Security, assurance and the division of labor

Abstract

The Enterprise Security Architecture for Reliable ICT Services (ESARIS) that is described in this book is built for an ICT Service Provider that delivers ICT services to user organizations. ESARIS is intended to facilitate the exchange of information between the two parties and serve as a means of balancing security issues or the treatment thereof, respectively. This chapter explains the reasons for the ongoing trend to buy ICT services instead of producing them (Sect. 2.1). It outlines the trade-off between diverging concerns of security or assurance on the one hand and the economies of scale on the other (Sect. 2.2). There are different definitions and understandings of “security” and factors that affect security and risk. The meanings or aspects that are most important in our context will be discussed briefly (Sect. 2.3). Third-party ICT services seem to feature an unfavorable proportion of security and risk. This is to be solved by adding security measures and by providing assurance (Sect. 2.4). User organizations can outsource ICT services to providers but they keep the associated risks for their business. Some general aspects that are to be considered by user organizations are summarized and briefly discussed (Sect. 2.5). This Chap. 2 is not specific to ESARIS; instead it provides an introduction to the context for which ESARIS is built. This introduction focuses to some extent on cloud computing, the emerging ICT service provisioning and deployment model that has the potential to cause a tectonic shift in ICT production and the relation between the provider and the user organization.