Who Watches the Watchers when You Outsource?

Written by

A January 2015 study by PAC found that 79% of companies outsource all or part of their cybersecurity operations. While outsourcing can take away some of the pressures, responsibility for maintaining IT security can never be fully outsourced. It’s important to consider qui custodiet ipsos custodes, or ‘who watches the watchers?’ Should a data loss occur, the breached company holds the ultimate responsibility, whether their security infrastructure is managed in-house or externally.

Responsibility for Security

Many security standards are being updated with outsourcing trends in mind. For example, the Payment Card Industry Data Security Standard (PCI-DSS) v3.1 includes guidance on responsibilities for security and outsourcers. The retailer has to validate that their outsourcers are compliant. Ultimately, any retailer involved in selling a product to their customers has to be responsible for the whole chain of their suppliers as well. They must watch the watchers.

While this seems like a straightforward concept, retailers often use many third parties and outsourcers at various levels of their business. For example, individual stores often outsource support of their point-of-sale (POS) systems to external vendors, who may neglect security best practices in order to deliver services at a lower cost.

One common issue is that vendors use low-cost, unsecured remote access tools to update and troubleshoot POS systems remotely. According to the 2015 Verizon PCI Compliance Report, “Remote access vulnerabilities continue to be a primary cause of data breaches, especially for brick-and-mortar merchants.”

De-risking suppliers that have access to sensitive areas of the IT network is therefore essential when it comes to remaining compliant with PCI-DSS and other regulations. Making sure that all these companies meet minimum levels of security standards is a big task, but it’s essential.

Some of the most high profile attacks on retailers in the past eighteen months – US retailer Target for example – have occurred through a mix of hacking methods that started with compromising a third party.

Even if these external suppliers are not connecting directly to payment systems, holes in the network can be exploited to access the payment system infrastructure. In fact, according to Trustwave, 63% of 450 data breaches studied were linked to a third-party component of IT system administration, meaning an external party had introduced security deficiencies easily exploited by hackers.

"Making sure that all these companies meet minimum levels of security standards is a big task, but it’s essential"

Applying the Theory

Mitigating risk through proper access control is essential. This is especially true for vendors with access to a company’s privileged accounts. Employees with privileged access can include IT administrators and line of business team members through to external vendors, particularly when IT functions are outsourced. Members of the service department or outsourcing provider often have admin rights and access to numerous IT systems, making them an attractive target for hackers looking for the ‘keys to the kingdom’.

Managing the audit process for vendor access is therefore key. If the audit logs are saved locally on an outsourced technician’s machine, the company does not have full control over those records. Capturing the audit logs in a secure, centralised location can ensure audit logs are not deleted or tampered with. Privileged access demands more information over what was done to the system, as well as how and why. This is in addition to common employee access, where the data tends to be limited to when and who.

This meets two needs. For the outsourcer, it gives them a tamper-proof record of what they actually did. For the CISO, it demonstrates that policies around access were followed. For both sides, this ensures that all updates are made in a secure way. This is essential for maintaining control and trust around privileged access.

Improving Security without Stifling Productivity

While security and compliance are top priorities, it’s essential that technologies and processes don’t reduce the productivity of the various stakeholders and suppliers involved. If security professionals make access too limiting or cumbersome, users will find workarounds that could potentially introduce new security gaps.

When a company doesn’t have full visibility or control over system access, their knee-jerk reaction can be to remove or restrict access rights across the board. With a more comprehensive view of access requirements, CISOs can implement processes that not only secure that access but also potentially improve it. When users are given secure tools that make their lives easier, they are less likely to revert to insecure methods or workarounds.

Looking ahead, IT will only continue to get more complex and companies will require the services of third parties to help them achieve their objectives. However, managing the privileges around access for third parties is essential if companies are going to outsource their IT operations effectively. CISOs will have to watch the watchers, retaining control even as the operations are moved outside the business.


Stuart Facey is VP of international at Bomgar Corporation — a company that specializes in providing remote support solutions for easily and securely supporting remote computers and mobile devices

What’s hot on Infosecurity Magazine?