Many enterprise customers are increasingly evaluating the benefits of infrastructure outsourcing (ITO) to their businesses. In the past year, several CIOs have expressed concerns around the impact to the security and privacy of digital assets resulting from infrastructure outsourcing. In this post I will discuss the business drivers and security concerns around ITO and propose safeguards that enterprises can consider.

The drivers for infrastructure outsourcing stem from the impact of global delivery and economies of scale driven by standardization.  Additional benefits can be had from consolidating and sharing power-hungry data centers located in regions better suited to service the data centers' unique power needs.

Non-technology companies have been early adopters of the ITO model so as to focus on core businesses rather than technology support. In particular, financial services and government organizations have experimented to various degrees with the ITO model.  I am also observing a trend for companies actively pursuing M&A activities increasingly turning to this model as well. Clearly ITO has multiple benefits to businesses and this market can be expected to see healthy growth in the next few years.

The ITO model does have some challenges when it comes to the risk an enterprise faces from letting a third party have access to its digital assets. The areas of concern include:

• Regulatory compliance
• Intrusion monitoring and prevention
• Incidence response
• Validation of hosted environment
• Adherence to corporate standards and policies
• Liability resulting from an attack

While each organization will need to do compare the benefits and risk of outsourcing, there are some safeguards  that can mitigate the risk. I recommend that organizations examine the following third-party services:

1. Technical Compliance Management (TCM): These solutions aim at defining from an audit perspective the IT controls that need to be maintained for an organization. They can then periodically collect evidence of compliance for each compliance condition. TCM solutions evaluate system states in order to measure the level of adherence to standards and policies .
2. Security Deployment Assessments: These security assessments focus on evaluating the security posture of the infrastructure before any major system goes live. These may include checks against baseline configurations provided by the product vendors (like Microsoft's MBSA)  and IT policies
3. Periodic Vulnerability Scans and Pen-tests: In order to verify that the current state of the system are relatively free of known issues, vulnerability scans and pen tests can be used. This is definitely a recommended step but does not supplant the need for securely designed architecture
4. Managed Security Services: Some organizations have used managed security service providers to provide an additional layer of security to their outsourced infrastructure. These providers offer services including intrusion prevention/detection (IPS/IDS), firewalls etc. This may be difficult to negotiate with your vendor as it makes them dependant on managed security service providers. The trend will be for ITO providers and Managed Security Service providers to form strategic partnerships and offer comprehensive solutions.
5. "In the cloud" services: These services encompass email spam filtering, anti-virus services for desktops. These can be used to bolster any existing ITO providers offerings. Look for partnerships in this space as well.
6. Performance Reviews and Availability Services: Availability is a cornerstone of trustworthy computing and cannot be overlooked in any risk based discussion. Uptime will be a key metric for measuring the quality of service provided. Security services like load balancing, stress testing and active performance monitoring will be crucial to the reliability of the service.
7. Forensic Analysis: In case anything should go wrong, enterprises should invest in forensic analysis services to get to the bottom of an incident. This may also be needed from a liability perspective. It is generally advisable to identify a forensic analyst firm before hand and brief them about operational aspects to minimize on lead time to bring them up to speed during an incident.

Thanks to Roger Grimes and Mark Curphey to help me create a more comprehensive list of solutions.