
Wasn’t lies, it was just…

January 24, 2011

A friend recently posted about being stonewalled by vendors when asking them how they deal with employee turnover.  The odds are that you have procedures of your own to handle terminations and job changes.  It’s reasonable to hold vendors that run your infrastructure to a similar standard.  Read it for why.

When you outsource infrastructure administration, or when you end up hosting important data under outside control, you definitely want to set up the agreements so they follow your existing security policy.  An honest outsourcing vendor who wants your business is going to agree, with a few exceptions where the two of you negotiate to a middle ground.

If you aren’t getting the right to inspect the systems (or portions thereof) moving, storing, and processing your data, there’s a chance that important security requirements you negotiated for, maybe even that you paid extra for, aren’t being met.  In fact, if you didn’t nail down the right to audit, you probably didn’t get security goals into the SLA to penalize or incentivize the vendor.

I’ve had the pleasure of performing investigations on behalf of clients who entered into agreements with vendors that held all the cards.  Every single time, the vendor “had not been forthright about the security posture they claimed to hold”.  Each one was lying about their security situation, in significant ways that ranged from not patching when they said they patched to sharing infrastructure they claimed wasn’t shared.  It isn’t a large or scientific sample — there were already suspicions that led to my arrival on-scene.  Surprisingly, these weren’t small-time infrastructure outsourcers…these were the big names with the big price tags.

The moral of the story:  If they promise it to you, but won’t let you see it, smell it, or touch it…it probably doesn’t exist.  Honest vendors will be up-front about how they operate, explain the limits of how far they can conform to your policies and expectations, and most of all will want you to be able to check so there’s no ambiguity haunting anyone down the road.

Less-than-honest vendors will prevaricate, hide their operations, and when caught claim that they weren’t actually technically violating the contract, or trot out the old line that “everyone does it this way”.  They’ll pull an Elwood Blues on you.
