Welcome to Volume 4, Issue 5 of The Internet Security Conference newsletter, Insight. Insight provides commentaries and educational columns, authored by some of the best minds in the security community.
TISC is about sharing clue. So is this newsletter. We promise to provide something useful each issue. If we don't, flame me. If you like the issue, let us know!
Enjoy, and be safe,
Dave
David Piscitello and
Lisa Phifer, Core Competence
With a heightened awareness of just how quickly organizations can be crippled by a terrorist attack or natural disaster, many CIOs are reconsidering outsourcing at least some of their network and information operations and administration. A previous issue of Insight recommended a list of questions CIOs ought to consider when they evaluate managed or application service providers. Todayís questions are more sensitive to the needs of business continuity and disaster recovery than the more technology- and skill-oriented original list, and are a complement to, rather than a substitute for, the initial list.
MSPs should be willing to reveal critical aspects of their contingency and continuity plans. You should quickly dismiss protests and claims that such information is strategic and proprietary by offering to sign a (mutual) NDA. The MSP must appreciate that Ý you are trying to decide whether to place your critical assets and Internet ìpersistenceî under the administration of the MSP. If you canít establish trust, thereís little point in engaging the MSP. If you choose to trust the MSP without insisting they reveal this information, have the MSP provide evidence that it has been independently audited, and ask that they share the results of the audit with you. While independent auditing has lost some luster in the accounting world, third party evaluation of operating policy and practice is still a legitimate means of verifying a companyís ability to perform.
If the MSP hasnít had its contigency and continuity plans audited, leave the meeting room at once and find another MSP that has.
An MSP is likely to be responsible for some aspects of your overall data preservation. Whether backup only covers security and network configuration data or mission critical databases depends on how much of your business you expect the MSP to operate and protect. Ask the MSP to describe its data preservation methodology.
Archival. Ý What accommodations has the MSP made to archive and restore data following disaster, to assure uninterrupted or timely resumption of business? What is the frequency of archival? What facilities a does the MSP have to restore data to usable form? Too often, organizations and individuals back up data but fail to archive applications and working configurations. Is the MSP a victim of such oversight? Moreover, if there is no system on which to restore the data or applications to correctly access that data, it doesnít really matter that the MSP has a CD, tape, or disk with bits that last 10 years. What is the mean time to restore data after an incident? Does the MSP offer data mirroring? If so, how is mirroring provided?
When you choose to host application servers at an MSPís location, the MSP is responsible for provisioning and operating part of your private network topology. Have the MSP describe how it expects to provide uninterruptible network service. Among the items to discuss, you should consider:
Path diversity. A full disclosure of an MSPís path diversity plan entails a detailed analysis of every component (access circuit and switching element), from your premises and wiring closet, through a local loop, to central and trunking offices inside a telecommunications carrier network. Ý And of course the same rigor must apply from the carrierís network to your MSP. Path diversity is a big-ticket item, but if your business requires it, be certain your critical communications paths are completely diverse across all these elements. You may also want to inquire whether the MSP has provisions to adopt interim technology such as free space optical or fixed wireless, should your local loop be inaccessible for indeterminate period.
Redundancy. Ask what provisions the MSP has made for equipment and network infrastructure replacement, should one of its sites be rendered incapable of supporting operations. What is the state of standby for equipment and power? What practices are in place to maintain accuracy in configuration, software currency (security patches and hot fixes), and data accuracy on standby systems? Anytime you introduce redundancy, you create a huge number of problems, um, challenges. Differences in network addressing, routing, ACLs, firewall and application server filters are the first that come to mind. If your MSP has a redundancy plan, evaluate whether they have considered and resolved all of the factors required to turn that plan into an operating network. Ask the MSP if they routinely test their redundant connections on a regular basis ñ not just from site to site, but from end to end?
Provider Dependency Chain. What carriers or service providers does the MSP rely upon for services it does not provide? What are the business continuity and disaster recovery plans of these providers? Do these match what the MSP promises?
You may engage an MSP to manage security and connectivity at sites you select. For example, you may have the MSP operate security, Internet access, web switching, caching, content networking, and load balancing equipment at your premises, in front of your server farms. Path diversity, redundancy, and provider dependency chains often apply equally to managed services performed on premises.
One of the reasons CIOs engage MSPs is to acquire presumably greater expertise in security, storage, and Internet operations than they are able to hire and maintain internally. CIOs should always assess an MSPs staffing and appraise the skill sets and experience the MSP brings to the table. But 911 illustrated in the harshest of ways how important staffing contingency planning is to maintaining business continuity in the face of a disaster. An MSP ought to be able to explain where they expect to acquire interim and replacement staff should they experience loss of staff in a disaster. While any recruiting plan an MSP might have may become entirely moot depending upon the exact nature of the disaster, learn what steps the MSP routinely takes to avoid over-dependence on individual staff members. Is there only one person with the keys to the kingdom in his or her head? Does the MSP have succession plan such that every employee has at least one other employee ready and able to do his/her job in a pinch?
CIOs must consider the financial condition and insurability of MSPs they engage. Insist on suitably audited financial statements and insurance policies, to determine if the MSP can stay in business following a major disaster. If the MSPís business is disrupted and it cannot resume operations, can you seek financial relief for resources you may have had the MSP host?
You may want to seek certain contingencies to protect your operations should the MSP experience financial difficulties. For example, if you rely on software the MSP develops, be certain you can continue to use the software should the MSP enter bankruptcy proceedings or simply close shop. Seek an arrangement whereby you are contractually permitted to use software you license from the company in such circumstances. In some casesófor example, if you are the single biggest subscriberóyou may want to seek vesting of intellectual property rights to the source. Should the MSP go belly up, you will then have the source to do with as you wish. (This only helps if you also have staff or an applications developer that knows or can quickly learn and make use of the source code.)
Events like 911 are tragic and sobering. Fewer organizations are willing to live in denial that such an incident will never happen again, or to them. Those in areas prone to natural disasters are all too aware of the increasing cost and decreasing coverage provided by federal emergency management funds and complementary insurance policies. In a recession year, outsourcing to an MSP may be more attractive to more organizations. Before entrusting your business to any MSP, it is clearly important to carefully review that MSPís daily operations. As 911 demonstrated, reviewing the MSPís contingency plan is just as essential.
© 2002 - 2006 Core Competence & Mactivity, Inc.