These days we have seen service providers (Salesforce.com) and 3rd party hosting sites become unavailable. Sometimes this has been the fault of a lack of internal controls, but it has also been a result of the risks associated with that provider. SixApart, a hosting provider, was brought down by an attack.
Much of the conversation on this topic berates the provider (http://blogs.zdnet.com/threatchaos/wp-trackback.php?p=325) and recalls its past troubles with scaling. A parallel discussion is appearing which suggests that a certain client, who moved to this provider because they themselves had been the target of an attack, was the real target and not the hosting provider. See Law of Unintended Consequences.
The greatest risks are those unknown to us. In the risk management world we consider risks and determine how they should be addressed (mitigated, reduced, transferred, or eliminated). Each option has its own pros and cons, and through an evaluation of the threats, the risks, and a standard cost/benefit analysis the best action is chosen. It is the unknown risks that cause the greatest pain, because we do not employ any type of control on them.
So, how does one identify whether 3rd party service providers (web hosting companies, credit card processing firms, backup storage companies, etc.) have accepted a risky business posture? The first step would be to require that the service providers at least have some sort of 3rd party audit of their operations, security, availability, and integrity. A SAS 70 is a wonderful report to work from if it provides sufficient detail and covers the necessary controls.
Ok, what about those unsavory clients that certain companies accept "as part of business", clients who have ratcheted up the threat of attack (DDoS, physical, man-made, natural) without the provider fully disclosing this to its other customers? The best response to this threat that I can consider feasible and reasonable is simply requiring the provider, by contract, not to accept unnecessary risks or clients. The contract would carry penalties for the service provider if they violate the agreement. This provides some compensation and an escape route should the current provider shift their operations, become the target of hostile aggression, or simply attract undesirable media attention.
I would be curious to hear what others think of this risk, which is really a result of two degrees of separation. Any ideas on how to further protect the organization? What other indirect risks exist? What are the mitigation options?
Special thanks to those who have posted in the blog-o-universe on this difficult topic.
James DeLuccia IV
A quick update:
It seems that Blue has closed up shop, and that the spammers won the war. There is a rumor that the project may go underground and become an open source solution. This will not address the weakness in this model: the central server (i.e. the bull's-eye) that the spammers attacked.
Here Schneier talks about the end of Blue: