Shostack + Friends Blog Archive

Security & Outsourcing

[Inland Revenue] learned a lesson after one incident, during the previous EDS contract, when its security department found out about cost-saving plans to shut a data centre and move sensitive information to a shared site only after an internal memo was circulated.

Computing has a good basic article on security issues in outsourcing of IT activity. It doesn’t touch on the security (confidentiality) of outsourced development, or the security (vulnerability) of the delivered code. Recently, I heard about an outsourcer who was well-regarded by their customer, who delivered a security fix in the form of JavaScript-driven client-side verification. This was discovered only because the verifier didn’t work in Firefox. The same sort of issues will come up in outsourced IT security. You won’t know until it bites you; or, if you get lucky, you’ll never know at all. Oversight raises the cost of outsourcing, which weakens the reasons to do it. You want your outsourcer to know more than you about the issue.
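The Firefox anecdote is worth making concrete. A check that runs only in the browser is a usability feature, not a security control: whenever the script does not execute (a browser it was never tested in, scripting disabled, a non-browser client), the raw value reaches the server unchecked. The example below is added here and is not code from the post or from the outsourcer it describes; the field name, the validation rule and the sample values are constructed for illustration. It contrasts the client-only "fix" with the server-side validation a real fix needs.

```javascript
// Added example (not from the original post): a "fix" that lives only in
// client-side JavaScript versus the server-side check that actually holds.
// The field name, the rule and all sample values are constructed.

// Assumed shape of the value for this illustration: 6 to 12 alphanumeric
// characters, no whitespace or punctuation.
const REFERENCE_RE = /^[A-Za-z0-9]{6,12}$/;

// What the outsourcer in the post delivered: a check that runs in the browser
// before submit. It only does anything when the browser actually runs it.
function clientSideCheck(formValue) {
  return REFERENCE_RE.test(formValue);
}

// Simulates a browser where the script ran: bad input never leaves the page.
// Returns the request that would be sent, or null if submission was blocked.
function submitFromBrowserWithScript(formValue) {
  if (!clientSideCheck(formValue)) {
    return null;
  }
  return { reference: formValue };
}

// Simulates a browser where the script did not run (the Firefox case in the
// post, or any client that never executes it): the raw value is sent as-is.
function submitFromBrowserWithoutScript(formValue) {
  return { reference: formValue };
}

// The server-side half a real fix needs: re-validate every request, because
// the server cannot know whether the client-side check ever executed.
function handleRequest(request) {
  const value = request && request.reference;
  if (typeof value !== 'string' || !REFERENCE_RE.test(value)) {
    return { status: 400, body: 'invalid reference' };
  }
  return { status: 200, body: `accepted ${value}` };
}

// Sends the same malformed value down both client paths and reports whether
// each layer caught it. With client-only validation, the second path is open.
function demo(badValue) {
  const withScript = submitFromBrowserWithScript(badValue);
  const withoutScript = submitFromBrowserWithoutScript(badValue);
  return {
    blockedByClient: withScript === null,
    // The no-script client sends the value anyway; only the server check stands.
    rejectedByServer: handleRequest(withoutScript).status === 400,
  };
}

// Stand-alone run: a value with punctuation and spaces fails the rule.
console.log(demo('not a valid ref!'));
// Expected: { blockedByClient: true, rejectedByServer: true }
```

The point a reviewer of such a fix should check is the `handleRequest` half: if the server accepts whatever arrives, the test in `submitFromBrowserWithScript` is decoration, and the first browser that does not run the script proves it.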

A great many operational decisions are security decisions. Knowing what to put into an outsource contract is hard, and I hope that painfully learned lessons get shared quickly.

(Via SecurityFocus Elsewhere.)