The global IT outsourcing trend shows every sign of continuing, with two-thirds of the 2007 InformationWeek 500 tapping offshore outsourcing. With experience, companies get confident in moving ever-more-sensitive IT or business processing work abroad. One of the foremost concerns for business technology managers is exposing data, so here we provide a broad overview of key areas to watch and delve deeper with offshore partners.
For starters, don't lose perspective. Data sent offshore faces the same basic risks as data kept in-house, including theft by employees, compromise by intruder, exposure by error or loss, and corporate espionage. Yet given the sensitivity to offshore data and likely resulting backlash, plus the different legal standards companies may face, the problems caused by data loss abroad could be amplified. Use the heightened sensitivity around offshoring as a reason to thoroughly test partners--and assess in-house operations.
Security concerns surrounding offshoring aren't all xenophobia, since legal recourse around data and intellectual property can vary greatly country to country. Gartner, for example, gave India a "good" rating for data and IP protection, China "poor," Brazil "fair," and Mexico "very good" in a series of reports in November. And the gap between the letter and reality of law as it's enforced can be vast. Brad Peterson, a lawyer at Mayer Brown, whose 1,800 lawyers include 300 in Asia, shares the story of a U.S. company, which he declines to name, that spent more than $2 million in India fighting intellectual property theft by a competitor. It won at all levels of the legal system, but the rival continued to operate with the stolen property. Any country offers benefits and drawbacks to be weighed case by case. In all, contracts should spell out security standards and recourse, but technical and physical controls are the front-line defenses to rely upon.
CERTIFIABLE IS GOOD
ISO 27001 is certification that a company documents and follows information security practices and controls. Take note of the auditor's findings to ensure that the controls you most value are part of the certification. Review the firm that conducted the audit. Also make sure the outsourcer follows your industry's best practices and the compliance guidelines of your home country, and that it has a real understanding of them. Does the company live and breathe U.S. HIPAA or Payment Card Industry standards, which apply to health care and credit card data, respectively?
Under PCI, a company must ensure that third parties it hires adhere to the requirements. Often overlooked areas when using offshore companies are enforcing proper access controls and network segmentation. With offshore firms servicing multiple clients, a company must fully ensure that no administrative networks span clients and jeopardize data privacy.
When planning a controls strategy, a company must take the time to assess the data type and where it originated. Bridget Treacy, a London-based lawyer with the U.S. firm Hunton & Williams, routinely advises clients on the European Union's data privacy requirements, which are among the toughest. U.S. companies may opt into a Safe Harbor program to meet EU requirements, which can carry over to data being offshored.
Subcontractors present another operational risk to data privacy and compliance. If an offshore partner is using a third-party firm, it should be audited with the same vigor as the primary offshore company.
A classic error, says Al Smith, an engineering director for IBM data privacy offerings, is cloning data from production systems to send for development, quality testing, or some other purpose without vetting the recipient's standards for handling sensitive data. Smith says companies should use data sanitized of sensitive information unless there's a compelling case for using real data. It's also an example of an information security best practice a company should implement when offshoring data--and then apply to all its operations, if it isn't already.
When giving scrubbed data to an offshore partner, be sure it can't be easily mapped back to the real data--such as a simple pattern of changing characters by one (A is B, B is C, etc.). Completely false data should be used when possible.
Additional technical controls that deserve close scrutiny--and could be required depending on regulations--are access controls, logging, and encryption. In most cases, the strategy will closely follow a company's domestic policies, unless those are weak. Controls should be applied around data to provide assurance of who has access to the data, assurance that data isn't compromised, and reports on actions taken against data.
Companies must decide whether to encrypt offshore data. Consider whether the need is for file-based encryption, transport, or database protection. With all, the key areas to discuss with an outsourcer are the encryption algorithm, how the keys are stored, and the audit trail. One caveat: Make sure you're aware of encryption laws. The U.S. Commerce Department regulates the export of encryption. And the Chinese government, for example, demands a way to access encrypted data if needed.
Assess how a vendor enforces access controls within operating systems, applications, and databases, and how it ensures that these controls are working properly and are updated as employees change jobs or leave the company. Outsourcers can face turnover of 25% or more annually, so a client company might learn something by evaluating how this is done.
Almost as important as these protections is the audit trail that proper logging provides. Centralized logging is part of PCI, in U.S. audits for the Sarbanes-Oxley and Gramm-Leach-Bliley acts, and in just about any information security strategy. The theory is that actions affecting sensitive data or systems should be logged, then stored in a secure, centralized location away from where the action happens.
When introducing centralized logging across countries, don't overlook time-zone management. Logs will appear out of order unless you set all systems to the same time zone, such as UTC. Some centralized logging software also can apply an offset as logs come in.
Depending on the environment and strategy, there are numerous acceptable ways to achieve these objectives, from off-the-shelf products for control, encryption, and logging requirements, to piecing together multiple solutions. Offshore firms will enforce most any control requested, as long as the client pays. The best value will come with those companies that have a high-quality base control system they apply as a standard.
The reality should be that, if sensitive data is stored in the United States, Canada, China, or England, it should be protected and treated the same. Retailer TJX's data-loss debacle happened within the United States. So while the recourses and risks vary from country to country, different technical controls generally aren't required.
That doesn't mean companies should let down their guard in assessing offshore outsourcers' security. In fact, information security pros should should tap into the fear, uncertainty, and doubt surrounding outsourcing; use it to insist on proper controls and standards; and bring those practices in-house where their own are lacking. The reality is that a Social Security number is a Social Security number, no matter where you store it or where the access threat comes from.