Outsourcing demands more open approach to security, says Jericho

Delegates at last week's IT security show discussed liability, how to protect systems in an outsourced environment, and warnings...

The growth of outsourcing will drive demand for a more open approach to IT security, a panel of chief security officers told last week's Infosecurity conference in London.

The panel, representing IT security user group the Jericho Forum, comprised heads of security from investment bank Dresdner Kleinwort Wasserstein, pharmaceutical firm Eli Lilly, Qantas Airways, Royal Mail, Rolls-Royce and Standard Chartered Bank.

It said current IT security strategies did not fit well with outsourced services. The panel warned that IT security risk was increasing as businesses moved large chunks of their operations to outsourcing suppliers connected via the internet rather than a private network.

Andrew Yeomans, vice-president, global information security, at Dresdner Kleinwort Wasserstein said business drivers were moving organisations towards opening up their systems.

"We are seeing [IT] helpdesks being outsourced to other countries, and these helpdesks can access our PCs," he said. Such a set-up needs to allow the outsourcing supplier easy access to the company's desktop and server hardware, while retaining tight control over what data is visible.

The group said that deperimeterisation of security, as proposed by the Jericho Forum, could offer a way for businesses to safely open their networks to outsourcing suppliers while keeping the data secure.

The approach relies on data encryption, fine-level access control to secure individual items of data, rather than a whole document, and digital rights management to control how access rights to a document change over time.

John Meakin, global chief of information security at Standard Chartered Bank, said, "One option for business would be a cleansed IP stream." In other words, the ISP would offer virus-free, protected network access.

Adrian Secombe, IT director, global information risk management at Eli Lilly, said US ISP AT&T is running a project called Gemini, which is looking at macro-level deperimeterisation, where the ISP takes up much of the work in securing the network.
