According to an ITtoolbox Outsourcing Survey, 2004 saw a threefold increase in the number of companies that named "lack of control" among their major reasons for choosing not to outsource. Are these fears warranted, or can parts of IT be safely outsourced? In this article I provide tips for determining the level of security exposure you could risk when outsourcing and suggest specific IT activities that probably pose the lowest risk. I suggest you use a simple four-step process: 1) Classify the data; 2) Categorize your company; 3) Select your vendor; 4) Gravitate towards lower-risk activities.
STEP #1: Classify the data.
Organizational security depends on a mesh of enterprise efforts focused on protecting sensitive information during manipulation, in transit and at rest. So before you jump at an attractive outsourcing offer, focus full attention on the data involved. Your first step is to classify it. Here are some questions you might ask:
- Is this data mission critical?
- Does this data represent private customer information?
- Does this data represent proprietary company secrets?
- Is this data used in calculating corporate financial performance?
- Would public trust be significantly damaged if this data were exposed?
If you answer yes to any of these questions, then the IT function you're considering outsourcing deals with sensitive data, and the service provider will have to guarantee a high level of security. This may help narrow your field of suppliers by clarifying the trust level that will be required of the service provider. Build these requirements into your vetting process. Some companies even require that an independent audit of a supplier's security functions be performed as a prerequisite to doing business. Not a bad idea.
What kinds of information would not be considered sensitive? Anything you typically make available to the public: newsletter contents, public announcements, the contents of your external-facing Web site, and copies of your public reports are among them. That's a small fraction of the data generated by your company. On the other hand, the largest volume of data your company generates in a day is probably email, and, comparatively speaking, the bulk of it is fluff. Losing control of a day's worth of corporate email might interrupt business but probably wouldn't stop it, though it could prove embarrassing. So your email usually falls into the private rather than the sensitive category, where the risk imposed by lesser control might be acceptable.
STEP #2: Categorize your organization.
Now that you have an idea of the kind of data you need to protect, let's talk about your company obligations. Here are a few questions that will help determine what level of control you will need to consider when outsourcing:
- Are you a public company?
- Are you a healthcare company?
- Are you an international banking institution?
- Are you a health care organization or do you manage your own health care program?
- Do you collect and store personal data on customers or individuals residing in California?
- Is your company considered part of US critical infrastructure?
Regulations governing data control are thick, and getting thicker. The Sarbanes-Oxley Act (otherwise known as "SOX") is meant to keep honest those public companies that are required to file performance reports with the SEC. This government mandate grew out of the Enron debacle, which exposed collusion in fraud among senior executives and the company's external audit agent.
While much of the act provides expectations around accounting accuracy, section 404 holds senior executives accountable for the integrity of the financial controls. What this means is that the CEO and CFO of the company need to submit an affidavit asserting that they believe their financial systems are sound and being well managed by staff.
By extension, this means that they believe security controls are in place that would prohibit tampering with the data. It's easier to do that when the staff and systems are under your direct control rather than managed by a third party halfway around the world. If you choose to outsource, the notion of periodic external audit of the supplier is not only warranted, but should be considered mandatory in your contracting.
Healthcare companies or companies that choose to manage their own health care programs are subject to HIPAA guidelines requiring the proper handling and protection of personal healthcare data.
International banking institutions will soon need to comply with Basel II, an international regulation that ensures banks maintain a requisite level of equity when trading so they don't over-extend credit and potentially destabilize the global money market.
Any company that collects and stores personal information on any California citizen is subject to California 1386, which requires senior executives to report suspected intrusions that may have compromised this information to law enforcement officials, and to immediately inform the customer. Several other states, such as Washington, have adopted customized versions of the law to protect consumer privacy, and the federal government is swiftly moving to make it a national law. So it's best to treat it as one, and to recognize that you'll probably be compelled to take some publicly visible action should outsourced consumer private data be lost or stolen.
STEP #3: Choose the right vendor.
Companies subject to any of these regulations should be increasingly wary of outsourcing any IT function that deals with these data. That's not to say outsourcing is out of the question, but its viability depends greatly on the relationship you have with your service providers and their proven trust level.
Undoubtedly, going offshore poses greater risk than does outsourcing to companies within the national border. A general rule of thumb is, don't outsource any part of your IT function that handles sensitive data or business functions outside the country. International law is simply too immature to provide any recourse if a problem occurs.
Some large, well-funded companies have found ways around this, by setting up wholly owned and controlled subsidiaries in third-world countries (captives) or by creating equity partnerships with foreign organizations. Both of these offer greater direct control over who will do the work and how it will be handled, as well as a legal presence in the foreign country that allows for prosecution under local law. Those laws, however, will probably favor the domestic company in disputes. Some foreign companies maintain a subsidiary presence in the US, allowing the locale of jurisdiction to be named as the US. This affords reasonable protection, as long as it's not undermined by conditions elsewhere in the contract.
Here are some questions you can ask when vetting a service provider to ensure they fully appreciate their security obligations to you:
- Will you submit to an external security audit on your company?
- Will you agree to contract terms stipulating that you will not re-outsource or sub-contract our function?
- Can you supply us with direct contacts at other companies with whom you do business?
- How many, and what kinds, of material security breaches have you experienced over the last year? What measures were taken to correct the exposure?
- Will you agree to a jurisdictional locale in the US (or whichever country you're in)?
If the vendor is noticeably uncomfortable about discussing these matters with you, move on. They don't appreciate your problem in theory and won't care about it in practice. That the outsourcing company has gained a reputation in its area of expertise should not raise your confidence. It only proves that they are successful in business, not necessarily in security. Just like you, service providers are struggling with the issue of internal security, and greater aggressiveness in business may actually indicate less, rather than more, attention to security where their own internal controls are concerned.
STEP #4: Choose the right IT activities to outsource.
So now that we know what kind of data you are dealing with, what regulations you are subject to, and how to pick a good vendor, let's explore some common IT activities that lend themselves to outsourcing, and how they affect security.
As a general rule, companies outsource to cut costs, free up staff or augment staff skills. Therefore, areas of professional specialty, especially those that require significant personal investment in skills and tools, are good candidates for outsourcing. Hackers and criminals don't usually have the patience to actually become certified professionals, so use certification as one means of determining the character and trustworthiness of the outsourcing professionals you hire.
Penetration testing
This not only could, but should be outsourced. Your staff knows too much about the inner workings of your IT to get a real measure of how secure your company is from hacking. Leave it to the professionals, but take immediate action on the results to plug the holes as soon as they're found. This ensures that should information about your vulnerabilities fall into the wrong hands, you'll be protected. Use only a company with a longstanding reputation in this area, and insist on certified professionals.
Security consultants and auditors
Regulatory compliance depends on real-time knowledge of changing US mandates. Using a security consultant or auditor from outside the country is probably not the best choice, since these people are probably most familiar with international best practices and may not fully appreciate the US directives you need to adhere to. Choose personnel accredited as a Certified Information Systems Auditor (CISA) and do a full background check.
Business continuity and disaster recovery planning; process analysis and re-engineering
While not specifically security activities, these can expose information about your security infrastructure. Although these activities require deep inspection of your IT infrastructure, its systems and policies, they need not require unsupervised access to production systems. Since the actual implementation of a backup facility is usually handed off to internal staff, these activities usually pose a low risk to organizational security.
System performance/load testing
These functions require specialist knowledge and a high level of personal investment in skills and tools. And while testers may have access to sensitive data and systems, it is usually only for a short time. These specialists are usually brought in late in projects, when time and budgets are already strained. Typically, they barely have time to think a malicious thought, let alone carry out one. Nevertheless, look for candidates certified in the tools that will be used and make sure they're coming from a trusted service provider.
Hardware and software support, and development and integration activities
These remain the top outsourced areas for IT. However, we now understand that security greatly depends on how we code, test and implement systems. Lack of secure coding and testing, and poor attention to security during installation, can be traced back as the root cause of most security problems.
It might seem like a good idea to save costs by outsourcing coding, but CIOs in an eWeek article pointed out that the cost savings during development are often offset by the difficulty of obtaining prompt attention for fixes when the project is done.
Imagine a serious security flaw was discovered in one of your financial or CRM systems. Would you be willing to wait for the service provider to pull their resource off another customer job to fix and test your problem? Where do you think their priorities will lie?
If a backdoor were found on the server that houses one of your mission critical applications at an outsourced facility, would you be willing to wait until the vendor obtained authorization from other customers that share space on that server before interrupting service to fix it?
To avoid problems, reconsider outsourcing any IT function considered mission critical or dealing with sensitive data. The potential pain is not worth the gain.
Automation scripting
Scripting is used to accelerate testing and requires deep knowledge of systems. Efficiencies can be gained by automating some of your testing through scripting, but scripting is a powerful tool that can also be easily misused, and it is the chief tool used by hackers in attacks. The viability of outsourcing scripting depends a lot on what functions, systems and data it will touch. Be sure you trust your supplier when outsourcing scripting responsibilities, and avoid granting access to mission-critical data, such as accounting or personal data, whenever possible. Make sure the resource is a staff professional, not someone contracted to the vending company, and that their background checks out.
Intrusion detection
Intrusion detection, which has been a strong area of outsourcing in the past, has lowered in value over the past few years. Cryptography guru Bruce Schneier broke the mold years ago with his Counterpane service, which monitored corporate sites and alerted client emergency response teams when anomalies were found in logs. Unfortunately, hackers have become smarter, and the time to react to sophisticated intrusions has shrunk to the point that the environment is completely compromised before an alert can even be issued, let alone a virus signature solution distributed. Therefore, in today's world the only practical form of outsourced intrusion detection is a company that pre-filters all traffic coming into and out of a corporate site, which is more efficiently handled by an installed security appliance such as an application-aware firewall than by an outsourced vendor service.
In the end, the security risk factors related to outsourcing most IT activities will, in almost every case, outweigh the benefits. If doing business effectively depends on cutting costs, don't be fooled into thinking your only cost is what you will pay an offshore vendor for services rendered. If you aren't sure your project won't raise regulatory suspicions, the costs you save are likely to be overwhelmed by remediation costs and regulatory penalties. Choose your projects wisely and think through all the security risks and costs before committing. Compare the rates you would get if you chose a respected domestic provider or kept the service in house. The difference may well be negligible when you factor in the potential legal liability and compliance risks.
Quality IT/Security Process Professional
IT Toolbox Outsourcing survey 2004 and 2003: