
June 21, 2006

If security is control, how can you be secure and not in control?

Byron Sonne over on the nCircle blog has an excellent article up titled "Security is Control". The point of his article is this: how can you trust a 3rd party to scan and keep your vulnerability data? The data is, by its nature, a blueprint of how someone can infiltrate your network and cause a lot of damage. No matter who the company is, putting this data out of your control is a huge leap of faith. I assume he is referring to Qualys, a software-as-a-service vulnerability management company that both Byron's nCircle and our VAM product compete against. At StillSecure we have been making this point forever. Nevertheless, it still amazes me that this is just not an issue to some companies. I don't mean to single out Qualys, either; there are other MSSPs that are now performing this type of service using a variety of vulnerability management tools. It used to resonate much more strongly with customers. However, with the outsourcing trend and the increased acceptance of the SaaS model, companies are more and more inclined to trust having this data out of their control. When you have the credit card companies certifying this model, I think it goes a long way towards legitimizing it. There are still certain verticals that will not accept this. The Federal Government, for example, generally speaking will not consider such an option. Others in the financial industry will not either. We have found that if the corporate culture is already one of outsourcing, this issue is just not a factor. I wonder what type of homework these companies do to see how secure this information is at the 3rd party.

Byron cites another example of this outsourcing mania, specifically in the CRM arena. Certainly all of your customer data is something you would not want falling into the wrong hands either. However, in the way of full disclosure, I have to admit that like nCircle, we are salesforce.com customers as well. I know we supposedly did a lot of due diligence on the security of our data, and our sales management and security people were satisfied commensurate with the risk. So, I guess people in glass houses, . . . . Anyway, the point is that before you put valuable information in a 3rd party's hands, you should at least think about these issues and do your due diligence.


disclaimer

  • The views and opinions expressed here are those of myself only and in no way represent the views or positions or opinions of my employer, Latis Networks, Inc. d/b/a StillSecure or anyone else.
