This article can also be found in the Premium Editorial Download "Information Security magazine: Weight lifter: Appliances that lighten your security load."
Download it now to read this article plus other related content.
If your business deals with British conglomerate Imperial Chemical Industries' data, you'll have to submit to regular third-party scans of your networks and be prepared to promptly fix any exploitable flaws.
And don't try to pull one over on Paul Simmonds, ICI's global information security director.
"We have a very simple rule: If you have a new vulnerability that crops up, you see it at the same time as I do, and you take care of it," Simmonds explains.
"If the same vulnerability shows on the next week's scan, then I want to come and get you."
And he does. He's killed contracts with vendors who fail to fix major vulnerabilities that put at risk the maker of paints, food additives, fragrances and personal hygiene products. Question the accuracy of the probes, and Simmonds will sic his staff on you, offering bonuses to programmers who breach your network and deface your Web site or capture data to prove a point.
Such assurances, sometimes referred to as security warranties or service-level agreements (SLAs), are on the rise as enterprises realize growing risks in a legally complex and increasingly regulated, interconnected global economy. But their emergence also raises questions about the legality and enforceability of contracts that are still largely written ad hoc. And while the industry grapples to find a common language and best practices, the ICIs of the world are blazing new trails by penalizing business partners who fail to adequately maintain
"They're probably at the front of that curve," says Jonathan Gossels, founder and president of IT consultancy SystemsExperts, of ICI's initiative. "There aren't a lot of people doing weekly scans of their ASPs."
But, a growing number of companies are demanding that software development and service provider agreements include security provisions, and that's changing the competitive landscape, particularly when it comes to outsourcing.
"Unless you're able, in this climate, to put these [security] practices in place from the ground up, you're not going to be successful," says David Bixler, an information security officer for Mason, Ohio-based Siemens Business Services, which provides hosted IT services to such giants as Intel, MetLife and Kemper Insurance.
"Selling a hosted Exchange service or Web hosting or any other service provider type of business now means you can't just sell the service," he says. "You have to sell the security around it if you want any serious companies to work with you."
But to what degree should service and software providers, especially smaller startups, be secure? How is this measured, and how can a business partner ensure its requirements are met?
Defining "secure" is a major hurdle when negotiating security contracts, says Ounce Labs CEO Jack Danahy.
"One of the challenges in the SLA space is creating a defined language through which one can enforce the security measures being placed on the outsourcer," says Danahy, whose company roots out source code vulnerabilities. "There exists a real need within our market for an acceptance of responsibility from those who demand security and those who provide services. There needs to be a baseline."
Security should be a key provision of every contract for outsourced software development or hosted services, experts say. For outsourced code development, companies should have the right to review code, and the parties should agree that any bugs be corrected prior to delivery of the final product. The contracting company should be allowed to terminate a business agreement if the outsourcer--for either a code development or hosted service--fails to meet its security obligations, including assuming risks when using subcontractors.
For service providers, SLAs should include expectations for uptime and availability requirements, security response and alerting processes, qualifications of security personnel and patch remediation time. The SLA should specify penalties for failing to meet these requirements.
Such terms may seem severe, especially when working with small companies or young development teams that lack large budgets, but that's the new cost of doing business, says Forrester Research analyst Michael Rasmussen.
"Organizations face an increasing amount of liability and regulations, like HIPAA, Gramm-Leach-Bliley, SB 1386," Rasmussen says. "Even in the case of Sarbanes-Oxley, you've got disclosure requirements. They all have pretty harsh penalties, and your liabilities don't stop when you outsource. They only grow."
Leading the Way
Not surprisingly, the movement toward refined SLAs comes largely from the heavily regulated financial services industry.
"Leading financial institutions marinate in a culture of regulatory compliance and protection of their reputation and security in general," explains SecurityExperts' Gossels, whose company reviews ASPs' risk level annually for major financial firms. "You go to these small ASPs, and many of them have no clue. They're just little startup companies begun by a software developer with a good idea for a particular application, but have no concept of how to build a secure application."
SystemsExperts' reviews include on-site examinations of ASPs' policies and system configurations, operations and code-to-production process. Once the company is sure an ASP can assume the risk, the provider must deploy one of a half dozen risk models to keep a client's data secure, ranging from installing an AAA solution and VPNs to more elaborate safeguards, such as IDS or IPS.
Similarly, Siemens' Bixler performs his own periodic penetration tests to ensure his ASP is as bulletproof as possible.
"I have probably the most scanned environment on the planet internally," he boasts. "I have a team that works for me that does nothing but vulnerability assessment and remediation."
Without such diligence, Bixler knows he'll lose business; maybe even his job.
With only 1,000 of his subsidiary's 4,700 employees working in the office, Bixler must somehow ensure remote employees meet strict security standards. "We do not tolerate noncompliance," he says. "If you don't correct an issue--such as you haven't installed a mandatory patch--we'll shut off your accounts."
Bixler can afford such treatment because of his company's vast resources. Yet he competes with startups and believes they can easily be held to the same security standards.
"The good news, I think, is that it's not rocket science. It's really a matter of putting the right processes in place. Patch management is not hard. It can be time-consuming, but to just apply a patch is not difficult. It's the process that's a challenge."
The most contentious aspect of security SLAs may be the right to audit, which frequently means the right to scan another company's networks for vulnerabilities and then demand they be fixed. The company buying a service often pays for the scans, which are shared with the ASP or development firm.
"The liability with scanning is interesting," says Gossels. "Most organizations that do it simply say, 'We'll incur no liability. If you want us to scan, we'll scan but make no guarantees on how your systems will behave when scanned.'"
The audits, though not always initially appreciated, can help cash-strapped startups or provide a second opinion for those already conducting security diagnoses.
Experts say thorough reviews should be conducted at least annually and anytime there's a system change, such as an upgrade. Be sure to hire a good penetration tester, too.
ICI's Simmonds says he's quite happy using Qualys, a vulnerability assessment service, to scan his business partners' networks. And he's earned more than a little leverage from those weekly reports on all external Web-facing connections.
"Now I can provide information to my supervisors showing them the state of ICI security to the outside world," he says. "We're making a real difference, and I'm able to justify my existence at the end of the day."
That doesn't mean ICI is completely secure, he quickly adds. But the SLAs help ensure he's dealing with people who at least immediately patch their systems.
Notes Forrester's Rasmussen: "Organizations that are averse to facing these privacy and security audits and reviews are going to have to change their perspective or not survive."
This article orginally appeared in Information Security magazine.
This was first published in December 2005