Sarbanes Oxley Compliance Journal | Features | Technology : Outsourcing

To Outsource or Not to Outsource


It’s More Complicated Than That

By Michael Hamelin, Chief Security Architect, Tufin Technologies

Security is a business process and one that the company must maintain control over if it’s to remain secure. However, it’s not as black and white as that as there are significant benefits to tapping into an external resource for certain areas. Firewall management is one security area that can be successfully outsourced to deliver substantial benefits to the organization.

One of the main, and probably most obvious, advantages is the access you gain to highly skilled people at a fraction of the cost of employing them yourself. For example, to provide 24-hour, seven-days-a-week cover you’d need at least 10 people (this assumes four shifts of two people, with an extra two for overlap). You would then need an additional five highly skilled, and very expensive, individuals to make decisions on the risks and determine what’s acceptable. A reputable outsourcer will have 10 or 12 highly skilled individuals supported by a team of 50 or 60 guys, so effectively you’re employing a pool of people.

As we’ve alluded to, this doesn’t mean case closed, as there’s more than just the financial calculation to be made. There are a number of hazards and pitfalls along the way that can prove costly – if not deadly – to the business.

The Road To Enlightenment

To make sure that outsourcing your firewall management is successful – and by that we mean that it will indeed lower your costs while increasing efficiency – you need to:

Use good processes

You can’t outsource a bad process and expect to get a return on your investment. Change and configuration is one area that, all too often, organizations fail to handle well. We can break it down to show you what we mean:

If your firewall change process today goes back to the firewall team three or four times before it gets implemented, it is going to be a source of problems when you outsource it. You do not want the change going back and forth between you and the outsourcer several times. Try to make sure you have a clear separation between what you decide and what you hand over to be implemented.

The benefit of outsourcing is that you’re able to tap into the outsourcer’s change process, which is tried and tested with its other clients, so in theory it flows smoothly, with checks and balances along the lines of a process framework like ITIL.

It’s also beneficial during this phase to separate the process from the business. What we mean by this is that the outsourcer can have the technical process without the business knowledge of what these steps mean:

When you have to make a business decision, do it in house. When you have to decide whether a business unit should be allowed to run an FTP server, for example, decide that with an internal team. Once these business decisions are made, send the request for implementation to the outsourcer. Always ask what part of the decision involves knowing your business; the answer will tell you what part of your workflow stays with you internally.

Remain compliant

Next, you need to cover the risk to your business data. Handing over your firewall management doesn’t mean you hand over, or can forget about, your compliance responsibilities, both internal and legal (PCI, HIPAA, DPA, etc.). As an organization you need, and should want, to have a process that provides assurance that day-to-day changes do not affect your compliance requirements, even if someone else is responsible for making those changes. From the outset, define a clear process to manage firewall changes, including risk assessment and compliance position.

Comprehension

To outsource firewall management successfully there has to be a free flow of clear information back and forth between the two parties. All processes need to be written in a language that is understood by business owners and technical people alike and that leaves no room for interpretation.

Trust but verify

It might seem obvious but you need a way of trusting that what you have asked to be changed has been changed – and nothing else!

When you outsource you not only inherit differences in technical training, which you hope is better, but you also inherit each person’s cultural differences. These can determine how they interpret risk, the justification for a change, and the implementation of a design. What you need to verify is that what you requested was clear enough that it got implemented the way you meant it to be, and didn’t grant access you didn’t expect or anticipate. From the outset you need to design a way to track what changes are being made, including an audit trail that ties every change back to its change request.

Keep things moving

One of the biggest risks of outsourcing your firewall operations is that it slows down your whole business. To maintain efficiency, you need to make this process seamless and include an SLA that dictates how a ticket flows and the speed with which it is to be processed, including how quickly responses need to be made on both sides to get things approved and how soon the change is to be implemented. At the very least it should include a timeframe covering the following stages:

  1. A request is made
  2. The outsourcer informs you what they’re going to do
  3. You approve the change
  4. The change is made

Check their credentials

When outsourcing your firewall configuration you are in effect exposing all of your most confidential security secrets to an outsider, and off-shoring elevates this decision and the subsequent risks. Before shipping your master keys to China or India you need to make sure you can trust them to keep your secrets and data secure and not to install back doors that you don’t know about.

To let you inside my mind, I have a recurring nightmare that a hacker sets themselves up as an outsourcing company and lures organizations into their web of deceit. Imagine the damage they could wreak before you even knew what was happening!

I suggest, at the very least, you complete the following background check:

  • Check their credentials and their reputation
  • Make a site visit, regardless of where they’re based, to satisfy yourself that they’re a legitimate outfit
  • Make sure they’re going to be responsible and that they’re not then outsourcing themselves – it does happen!
  • Check their security arrangements – how staff are vetted, processes for handling information, etc. You’re trusting them with the gateway to your organization, so you need to make sure they’re up to the job
  • Get your experts to question their experts – if they can talk the talk, can they also walk the walk?

Read status

Many outsourcers will demand that you hand over responsibility for making changes, and therefore lose the ability to make them, but you need to ensure you still have ‘read-only’ status. You need to be able to see the device configuration and verify what has actually happened on it to maintain your compliance requirements.

As part of this process it’s advisable to use technology to retain visibility into, and auditability of, your firewalls. Don’t rely on a verification from the outsourcer that the ticket’s been closed.
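As an added illustration (not code from the article or from Tufin) of the check the “Trust but verify” and “Read status” sections call for, the Python below diffs two read-only configuration snapshots, taken before and after the outsourcer’s work, against the approved change request and reports every deviation in either direction, so a closed ticket is never taken on trust. The simplified rule syntax ("<action> <proto> <src> <dst> <port>"), the snapshots and the ticket id are all constructed assumptions, not any vendor’s format.

```python
from dataclasses import dataclass, field

def norm(rule: str) -> str:
    """Canonical form so spacing/case differences are not reported as changes."""
    return " ".join(rule.lower().split())

def parse_rules(config_text: str) -> set:
    """Rule listing -> set of normalized rules; '#' comments and blank lines dropped."""
    lines = (l.split("#", 1)[0].strip() for l in config_text.splitlines())
    return {norm(l) for l in lines if l}

@dataclass
class ChangeRequest:
    ticket: str                                 # id every change must tie back to
    add: set = field(default_factory=set)       # rules the business approved adding
    remove: set = field(default_factory=set)    # rules the business approved removing

def verify_change(before: str, after: str, cr: ChangeRequest) -> dict:
    """Diff read-only snapshots taken before and after the outsourcer's work and
    report every deviation from the ticket, in either direction."""
    old, new = parse_rules(before), parse_rules(after)
    added, removed = new - old, old - new
    want_add, want_rm = {norm(r) for r in cr.add}, {norm(r) for r in cr.remove}
    return {
        "ticket": cr.ticket,
        "unapproved_added": sorted(added - want_add),      # access nobody asked for
        "unapproved_removed": sorted(removed - want_rm),
        "approved_not_added": sorted(want_add - added),    # ticket closed, work not done
        "approved_not_removed": sorted(want_rm - removed),
    }

def change_is_clean(report: dict) -> bool:
    """True only when the device changed exactly as the ticket said, and nothing else."""
    return not any(v for k, v in report.items() if k != "ticket")

# Constructed sample snapshots; CR-1234 is a placeholder ticket id, not a real one.
BEFORE = """
permit tcp 10.1.0.0/16 10.2.0.5 443   # web tier
permit tcp 10.1.0.0/16 10.2.0.9 22    # admin ssh from corp only
deny ip any any
"""
AFTER = """
permit tcp 10.1.0.0/16 10.2.0.5 443
permit tcp 10.1.0.0/16 10.2.0.7 443   # the approved addition
permit tcp any 10.2.0.9 22            # ssh widened to any: not in the ticket
deny ip any any
"""
CR = ChangeRequest(ticket="CR-1234", add={"permit tcp 10.1.0.0/16 10.2.0.7 443"})
```

Running `verify_change(BEFORE, AFTER, CR)` on the sample flags the widened SSH rule as unapproved access and the original corp-only SSH rule as an unapproved removal, even though the approved HTTPS rule was added exactly as requested.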

As we said at the beginning, there’s no yes or no answer. Do your homework and make sure you are clear on what you see as the advantages and risks of outsourcing, especially if your outsourcer is off-shore! Tapping into the expertise is a compelling reason, but not at any cost. By having really strong controls and processes that keep tabs on your outsourcers, your firewall can be a solid defense you can trust.

Michael Hamelin
Chief Security Architect
Tufin Technologies

As Chief Security Architect, Hamelin identifies and champions the security standards and processes for Tufin. Bringing more than 16 years of security domain expertise to Tufin, Hamelin has deep hands-on technical knowledge in security architecture, penetration testing, intrusion detection, and anomaly detection of rogue traffic. He has authored numerous courses in information security and worked as a consultant, security analyst, forensics lead, and security practice manager. He is also a featured security speaker around the world, widely regarded as a leading technical thinker in information security.

Hamelin previously held technical leadership positions at VeriSign, Cox Communications, and Resilience. Prior to joining Tufin he was the Principal Network and Security Architect for ChoicePoint, a LexisNexis Company. Hamelin received Bachelor of Science degrees in Chemistry and Physics from Norwich University, and did his graduate work at Texas A&M University.

© 2019 Simplex Knowledge Company. All Rights Reserved.