AXA Business Services, the Bengaluru-based business process outsourcing company, has decided to develop in-house capabilities for its internal vulnerability management program. The company is a 100% subsidiary of the AXA Group, which operates in 56 countries and offers insurance as well as banking services.
Earlier, AXA Business Services locations at Bengaluru and Pune were dependent on third-party providers for penetration testing and vulnerability management. However, as part of its IT security strategy, the company decided to reduce its third-party exposure as much as possible. "We need to manage cost pressures, as well as ensure that our protection goals are met. That's why we're getting internal technical staff to develop skills in the area of vulnerability management," explains Satyam Das, the associate vice president of risk management at AXA Business Services Pvt Ltd.
But wasn't the earlier outsourcing of vulnerability management a cost-effective option? "Outsourcing provides cost arbitrage to the organization only when it involves significant scope. Here we are talking about a very small scope compared to the overall IT security program. Besides, we have internal resources that can be trained in this skillset. It also provides an opportunity for our people to develop skills in a new domain," replies Das.
By developing vulnerability management capabilities, AXA Business Services is mainly looking at protecting its internal infrastructure and business-critical servers. "It's well-known that insider threats lead to more exploits than hacks coming from the outside world. Hence in terms of priority, and considering the fact that we don't have significant Internet exposure, we are looking at managing vulnerability within the internal infrastructure," remarks Das. According to Das, vulnerability management helps an organization proactively look at inadequacies in its infrastructure security posture and automate security assessment of the network. It also helps the organization create a security baseline of its internal infrastructure and manage security risks on a prioritized basis in line with asset criticality.
AXA Business Services has decided to deploy an application from QualysGuard for its vulnerability management program. This application will automate the organization's lifecycle of network auditing and vulnerability management across the enterprise. Das says that the application will scan the entire network and find deficiencies in configuration settings and patches. It will alert the systems administrator to issues in the internal environment that can threaten service continuity. AXA Business Services can now completely automate the process of network discovery and mapping, asset prioritization, vulnerability assessment reporting, and remediation tracking according to the business risk policy. The security team will thus have a detailed view of each vulnerability, including the security threat, the consequences of an exploit, and the recommended solution to fix it, along with links to the appropriate patches.
AXA Business Services started the vulnerability management project in December 2009, and is planning to go live on April 1, 2010. "The internal security staff is being trained on the product along with our global colleagues. The staff had to undergo initial training of three days in vulnerability management, and will have on-the-job training for two months," says Das.
Apart from employees' schedules getting stretched a bit, Das does not see any major challenges to the vulnerability management project. Das feels that self-sufficiency is the key advantage of this project. "We can address issues at a much shorter notice than if we involve third parties." Along the way, this vulnerability management project has also helped the company offer lateral growth to its employees.