March/April issue
Saving Private Ryan — but losing the war?

Danny Bradbury
Outsourcing is gaining ground as companies try to cut costs, but
are they paying enough attention to security? Danny Bradbury reports.
Intel CEO Andy Grove is the skunk at the high-tech industry's garden
party.
He said so himself last October at the Global Tech Summit in Washington
DC. The event, organised by the Business Software Alliance, drew
senior executives from some of the top technology firms. Grove refused
to join the other CEOs' back-slapping. Instead, he said that outsourcing
offshore would do to the high-tech sector what commoditisation did
earlier to the US steel industry.
Is Grove right? Or has he lost the plot?
Companies already hurt by the downturn in the technology sector
are looking to cut costs. Farming out parts of the business, especially
to offshore companies, is one way to do it. The result? Lots of
empty cubicles.
US market researcher Gartner predicted last July that one in 20
IT jobs in US customer organisations would move offshore by the
end of this year. And when the US does something, the UK generally
follows. If you're a director of a publicly listed company, responsibility
to your shareholders may give you no choice.
But companies that hope to use outsourcing to slash costs are missing
a key point — the need for security. Governance regulations
such as the US's Sarbanes-Oxley Act and the UK's Joint Committee
report, which incorporates the Higgs and Turnbull reports, insist
on tighter internal controls. Like it or not, data security is now
high up the corporate agenda. The question is, can you outsource
business functions and still be secure?
Marry in haste ...?
Marrying the two is not impossible, says Samir Kapuria, director
of strategic solutions at security consultancy @stake, but you have
to manage the risks. He identifies some key steps. Firstly, the
parts of the business that you outsource affect the types of risk
you face. He identifies four main areas where outsourcing is common:
development projects, operations (where some back office operations
such as payroll are moved outside the company), manufacturing, and
analytics, where transaction-oriented functions such as call centres
are handled by a third party.
Analytical business functions deal with information integrity,
he explains. Companies should be asking themselves about the integrity
and quality of information that they receive from outsourcing partners.
Companies that outsource back-office operations face infrastructure
risk, because their external partners often have access to key parts
of the information infrastructure, such as customer and production
databases. Outsourcing software development brings risks to the
firm’s intellectual property. What if a partner's development
team uses an inadequate methodology and opens an application to
attack? Or worse, deliberately injects a Trojan or a back door into
your code?
Code review
[Photo caption: Samir Kapuria: check your partner carefully.]
This was one of the problems facing Paul Kelsall, head of technical
development for ebusiness at the Royal Mail. He chose services company
Sapient to help redevelop the online portal for the Royal Mail,
Parcelforce and Post Office Ltd. Sapient has an office in India
that it used to help revamp the system, which was originally developed
by another third party supplier, ATG. His internal team did a peer
review of the code that Sapient's offshore team wrote, but Kelsall
also brought in ATG for an independent code review. "We needed
to know," he explains, "is (the new code) fit for purpose,
but also is it doing what it's meant to do, and only what it's meant
to do?"
Once you identify the risks, you can begin to build an evaluation
matrix that will help you assess them in terms of probability and
impact, explains Angela Shutt, director of outsourcing consultancy
Orbys. This matrix can help you to develop a mitigation strategy,
she says. Once you understand how likely each risk is to occur,
and the financial effect that it could have on your business, you
can identify ways to manage them. It also sketches a framework for
due diligence standards with your outsourced service provider.
Due diligence should include physical site visits, not only to
reference sites but also to the provider's facility. If the provider
is offshore, your costs will be higher. But it is a necessary expense,
says Kelsall. Royal Mail team members visited the Indian office
as part of the due diligence process, and they will return, unscheduled,
in future.
Chinese patience
Many outsourcing and security experts feel that taking projects
offshore introduces extra risk. This makes due diligence inspections
even more important. Peter Tippett, founder of security services
company TruSecure, recalls an investigation that his company conducted
into a potential Chinese supplier for a Western financial services
customer. The customer wanted to use the Chinese company to administer
its Unix systems. This would have meant granting its employees a
high level of access. TruSecure monitors underground hacking groups
by infiltrating newsgroups, and it has a database of over 10,000
“black hat” hackers. When it checked the staff of the
prospective supplier against this database, it found that at least
three were members of a Chinese hacking group. Forewarned, the customer
passed.
The political infrastructure in burgeoning outsourcing economies
can make things worse. As Tippett explains, "Most people who
worked for this group were members of the Communist Party. Despite
the fact that China is now much more open economically, politically
the government there, like most governments, remains somewhat paranoid,"
he says. "If I was a Chinese state official trying to figure
out how to conduct IT espionage, I wouldn't hesitate to hire hacker
kids to work for me." This is something that @stake's Kapuria
also highlights, adding that in certain countries with reputations
for eavesdropping, the states maintain strict control over their
ISP infrastructures.
Vetting staff
Even when outsourcing to a UK company, where the political and
economic situation is more familiar, it's important to vet your
outsourced suppliers' staff, says David Roberts, CEO of The Infrastructure
Forum (TIF), a group of blue-chip IT customers that run workshops
to share their experiences. Granting high level access to your information
makes staff vetting very important, he says. This applies also to
contractors who work for outsourced suppliers. The truly security-conscious
will want to verify a provider's recruitment processes. Are all
references properly checked? Are periods of employment on CVs verified
to ensure that there are no inexplicable gaps?
Due diligence is all very well, but without a benchmark to measure
a potential supplier's security processes, it is difficult to do
it effectively. The BS7799 standard can help. Its code of practice
(Part 1, published internationally as ISO/IEC17799) provides a checklist
that embraces the human element of a company as well as its technical
information infrastructure and processes; Part 2 is the specification
against which a supplier's security management system is actually
certified. Finding a supplier with a BS7799 certificate doesn't eliminate
the need for due diligence, but Gavin Fulton, senior security consultant
at Computacenter, argues that it reduces some of the elementary spadework.
Growing to trust
[Photo caption: Peter Tippett: willing to hire hackers?]
Sometimes the relationship between customer and supplier grows
over time. When it asked IT services company Attenda to manage its
server infrastructure, Reed Online, the electronic division of IT
recruitment giant Reed, started small. As Reed Online gained more
confidence in its provider, the relationship grew, explains Reed
Online's head of technology, Mark Ridley. The deal first covered
basic monitoring of its servers and network infrastructure. Now
it includes security scans and database monitoring. Attenda is now
BS7799-certified, says Ridley, but adds his team still audits the
security procedures regularly to ensure Attenda hits the mark. The
audit includes regular physical visits and checks against the BS7799
framework. "We have worked on our own change controls to ensure
that our processes and theirs tie up," he says. For example,
change requests are approved by a change board inside Reed Online
and then fed to Attenda. Attenda staff review them using their own
procedures and respond to Ridley's team. The companies continually
review their procedures against each other. "Probably these
processes weren't as firm in the past as they currently are, and
we continue to see them evolve."
All of the issues discussed above are poison to companies that
use outsourcing purely to save money, because meeting each extra
security risk trims the potential savings. But these overheads may
be only the start. To truly secure the organisation you must drive
security to its heart. The way to do this is deperimeterisation,
which Computacenter's Fulton sees as vital to any outsourced process.
But for the unprepared company, this could dramatically increase
the cost of an outsourcing project.
The d-word
Deperimeterisation is a new word for a very traditional approach.
It means abandoning the 'ring of steel' model, in which the outer
perimeter of your organisation is protected but the internal components
of your IT infrastructure are left exposed to anyone who gets past it. Instead, advocates
such as David Lacey, director of security and risk management at
the Royal Mail, argue that every system inside an organisation should
be security-hardened against threats from an increasingly connected
world, especially where service-oriented process architectures make
internal company resources available to external business partners.
The savvy company will already have built its systems in this way.
So even if hackers break through your firewall, they still have
to crack each system inside your company in turn. But if you haven't
deperimeterised your infrastructure, then you have a lot of work
to do before you can reap the benefits of outsourcing. This could
be expensive, and outsourcing opportunities notwithstanding, it's
becoming increasingly important as the boundaries between companies
become more fluid.
Danny Bradbury is a technology journalist who writes for the
Evening Standard, Computing, Computer Weekly and Microscope.