Introduction
IT production and industrialization
Today’s IT provisioning is characterized by a high degree of division of labor. Many hardware manufacturers, software manufacturers, system integrators and service providers are involved in an IT service that is provided to and consumed by a user organization. The latter demands secure IT services. It is a challenge to orchestrate the provisioning of IT services in such a way that every constituent contributes to the overall security, so that a secure, integrated whole is delivered to the user organization.
The industrialization of IT is ongoing and has intensified in recent years. As a result, the IT industry is highly specialized and characterized by a high degree of division of labor and by intensive networking and interdependencies between companies working together in a global supplier network. Hardware components and software systems are provided by vendors. Moreover, such components are managed by different companies after their initial installation. This means that IT service management activities are not only part of the IT service but are provided by companies other than the primary IT service provider holding the contract with the user organization. Today vendors also deliver their systems as a managed service and no longer as a product that is essentially managed by the IT service provider. Storage systems, for example, are offered “as-a-Service”. The IT service provider purchases “Storage as-a-Service” from the manufacturer, which is then fully responsible for many IT service management activities relating to the storage system; typical examples are diagnosis and repair services. This goes well beyond software for which the vendor merely delivers updates and patches: the supplier has direct access to the storage system inside the infrastructure of the IT service provider. The same holds for large networks.
IT products and services exchanged in the IT supply chain
It is practically impossible to draw a map of a “typical” supply chain in the IT industry that covers most business relations. Nevertheless, Figure 1 shows a decomposition of computing, workplace and network services (red boxes) into typical services and components which are, or may be, provided by companies other than the IT service provider that is the primary contracting party of the user organization (customer; shown as a dark grey box). The figure is mainly intended to demonstrate that the supply chain is complex and composed of multiple tiers.
There are many interdependencies between the highly specialized companies in the supplier network. Hence, it is very important to manage these relations. Each component, technology or service may or may not provide an appropriate level of security, and may even contain vulnerabilities. The chain is only as strong as its weakest link. Ultimately, the IT service provider is responsible for all IT services according to its contract with the user organization, regardless of whether the services and components are produced by the IT service provider itself or by one of its subcontractors. The situation is as follows:
- The IT service provider purchases products and services from 3rd parties (suppliers).
- These 3rd party products and services are integrated into IT services of the IT service provider.
- The composite IT services are delivered to customers (user organizations).
- The IT service provider is responsible for the composite IT service including the 3rd party products and services.
Challenges and solution
Without a methodology, it is likely that security gaps are introduced in such a complex environment. Even if security specifications exist, there is the risk that they are applied inconsistently, interpreted differently, or implemented incompletely. Even if all involved parties do their best to integrate security, there is the risk that not all relevant security requirements are considered and that the combination of components and services is not secure or does not meet the expectations of the consuming party. Current security standards do not provide sufficient guidance for dealing with this situation.
Main problems with respect to IT security include:
- The consuming party
  - assumes that the supplying party has integrated a technical security measure appropriately,
  - assumes that the supplying party has performed activities to provide a security configuration (often called hardening), or
  - assumes that the supplying party performs activities to uphold the required level of security (e.g. through patching).
- The supplying party
  - has not implemented a certain technical security measure since it does not know that the consuming party expects it,
  - assumes that the consuming party will configure the product appropriately (e.g. since requirements must be met which are not known to the supplier), or
  - assumes that the consuming party will take care of upholding the required level of security (e.g. since this is seen as out of scope and not covered by the contract).
- The consuming party uses the products or services from the supplying party in an insecure way since
  - the consuming party is not aware that guidance needs to be observed, or
  - no guidance was exchanged.
Note that identifying the right and relevant security measures for a given product, component or service is not obvious. Their identification depends, for example, on the application context and on risk appetite, and often several solutions are possible. Moreover, in many cases security measures relating to activities during development, integration and operations/maintenance are forgotten. Different scenarios also exist because, depending on the division of labor (provisioning model), either the consuming party or the supplying party is responsible for implementing security. It may also happen that both parties share this task.
The model described in this paper is intended to provide a solution for managing security in complex supplier networks so that gaps and overlaps are avoided or appropriately reduced. It adds significant factors to the existing schemas and standards shown in Figure 2. Each of the following five aspects is detailed in Chapter 2 of this paper:
- A classification and organization schema is required in order to keep an overview of security measures. The ESARIS Security Taxonomy fulfills this requirement and was introduced through Release 1 of the association.[1]
- A schema is required which supports selecting, from security standards, those security measures which are relevant for the product, component or service being provided by the supplying party and purchased by the consuming party. This method is called Provider Scope of Control.
- The expected technical security measures, as well as those relating to IT service management activities (during development, implementation and operations), are made explicit. The consuming party must define security requirements for the 3rd party products and services (purchased from the supplying party). To this end, existing security standards are used. The security measures are classified and organized using the ESARIS Security Taxonomy. They are agreed upon by the two parties in advance. The means used for this is called the Product Requirement Document (PRD).
- The security measures described in the Product Requirement Document (PRD) must be specified in a way that meets several conditions, so that both the consuming and the supplying party can agree upon them. For example, the specification of security measures must leave the supplying party enough freedom for technical progress. More detail is provided in the specification of the PRD.
- The consuming party must have a plan for organizing the purchasing process accordingly. This relates not only to the provisioning of security requirements and to the agreement with the supplying party: earlier activities include market research, and later activities include acceptance testing. A more detailed specification is to be given by one of the ICT Security Standards, called Systems Acquisition and Contracting (SAC), which relates to one area in the ESARIS Security Taxonomy published in Release 1 of the association.
Together, these details form the so-called ESARIS Third Party Integration Model.
[1] ESARIS Security Taxonomy – Synopsis, Scope and Content; Zero Outage Industry Standard, Release 1 about Security, February 2017, zero-outage.com/security