SANS InfoSec Reading Room - Managed Services

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

Featuring 12 papers as of May 25, 2013

Analysis of the building blocks and attack vectors associated with the Unified Extensible Firmware Interface (UEFI)

By: Jean-Franc Agneessens (posted on May 2, 2013)

The Basic Input/Output System (BIOS) is the code that is the closest you can get to the underlying hardware.

Determining the Role of the IA/Security Engineer

By: Brian Dutcher (posted on October 14, 2010)

What is your view of the role performed by an IA/Security Engineer? Is it focused on securing the network perimeter through the operations of the firewall, virtual private networks (VPNs), intrusion detection system/intrusion prevention system (IDS/IPS), network access control (NAC), data loss prevention (DLP) and enterprise anti-virus solutions? Is it the network specialist responsible for the secure design of the local area network (LAN), virtual LAN (VLAN), wide area network (WAN) and all endpoints? Is it the systems designer or operator responsible for the security of all clients and servers? Is it a software developer specializing in developing and hardening custom applications? Is the IA/Security Engineer someone who is an expert in all these areas? Is the IA/Security Engineer a specialized single technology (i.e. Cisco) expert, or is the position technologically agnostic, working at a higher level where specific detailed technology is irrelevant in the bigger scheme of things?

Outsourced Information Technology Environment Audit

By: Navaratnasingam Arunanthy (posted on April 27, 2010)

Outsourcing was hyped in the mid 90’s as one way to reduce IT cost, as well as to gain expertise for better business operations. Today some or many of the information technology activities in many organizations are outsourced. “IT outsourcing occurs when an organization contracts a service provider to perform an IT function instead of performing the function itself. The service provider could be a third party or another division or subsidiary of a single corporate entity. Increasingly, organizations are looking offshore for the means to minimize IT service costs and related taxes.”(CICA, 2003) Outsourced environments are complex and highly integrated with organizations and operations. As complexity increases managing relationships with service providers becomes challenging. “A survey performed by the IT Governance Institute indicates that problems with outsourcers increased on year 2007 from 74 Compound Problem Index (CPI) on year 2005 to 127 CPI. The CPI is the result of multiplying the outcomes from the several questions about the IT-related problems experienced by the749 respondents.”(ITGI, 2008)

Identity and Access Management Solution

By: Martine Linares (posted on June 29, 2005)

Companies must be able to trust the identities of users requiring access and easily administer user identities in a cost-effective way.

A Security Guide For Acquiring Outsourced Service

By: Bee Leng Tiow (posted on November 5, 2003)

This guide is an attempt to collate all security requirements relating to outsourcing, for which organisations seeking outsourcing should actively look into.

Requirements For Managing Security Information Overload

By: Sridhar Juvvadis (posted on October 31, 2003)

This paper discusses the important criteria in developing an information management solution. These requirements can be used as a guideline for comprehensive evaluation of various solutions.

Why MSS?

By: William Kinsey (posted on October 31, 2003)

This paper examines Managed Security Services in the context of providing CIA (confidentiality, integrity, and availability).

Security Outsourcing

By: Jonathan S. Faile (posted on October 31, 2003)

The primary focus of this paper is outsourcing security services and therefore most of the discussion will reflect that, though some mention of the other two options will be put forth.

Successfully Managing Cyber Security

By: James B. Johnson (posted on October 31, 2003)

This paper describes how managing a cyber security program involves physically protecting your company's investment in computer hardware, ensuring system availability, verifying information integrity, and securing confidential information.

Web Services Security - An Overview

By: Scott Burns (posted on October 31, 2003)

This paper presents an overview of web services secrity.

Security Issues of Integrating a Stand-alone System into Corporate Network

By: Edward Jirak (posted on October 31, 2003)

This paper describes some methods to improve security on systems that were originally designed as stand-alone or where security issues were ignored. It points out the weaknesses which have to be addressed before integration. It describes various channels into the system and explores ways on how to protect these pathways from being exploited

Extranet Access Management (EAM)

By: Nev Sealey (posted on October 31, 2003)

This document will give an overview of EAM architecture, EAM security, EAM a standard security model, and how EAM integrates with JAVA.