important thing you can do before outsourcing is to know where your weaknesses are and to sculpt the contract to your needs.  More on this subject.
2. Bottom Line up Front:  It works for newspaper editors, it can also for you.  Being as explicit with security categorization and must-have requirements as you can without defining the solution will allow the contractor to determine a solid security model and staffing to support the outsourcing effort.  More on this subject.
3. Use Compensating Controls:  You can’t control the vendor’s infrastructure, so use compensating controls where you have to sacrifice control for economy of scale.  More on this subject.
4. Retain Authority to Make Decisions:  This is why the contractor shouldn’t be the system owner.  If you lose the authority to make decisions, you will be “worked over” by the vendor.  More on this subject.
5. Understand the Added Complexity of Outsourcing:  Things sometimes get slower when you outsource them because there is the added layer of abstraction in the contracting officers.  More on this subject.
6. Have Requirements-Driven Roles and Responsibilities:  Start with what your security requirements, roles, and responsibilities and then divide them up between government and contractor.  More on this subject.
7. Tie into the Existing Security Organization:  Create a dotted line on the organization chart between your organization and the contractor’s.  More on this subject.
8. Get a Gap Analysis:  Bring in a third party to assess you for areas that need fixing, both pre-outsourcing and during outsourcing.  More on this subject.
9. Hedge Your Bets:  By having a minimum of one security representative on either side of the contracting fence, you have a parallel path other than through contracting officers.  More on this subject.
10. 2 Is Sometimes better than 1:  If you have IT services outsourced through one contractor, you can have a second contractor provide security support.  It sometimes adds more complexity at reducing conflict-of-interest.  More on this subject.
11. (The Freebie) It’s all About Transparency:  Be wary of vendors and contractors that withhold information.  In a partnership, you share information.  More on this subject.

• You Didn’t Outsource Your Responsibilities
• How Much Security Should the Outsourcer Do?
• Introduction to Outsourcing in the US Government
• What the Government Looks for in a Product
• Compensating Controls

The National Zoo in DC has one of the most phenomenal exhibit that I’ve seen: Amazonia.  It’s a mock-up of life along the Amazon River, from both the riverbottom and ground levels.  The arapaima pictured below is this huge fish that lives in the river.  These things are at least 10 feet long!

• Friday Flyfish Post
• Friday Flyfishing Post
• Friday Flyfishing Post: A Tale of 2 Bass Flies
• Friday Flyfish Picture #2
• Almost Time to Fish the Potomac

Worried about this question?  Well, you’re not the only one.  As more and more IT functions are outsourced, we’ll keep wondering and trying to figure it out through trial and error.
Consider all the responsibilities that a security program in the public sector has:

• Policy and procedures creation and maintenance
• Risk Management
• Security Monitoring
• SSP Support
• Incident Response
• Continuity of Operations
• Project team support
• Audit and Compliance

Just about all of these can be fulfilled by contractors.  The interesting thing is that, most of the time, the government doesn’t know how the outsourced system is built because they are only providing oversight.  They depend on the contractor to tell them what the system looks like.
So what parts of security can we never outsource?  Well, the role of system owner has to be
a government employee because it’s a conflict of interest for the contractor to be the ultimate authority on the scope of their project–they can chose the security posture that is more advantageous to their bottom line instead of the needs of the government.

The  rest of security can be outsourced, either as a stand-alone service or bundled with general IT outsourcing.  The trick is, as I have mentioned earlier this week, that you need to do your homework up front before you decide to outsource.

The best approach is to come to the outsourcing RFP with an understanding of what gaps you have in your security program and getting the outsourcing provider to fill those gaps.

So, since we here at ISM-Community believing in bridging from the theoretical to the practical, and since I’ve just given you the theoretical part of this post, how about I give you a couple samples of working models that I have seen in use out around town?

The first example:

• Large contract
• Outsourcing most IT services
• 25+ inventory systems (systems in agency portfolio with an Exhibit 300)
• Existing security organization

While the government already had a fairly well-staffed security organization, they realized that a large contract would require personnel to augment their existing staff.  The security solution provided by the vendor was to staff at one person on the contract as a counterpart to each section in the government security structure (Risk Managment, C&A, Architecture, Policy and Procedures, Incident Response).  The contractors were matrixed and dotted-lined directly into the agency’s security organization.

Another example:

• Medium-sized contract
• Complex data-management system
• One inventory system
• One security person on government side

The security team for the program management office was small–just one person who served as the ISSO for the system and who worked directly for the program management office.  The security solution from the contractor included 5-10 people who provided an end-to-end security solution with the ISSO’s only role to manage the government-side politics and to be the ultimate authority for security decisions on the contract.

Final example:

• Medium-sized contract
• Outsourcing of large web application
• One inventory system
• Well-established, well-staffed security organization

You might think that the contract really doesn’t need a security person, but I have a belief that both the government and the contractor need at least one security point-of-contact.  So this contract was staffed with one person to manage the inter-contractor politics and to provide support to the existing security organization.

• You Didn’t Outsource Your Responsibilities
• Keys to the Outsourcing Kingdom
• Build a Security Program
• Compensating Controls
• Effective Inventory Management

OK, everybody take a deep breath and have a seat.  I’m going to tell you something that is either so obvious to you that you’ll pass out laughing or is so unethical to you that you are going to have an aneurysm and the cops will come beating down my door asking why you died looking at my blog.

So here it is:

When it comes to outsourcing, you cannot own all of the system, even if it’s in your contract.

Let me say that another way:  although you require the contractor to be compliant with FISMA and NIST standards and guidelines and your information security policy and anything else you feel necessary to bind them to, there will be a part of the contract that you are paying money for as a service that will be out of your Certification and Accreditation boundary and that you will not be able to control.

Calmed down yet?  Let me explain what I mean.

For example, consider the circuits that the telcos run to your facilities.  You don’t want to manage them both from a capabilities standpoint and from a risk management standpoint.  If you go and try to manage “your” circuits, and they break, then you have no recourse with the vendor–you have accepted the risk in their eyes.
Quite a few agencies nowadays use MPLS.  You don’t even need to know what the acronym means.  You just need to know that it’s a virtual private Internet that is owned and operated by the telcos.  You can take all your facilities, give them circuits to the MPLS cloud, and you have all the good redundancy of paths that the Internet provides, but in a more-controlled environment.  Deep down inside, you don’t really care how the cloud gets managed, you care that data that enters one end eventually makes it out the other end.
Now you’re contracting for server collocation with a vendor who provides you rackspace in their data center.  They have 20 different agencies with equipment in the data center.  The vendor maintains a common controls package that you now have to rely on for assurance.

Or you have contracted a vendor for end-user support, ie, on-site IT technicians.  These people need to be able to share trouble-ticket information with both people inside their company and the government agency that they support and to interface the trouble-ticket system with their billing, staffing, and cost systems.  Looking at all the requirements for a trouble-ticket system like this, about the only viable way to do it right is to have it on the vendor’s network and accessible from the government LAN/WAN.

I’ve talked to numerous people on how to manage these shared environments.  One Big 4 auditing firm told me that what I needed to do was to determine which agency had the majority of their data on the shared system.  They then would “own” the system with management of the system being a collaborative effort between all the agencies.

I had to wonder, what kind of crack was this guy smoking?  Seriously, most of the time I can’t get people in the same agency to agree with each other, much less people from different agencies with different missions and different risk cultures.  There is bound to be disagreement over how the system is run, with the end result is that the system will not be provided adequate security because it is bogged down in bureaucracy.

Yes, this is what the Lines of Business initiative will provide once it’s working, but even then, you have the same considerations.  Who really owns the various components of the system?

The thing to remember is that the vendors use shared systems because they work–this is the model that commercial providers use whether they tell you or not.  They also provide a significant cost savings to the government through economy of scale.  Inside our NOC, if we have 5 clients, wouldn’t it be nice (not to mention cheaper) to watch one screen instead of 5?  Let’s see, $14000 times 4 equals a nice chunk of currency that I just saved and can carry through to the client.  Beyond 5, and my business doesn’t scale–I can’t have 20 screens to watch, and I can’t afford to hire enough people to watch them all.  This goes the same for data centers, trouble ticket queues, security incident and event monitoring infrastructure, network monitoring systems–the list goes on and on.

I have basic architectural principles I use everyday at work as a managed services provider.  One of the most key principles is segregation of impact: that one client cannot be allowed to affect the service that I provide to another client.  I don’t let all 20 of them make decisions that affect you, and in exchange, I don’t let you affect them.  It’s really how people have coexisted with each other for bazillions of years, only now we’re talking IT security, which gets everybody’s heart pumping.

Part of this principle of segregation of impact means that I have some parts of my service offerings that I can’t give to the government from a boundary perspective.  Because if I do that, then I will have clients managing each other’s space.  It’s not only wrong from a service provider’s standpoint, but somewhere in there, I’ve double-charged the government for services.

The second principle that I use is that of transparency.  I tell you how I do it.  I manage the shared systems just like they are a government system, only I own them.  Our security policy executive statement states that we will meet or exceed government security requirements, keeping in mind that we are not a government agency, so some of the requirements don’t apply to us (reporting to OMB and the government style of CPIC in particular).  However, I do security planning, risk management, contingency planning, all the key points that the government does.

On the government side, what they get is a fairly simple risk management decision:  do we do it ourselfves with whatever costs it entails, do we keep the cost savings of the shared systems and give up some control, or do we want to pay more for something that we now “own”?  That really is the best of both worlds, because the government can determine which option they want based on cost/benefit/risk comparisons.

By providing transparency, I make that decision much easier.

The third principle is transference.  By providing a shared service attached to a service-level agreement (this works very well for the telco examples), the government has effectively transfered the risk to me as a vendor.  The problem is that SLAs for a very complicated outsourcing engagement are harder to define due to the complexity of the solution.  The other caveat is that the government still bears ultimate responsibility when things go wrong, so you still have a certain amount of residual risk.

Notice what I didn’t explicitly say here, but I did describe it in detail… we use compensating controls to manage the risk of the shared infrastructure from the perspective of the government.  That’s the only viable way to manage the risk of outsourcing.

The lastest revision of Special Publication 800-53 talks about this in section 2.4.  Sadly, though, most people don’t read that part.  They usually get to the catalog of controls and start making a checklist out of it.  However, if you are doing any kind of outsourcing in the US government, you need to read and re-read that section.

• Lines of Business, Relationships, and Trustability
• How Much Security Should the Outsourcer Do?
• Always Behind
• Effective Inventory Management
• Feds to Embrace SaaS, End is Nigh for Security!