In today's highly competitive business environment, many companies are considering outsourcing services as a way to streamline resources. Outsourcing enables IT departments from Fortune 1000 companies to meet or exceed operational needs while controlling costs. Yet when evaluating the benefits of IT outsourcing and utilizing third party support vendors to manage network assets and applications, many companies struggle with the notion that outsourcing might diminish security.
In fact, in a recent survey of enterprise CIOs, security ranked as a top decision factor in whether to outsource IT operations. Further, it was identified that this security risk could potentially outweigh the significant cost and resource benefits of outsourcing.
When reviewing various outsourcing options, CIOs must carefully evaluate the methods that outsourced service providers use to remotely access and manage network assets in their datacenters. To conduct the research, CIOs can ask the following questions:
What, if any, level of security risk am I introducing to my datacenter through the use of remote managed services?
What will the cost be to my organization (i.e. time & internal resources) to manage outsourced remote connectivity?
How will my organization control vendor visibility and access to the datacenter?
Does the solution provide my organization with an audit trail of activities which meets both our internal policies and the existing regulatory compliance standards?
Does the vendor utilize a solution that can meet or exceed contracted Service Level Agreements (SLAs)?
Outsourcing issues are further compounded when an organization plans to distribute its remote access needs across multiple vendors. In this case, an organization would require internal resources with specific disciplines and expertise in each access technology that is used by the various vendors. This is the only way that the organization can provide the appropriate level of day to day maintenance and control.
Costs of Various Transport Solutions
IDC estimates that more than $4 billion is spent annually on the use of dial-up and private lines for remote support services. While these technologies have been an extremely popular option for managed service organizations (MSO) for years, their continued use no longer addresses the efficiency and security needs of most CIOs today. CIOs today require remote support services that have AAA (Authentication, Authorization, and Accountability).
CIOs should be wary of MSOs that utilize dedicated lines (i.e. dialup, leased line, Frame Relay) for remote access to their datacenters. By using dedicated lines, organizations will not achieve the maximum cost savings typically associated with outsourcing because they will still be burdened with managing remote connections on site. Using dial-up, for example, eliminates security, traceability and reporting features. With this model, IT organizations would need to control the lines and determine when MSOs can access their remote assets. Depending on the number of outsourced devices in the network, this could end up requiring a full-time dedicated internal resource to provide a physical line connection (and subsequent removal) to target devices in order to avoid the security risk associated with unattended dial-in access.
In addition to absorbing all personnel and administrative costs, IT organizations might also be responsible for the recurring line charges from local telephone carriers. Further, the lack of a constant connection to target devices makes this a break/fix service rather than a proactive maintenance one, and therefore makes it impossible to meet a company's monitoring needs.
Realizing the limitations of the line approaches, many MSOs have considered VPNs as a transport method between their Operations Center and customer sites.
While VPNs offer remote access between trusted parties (e.g. remote employees accessing a corporate mail server), they do not meet most IT organizations' stringent security requirements for untrusted users (e.g. an MSO with a business arrangement). When connecting from network edge to network edge, VPNs provide adequate protection. However, when corporate security requirements include limiting untrusted MSOs' visibility to only those devices under outsourcing contracts, VPNs fail.
VPNs fail because they require organizations to manage and maintain the MSOs' datacenter visibility and access privileges. This continuous maintenance includes managing and modifying multiple network components, firewall rules and access control lists. Ultimately, this presents significant time and resource costs and security concerns to IT organizations. The costs and concerns are compounded if the VPN solution includes the use of agents on target devices. In this scenario, enterprise IT departments lose the ability to monitor the traffic entering and leaving the equipment, and they also lose local audit trail activity. In addition to these burdens, IT organizations now have to manage the equipment resources on company devices to ensure adequate support for VPN agents.
When used by MSOs for proactive monitoring, VPNs must be kept open at all times. These "nailed-up" VPNs introduce additional security vulnerabilities due to constant open holes in datacenter firewalls and the resources needed to maintain these firewall rules.
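The visibility problem described above can be checked mechanically. As an added example (not part of the original article), this Python audit compares vendor VPN permit rules against the devices actually under contract and flags rules that expose more than the contracted devices or that are nailed-up. The vendor names, addresses and rule format are constructed assumptions, not any product's configuration syntax.

```python
import ipaddress

# Constructed sample data (assumptions, not from the article).
# Devices each vendor is contracted to manage.
CONTRACT_SCOPE = {
    "msoA": {"10.20.1.10", "10.20.1.11"},
    "msoB": {"10.20.2.50"},
}
# Firewall/ACL permit rules for vendor VPN tunnels.
# always_on=True models a "nailed-up" rule with no time window.
ACL_RULES = [
    {"id": 1, "vendor": "msoA", "dst": "10.20.1.10/32", "always_on": False},
    {"id": 2, "vendor": "msoA", "dst": "10.20.1.0/24", "always_on": True},
    {"id": 3, "vendor": "msoB", "dst": "10.20.2.50/32", "always_on": True},
    {"id": 4, "vendor": "msoC", "dst": "10.20.3.0/28", "always_on": False},
]

def audit_rule(rule, scope=CONTRACT_SCOPE):
    """Return a list of findings for one permit rule (empty list = clean)."""
    findings = []
    net = ipaddress.ip_network(rule["dst"], strict=True)
    contracted = {ipaddress.ip_address(a) for a in scope.get(rule["vendor"], ())}
    if not contracted:
        findings.append("vendor has no devices under contract")
    covered = {a for a in contracted if a in net}
    # Every address in the permitted prefix that is not a contracted device
    # is visibility the vendor should not have.
    excess = net.num_addresses - len(covered)
    if excess:
        findings.append(f"exposes {excess} non-contracted address(es)")
    if rule["always_on"]:
        findings.append("nailed-up: no time window on rule")
    return findings

def audit(rules=ACL_RULES, scope=CONTRACT_SCOPE):
    """Map rule id -> findings, for rules that have any."""
    report = {}
    for rule in rules:
        found = audit_rule(rule, scope)
        if found:
            report[rule["id"]] = found
    return report

if __name__ == "__main__":
    for rule_id, findings in audit().items():
        print(f"rule {rule_id}: " + "; ".join(findings))
```

Each new vendor or contract change means revisiting rules like these, which is the recurring maintenance cost the article attributes to the VPN model.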
Homogenous Control
For enterprise IT organizations to fully achieve the cost savings associated with outsourced IT services, they must be able to reduce the labor costs associated with managing all service vendors concurrently, without compromising organization security requirements.
Achieving this requires a universal method of controlling all outsourcing vendors' visibility and accessibility to a company's network. This universal method should include a single, centralized point of administration to reduce the resources typically required by enterprises to manage multiple third party vendors. By standardizing on a single platform that outsource vendors can utilize to win service contracts, control is placed back with the IT department.
A centralized solution allows enterprise datacenters to maintain local control of their assets with all outsourcing vendors. Further, enterprise datacenters can now grant permission to outsourcing vendors to access specific network devices in their datacenters that need maintenance or repair on an as needed basis.
A centralized solution also establishes dynamic policies as to where, who, and when outsourcing technicians can perform remote management to specified devices. It provides enterprise datacenters with the ability to immediately terminate any remote management sessions that may be seen as a potential security violation.
It is important that the remote access solution support both the enterprise datacenter requirements and MSO requirements. MSOs need the ability to:
Summary
If outsourcing simply shifts internal resources from managing the corporate network directly to managing the outsourcing vendors' visibility and access to the network while introducing security concerns, then outsourcing becomes a very undesirable solution.
However, companies that pick solutions that require minimum management of third parties can experience outsourcing agreements that provide effective and cost-efficient outsourced services that meet or exceed SLAs and regulatory compliance standards.
When contemplating security concerns of outsourcing, IT organizations must evaluate the impact that various solutions will have on internal resources. Ideally, organizational focus will be on using internal resources for future innovations and initiatives, versus the day-to-day needs of managing datacenters.
Dave Boulos is VP Product Management at ComBrio, Inc. He has 20 years of experience defining and implementing solutions for the service provider market and understands how to deliver products that meet customers' needs and timelines. Prior to joining ComBrio, Dave held responsibility for all product development and marketing at Telco Systems, which included the introduction of multiple market-leading products. Dave was part of the management team at Telco that sold it to BATM for $326 million.