Should you outsource the administration of the Information System?

Outsourcing the administration of your Information System
As mentioned in some of my earlier articles ([01], [02]), IT security is not an option: it must be a strategic focus for any organization. In my opinion, IT security is both essential and fundamental in order to, among other things, protect the information assets of an organization.
Here, let’s focus only on outsourcing the administration of a network or part of a network. Due to a lack of human or financial resources, the executive committee of an organization may decide to entrust the administration of its Information System, or of dedicated applications, to an external service provider (the outsourcer).
Outsourcing is a fast way to improve performance, reduce costs or increase flexibility, but it must not be implemented without a minimum level of security and guarantees. Outsourcing administration does not absolve the client organization of its responsibility: accountability for the security of the information system stays with the organization that outsources it.
The following questions should be asked when outsourcing the administration of the Information System (non-exhaustive list):

  • Has the scope of actions entrusted to my external service provider been properly defined?
  • What is valuable for my organization?
  • What are the risks involved?
  • To what extent do I control these risks?
  • What are the feared threats?
  • What are the “security measures” taken by my service provider?
  • Are my service provider’s actions subject to limits (and should they be)?
  • To what extent can I control, monitor, and manage my service provider?
  • How should I manage (and protect) login credentials and authenticators?
  • How do I avoid losing control of my IS?
  • Is my service provider familiar with IT security?

When it comes to risk management, the loop “know yourself – assess yourself – secure yourself – reassure yourself” must always be at the center of reflection and action. To answer some of the previous questions, article [03] presents the Security Assurance Plan as an important step to implement within a client/outsourcer relationship.
In articles [04] and [05], I presented the Systancia Cleanroom solution, which addresses the remote administration issue and therefore the need for controlled, managed, monitored and supervised outsourcing services.
The principle of the Systancia Cleanroom solution is to provide a privileged user with virtualized environments (controlled, managed and re-initialized at each connection) in which to perform resource administration tasks in a secure, logged and monitored manner.
This solution therefore makes it possible to protect and supervise the privileged users’ work, and also to guarantee the security of the information assets of the client organization.
Outsourcing the administration of all or part of your information system to a third party is therefore possible from a technical point of view (with a solution such as Systancia Cleanroom), but it does not exempt the client organization from ensuring compliance with good security practices and from maintaining seamless collaboration with its external service provider. In the cybersecurity field, “trust” is the key word, and it is not incompatible with outsourced administration activities. Finally, the client organization’s vigilance must be materialized by drafting the most explicit and exhaustive contractual clauses possible, whose application and rigorous monitoring are essential to the success of this collaboration.
Antoine COUTANT – Chief Cybersecurity Officer
[01]       Security is not an obstacle, Antoine COUTANT, November 2018.
[02]       Once upon a time in Cyberland, Antoine COUTANT, October 2018.
[03]       PAM should not exclude SAP, Antoine COUTANT, March 2019.
[04]       How to secure IT administrators’ desktops?, Antoine COUTANT, February 2018.
[05]       The Cleanroom concept for a safe and secure administration, Antoine COUTANT, January 2019.