Many organizations are looking at outsourcing desktop security to save money and reduce management overhead. However, as my previous article noted, desktop outsourcing can pose risks to the enterprise in the form of financial instability, staff trustworthiness and poorly defined service levels. Still, there are many potential benefits that could outweigh the drawbacks.
Outsourcing desktop security initially caught the attention of many small and medium-sized businesses because of cost savings. When compared with the expenses of an in-house staff, training, software licensing and all the other costs, desktop services represent an attractive alternative.
Yet desktop outsourcing's growing popularity has moved beyond issues of affordability. A service provider can often offer a more secure environment than what some organizations can achieve in-house. At the same time, the organization gains a level of security expertise that can be difficult to obtain without hiring consultants.
A provider offering security services can draw on its experiences with customers from across the globe. When the service provider discovers a vulnerability in one customer's system, that information can be applied to all customers.
In addition, the service provider's staff receives ongoing training in the latest threats and technologies, while at the same time facing more frequent and varied threats than the typical organization. This knowledge is aggregated across the organization and available to everyone, yet the costs of all this learning and expertise are shared among customers, making the services relatively cheap.
A service provider is also better equipped than many in-house teams to stay familiar with state-of-the-art protection and provide it to its customers. The desktop service provider can update its customers' systems more frequently and apply what it has learned to its own infrastructure, giving customers the ability to respond quickly to real threats.
Consider practical security with desktop outsourcing
An organization that's thinking about outsourcing desktop security should do so with no small amount of trepidation. The business should take into account not only any cost savings it might realize, but also whether the service provider can safely deliver security better than what can be achieved in-house.
A Desktop-as-a-Service provider should have a proven track record for delivering a wide range of security services to a broad customer base. It should also have a global presence with multiple security operation centers (SOCs) that can meet an organization's needs in terms of cost, security and functionality.
IT should do a careful risk assessment to determine the potential pitfalls of outsourcing to a particular desktop service provider. The assessment must clearly spell out what the consequences are to the organization if the service provider fails to deliver or in some way compromises security.
The assessment would take into account the consequences of data leakage, how the service provider handles sensitive data, what levels of compliance can be met and whether background checks are performed on the service provider's employees.
Administrators should also review the level of training those employees receive, their areas of expertise, what happens if an SOC goes down, and how much access the service provider will need to the organization's network and desktops.
Corporate IT will also need to determine what services it expects from the service provider and how those services can be delivered while still maintaining oversight of the organization's security. More and more, organizations are able to pick and choose the services they want, but when it comes to security, IT should be thinking about operations over governance.
Specialized security-related tasks, such as scanning desktops or managing antivirus software, are better suited to outsourcing than those related to management and oversight. IT should still control the organization's larger security environment. Admins must be able to ensure that services are being provided as agreed upon and that quality-control measures give full insight into what a service provider is delivering.
Once an IT shop finds a service provider it believes is worth the risk, the next and perhaps the most critical step is to negotiate the service-level agreement (SLA). The SLA defines which desktop services the organization is outsourcing to the service provider and the standards that the service provider must meet in delivering them.
A good SLA should also cover such issues as how long it should take the service provider to identify security breaches, how IT can audit the services and how redress is handled in the event of non-performance. The SLA must describe what constitutes acceptable services and what does not. There should be no question about responsibilities, legal liabilities or consequences.
Part of the desktop outsourcing challenge for IT professionals is to ensure that whatever desktop services they hire out, none of them will conflict with the organization's larger security strategy. IT must retain control of all components of that strategy, whether or not they're outsourced.
Enterprise security requires a comprehensive approach that includes more than just monitoring the network perimeter or scanning desktops for viruses. However, that doesn't preclude outsourcing some or all of the organization's desktop security needs. Any business that considers taking this step should tread carefully, but if IT does its homework, it could find that outsourcing desktop security is well worth the work necessary to put it in place.
This was first published in September 2013