Whether to take advantage of a third-party vendor or to develop public key infrastructure (PKI) within your own organization is a tough question that doesn’t seem to have a clear-cut answer.  Each approach has its own pros and cons, which I’ll try to outline here, and a lot of factors could go into the decision.

Some of the advantages of sourcing a public key infrastructure through a third-party vendor include:

  • Guarantees and service level agreements on the uptime and availability of the infrastructure they provide to your organization.
  • Pricing is often volume-based, so larger organizations can get better rates than organizations with smaller user populations.
  • Most companies providing this kind of service have thorough disaster recovery and business continuity plans, which help to ensure that what you’re paying for stays available and remains as secure as possible.
  • These vendors can also supply streamlined key management services (issuance, renewal, revocation) that help minimize the overhead of implementing and sustaining the program.

Drawbacks of using a third-party vendor to implement PKI include:

  • You’d have to trust an outside agency with a part of your business that, if compromised, could be very costly to your company.  Whoever operates the CA controls the root of trust for every certificate it issues.
  • You’ll
  • You’d most likely have to pay per-user fees.

Research seems to indicate that implementing a solution in-house can be far more costly up front than taking advantage of a third-party solution.  That said, in the long run it may be less expensive, because once it is built the only ongoing costs are maintenance and sustainment.  Also keep in mind that if your company experiences heavy growth in personnel, the cost of an in-house PKI does not scale with headcount the way per-user vendor fees do.  By implementing a PKI program yourself, you also keep control of how the program is implemented and don’t necessarily have to trust anyone outside your company with something so integral to the overall security posture of your information and resources.

There have been a lot of studies on this particular question, and they do not all agree on a suggested implementation plan.  The questions that need to be seriously considered before making a decision include:

  • Do we have the capital to invest in an in-house solution at this point in time?
  • Can we support the implementation of PKI, and do we have the in-house expertise to stand something like this up and run it?
  • Are there vendors that can provide this service to us at a reasonable and affordable cost?
  • Do we expect the size of our employee population to increase or decrease significantly in the foreseeable future?

Of all the good client/vendor relationships I’ve seen, there seems to be one fundamental trait they have had in common: the client knowing exactly what it wants in the short and long term.  But how often do we run into clients that know EXACTLY what they want?  Most of the time, especially in the information security field, clients understand that they must be compliant, but they don’t necessarily understand how to get there.

So many times I’ve seen the vendor/client relationship fail because both sides were not on the same page at the onset of the partnership.  Almost universally, this has been the result of the client not having a clear and concise picture of what its business requirements are or what the ultimate goals of the partnership entail.

In some regards, one might expect the vendor to be flexible enough to adapt to whatever the client wants; in the world of contracting, however, this is not always the case.  It is sometimes extremely difficult to find contract language that gives clients and vendors the flexibility to adapt to changing requirements.  Having a heart-to-heart meeting of the minds during the contracting stage of the partnership helps to ensure that both sides understand the intentions and expectations of the other.

If a client knows exactly what it wants, negotiating the deal can typically be executed rather seamlessly.  However, if the client is unsure of what is needed or desired, or if it lacks long-term foresight, the vendor should have a clear understanding of this fact up front, and a social contract (Google it) of some sort should be established.

Working through and establishing sound requirements based on the business needs of the client ultimately leads to success for the vendor, and consequently for the client as well.  Overall, the fundamental principle behind that success is being open and honest up front so that both parties understand the intentions and ultimate goals of the agreement.

Vendors will continue to offer services and solutions to facilitate the day-to-day operations of businesses and organizations that rely on information technology.  It is important, however, that these vendors and the clients that seek their services understand the fundamental requirements of the agreement they are entering into.  It is crucial to the success of the relationship and to the outcome of the contract that both the client and the vendor are on the same page from the beginning.  If a client is unclear about exactly what it wants and chooses to rely on the vendor to tell it what it needs, that needs to be understood via a social contract.  Social contracts go a long way in securing client/vendor relations; they help to ensure that both sides understand exactly what is being agreed to and provide sound footing for the successful execution of the partnership.

Security professionals work in an ever-changing environment where a primary goal is always to be one step ahead of those who might seek to harm the assets and resources under their protection.  It is an uphill battle that never ceases, and it fundamentally requires planning as well as a multitude of resources, both human and technical.

At the technical level, security professionals deploy and manage automated systems that, through heuristics, known signatures, and specific rules, help to protect infrastructure components.  Much of this technology is expensive to acquire and maintain; however, many executive managers have come to the realization that, in today’s technology-driven environment, investment in security technologies is part of the cost of doing business.

Accompanying the implementation of automated security solutions comes the requirement (and subsequent cost) of supporting those systems on a daily basis.  This means staff to perform duties like firewall management, audit log review, public key infrastructure management and sustainment, and so on.  These people are responsible for ensuring that the technological solutions protecting the company’s assets remain up to date and as fully functional as possible.  They must have a complete understanding of the infrastructure they are protecting, and they must stay on top of the ever-changing arena of information security.

Beyond the staff needed to support automated security investments are the people working to mitigate vulnerabilities and risks that cannot be addressed through technical means.  Unfortunately, it is tougher to sell executive management on this sort of security investment, because typical mitigation practices on this front include the development of policy and standard operating procedures, training, certification and accreditation, and the like.  Part of the reason for this tougher buy-in is the inability to truly assess the return on investment.  With technical solutions, it is easy to see how many viruses were quarantined, how many intruders were stopped at the firewall, or how many packets were dropped by the host-based intrusion prevention system.  Those sorts of details are quantifiable and can be presented to management in ways they can easily comprehend.

How does one talk about the effectiveness of a policy or of certification and accreditation?  Quantifiable results that justify the investment in these sorts of strategies are attainable, but they accrue much more slowly than those of a technical nature.  The fact that they are not easily quantifiable, or even that they may constrain some areas of operation, does not mean they should be neglected or dismissed altogether.

Forward planning through standard operating procedures, policy implementation, awareness, and training are all fundamental components of any information assurance or security program.  Enterprises have to be capable of protecting their assets when technical measures fail.  Management has to realize that threats no longer come predominantly from outside the environment; many originate within it.  They have to understand that there are very few technical mechanisms that mitigate the human element of the security equation.

Implementing policy and standard operating procedures not only demonstrates due diligence, it also embraces a proactive operational mentality that will inevitably help an organization pull through tough times.  Every security practitioner knows that no enterprise or organization can ever be one hundred percent secure.  Given this, it is only a matter of time before an incident or compromise occurs.  Contingency planning, incident response, and other key areas of information assurance can all be planned for in advance, and all help to preserve the operations of the company in times of desperate need.

Organizations that refuse to invest in planning for future events capable of bringing operations to their knees are at the mercy of the technology they employ.  Choosing to believe that they are not a target, or that their organization is too small to bother with these sorts of policy-based or procedural activities, leaves little room for recovery if and when an incident occurs.

It has been my experience that the primary accomplishment of compliance endeavors is to keep the notion of security and risk management at the forefront of both technology and business management within an organization.  I’ve worked in and around HIPAA, FISMA, and PCI, and they’re all too high-level and nebulous, making them all but pointless.

To pick on one, just as a for-instance:

PCI DSS 2.2 (v1.2) states, “Develop configuration standards for all system components.  Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.”

This is an impractical and not overly useful compliance requirement.  It’s so over-simplified that it’s all but meaningless.  Ensuring that an organization has “a process or architecture” is not the same thing as ensuring that the process or architecture is relevant and effective.  That’s the fundamental problem with FISMA as well:

Do you have an incident response plan or a disaster recovery plan?  Yes.  Well then, you’re solid.  Never mind that your incident response plan consists of running antiquated anti-malware software and calling it a day, or that your disaster recovery plan is comprised of user guides and installation manuals from six versions back.

Compliance efforts are good, though, even though much of the work is really just spinning wheels to appease some overarching governing body.  Whether it’s the Feds for FISMA or Visa and the other card brands for PCI, it’s easy to meet the letter of the law of compliance and still have an insufficient and flagrantly deficient security program and posture.  Again, to me, the biggest benefit of compliance mandates is that they keep information security and privacy practices on everybody’s mind.  And if companies take it seriously and don’t merely treat compliance efforts as a paper drill (as many, or most, do), compliance efforts really can provide benefit.

One last thought.

IMO, the focus of securing information HAS to be on the users and information handlers.  So much is made of configuration and policy and procedure, all of which is necessary and valuable.  However, you’re only as good as your weakest link.  Steve Riley of MS (http://blogs.technet.com/steriley/) made a good point when he wrote, “I don’t know where to direct my ire—at the spammers who litter the Internet with their spew or at the people who still get duped by it.  Spam would wither away if everyone just ignored it.”

The point is that if people wised up and understood the risks, threats, and attack vectors, compliance would come naturally, and the organization’s security posture would be greatly enhanced.  Until companies understand the value of compliance efforts, take them seriously, and stop just “going through the motions,” resources are better spent focusing more on users and less on compliance.