This is what it’s like to be an employee for Tata Consultancy Services (TCS), an Indian IT services vendor, when working for a big American insurance company (in this case CNA):
When you come to work, your bag is searched. You may be too. You hand in your cell phone to the security guard, to be picked up when you go home.
When you arrive at your desk, there are no traces of the papers you worked on yesterday — they got shredded last night. Don’t bother trying to copy a digital picture of your kids onto your work screen (you can’t copy or move files). There’s nothing but a phone (which can’t call anyone but the insurance company’s help desk) and a computer with CD-ROM and floppy drives that work fine but are locked to you, as are the Internet and e-mail.
And taking home a copy of CNA’s confidential business process manual to bone up on in your spare time will get you fired, as one employee recently learned.
“The data and our processes are too sensitive. We can’t afford to be lax,” says Scott Sysol, director of infrastructure and security architecture for CNA.
While experts disagree widely about the degree of extra risk involved in offshore outsourcing, companies such as CNA, an insurance giant that entrusts TCS with its sensitive financial and health-care information, are not taking chances with security when they send IT and business process work overseas. They are setting up rigid control processes with high levels of IT security. These initiatives cost money and cause disruption for outsourcers everywhere, but they are also the best ways to limit risks associated with sending such work offshore. (For its part, TCS declined to discuss its work with clients.)
And while practices such as forcing contractors to wall off work areas, slice up server farms and keep employees exclusive to one customer do not serve the basic economic tenets of outsourcing — scale, sharing and repeatability — they are the kinds of risk-mitigating actions that customers and their contractors must take when working with sensitive business data and processes.
Risk is in the eye of the beholder
Not all companies need the kinds of security measures that CNA has in place. It is up to CSOs and CIOs in the companies sending work offshore to define what’s an acceptable risk, outline security measures (in the contract wherever possible) and monitor their enforcement with the cooperation and support of the offshore provider. That sounds like a no-brainer. But it turns out that few companies take an active role in what experts say is a classic case of out of sight, out of mind.
“I’d say fewer than 20 percent of my clients audit the security of their providers,” says Atul Vashistha, CEO of NeoIT, an offshore outsourcing consulting company. “They just accept the suppliers’ defined security plan and don’t check to see if they are living up to it.”
Steven DeLaCastro, an offshore outsourcing consultant with Tatum Partners, puts the total even lower, at 10 percent. “Sarbanes-Oxley requires the right to audit outsourcers, yet companies aren’t putting [audits] into the contract,” he says.
U.S.-based companies routinely underestimate the extra elements of risk introduced into the offshoring equation by issues like poor infrastructure, political instability and legal systems that don’t line up with Western practices, says Ken Wheatley, vice president, corporate security of Sony Electronics. “People are so focused on saving money and shifting operations that they don’t think about the safeguards that need to be put in place,” he says. “They assume that people in different countries have the same mind-set and safeguards and sense of due diligence, and that’s just not the case.”
In reality, the case varies by the legal and workplace environment of the host country. Take India, for example. The country’s IT industry, acutely aware of Western companies’ security concerns, has been working since 1998 to get India’s legislature to pass general data protection and privacy laws like those in the United States and Europe, without success. Though laws have been passed that prohibit tampering with computer source code and hacking, intellectual property and data protection lag behind the West.
Even if stricter laws eventually pass — and most experts predict they will, given the importance of outsourcing to India’s economy — translating them across borders will still be difficult. Besides, relying on the legal system of any country to protect your corporate assets is misguided. Only your relationship with the vendor matters. “Laws only provide punishment,” says Venugopal Iyengar, practice director of e-security consulting for TCS. “Ultimately what we need is the assurance of safety through processes and best practices. Assurance is more important than punishment.”
Even the most elaborate security measures will not erase the significant cost savings of going offshore. But companies are inviting disaster if they don’t assess their risks up front and factor the security they want into the cost equation.
Below, we look at the security risks of offshore outsourcing and offer best practices for assessing them and mitigating them.
Risks to mitigate
CSOs should consider these four major categories of risk before negotiating security practices with an offshore vendor.
— The type of work being done offshore. Of the two main categories of IT-related offshore work — software development and business process outsourcing (BPO) — BPO is considered riskier because it requires more human interaction and often focuses on sensitive data. In software work, the primary risk is intellectual property theft. Few developing countries — with the notable exception of Singapore — have mature intellectual property protection laws. But intellectual property can be more easily protected with good physical and IT security measures than the BPO data.
— The importance of the work to revenue or innovation. For data, the risk is measured mostly in terms of regulatory weight — the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act being two hefty examples — and the financial loss that could result if the data is compromised or stolen. Is this new software product that you are developing offshore a bet-the-company innovation? If so, you will want to take every possible security precaution. Are you a manufacturing company outsourcing maintenance and support for a legacy system that is not critical to operations and does not process sensitive data? If so, your security risk is much lower.
— The structure of your offshore services model influences how much security you need. Offshoring pioneers GE and Citibank built their own “captive” subsidiaries in India in the 1990s because they did not consider the local third-party providers mature enough to meet their needs. Experts still consider it safer to hire your own employees and dictate your own policies and procedures than to trust them to outsiders, even though service providers — especially in India — have matured to the point where they are on par with Western outsourcers in terms of quality, process and security capabilities.
Captive locations — which today account for 30 percent of outsourcing employment and 50 percent of outsourcing revenue in India, according to consultancy A.T. Kearney — are expensive, requiring staff from headquarters to train employees, monitor management and build up the corporate infrastructure. They also face challenges in retaining local talent as competition for that talent grows. Some companies have created joint ventures with offshore providers to use the providers’ access to local talent and later sell services to others.
More companies sending work offshore today are going to third parties than setting up either captive operations or forming joint ventures, A.T. Kearney says. These still require check-ins by customers. Some third-party vendors use subcontractors to perform work — sometimes without their clients’ knowledge. Without direct accountability to the customer, subcontractors can be a big security risk.
— Every organization has its own risk tolerance. Companies outside the software, financial services and health-care industries (such as manufacturing and retail) generally face less risk in sending IT and BPO work offshore. But some set up extensive security measures because their culture demands it.
BNSF Railway, which offshores some system maintenance work, has a low risk tolerance and takes extra security steps as a result. The company does not send BPO work offshore, and most of its capital is tied up in locomotives, not mainframes. Yet BNSF doesn’t feel comfortable with generally accepted security standards for offshore security. One example: network lines to its offshore providers. Most customers of outsourcers accept shared data pipes that segregate and shield each customer’s work from the others. Security experts agree that shared lines are safe if managed properly.
But not BNSF. “We started out with a shared line, and it really limited us,” says Beth Bonjour, assistant vice president, technology services for BNSF. “We weren’t comfortable letting the outsourcer have access to our production systems over that line.” Finally, an agreement was reached with the outsourcer to include a BNSF-managed dedicated line (these lines typically cost 50 percent more than shared lines, according to Forrester Research). BNSF began outsourcing a portion of its support and maintenance for some production systems at a significant cost savings, Bonjour says. “We’re getting more value out of the relationship now than we were at the beginning,” she says.
Once you’ve got a handle on your outsourcing relationship, follow these five best practices.
Best practice one: Keep control
In their relationships with offshore outsourcers, companies such as BNSF and CNA have retained control over security. They make the rules, they spec out the infrastructure, and they monitor their outsourcers. They write contracts that spell out how their vendors’ employees will use computer networks and how much IT infrastructure will be set aside specifically for their outsourcing work. They perform periodic audits on outsourcers’ security measures and background checks on outsourcers’ employees after the outsourcers performs their own checks.
The goal: to ensure outsourcers practice the security that they preach. But getting such control isn’t always easy. “With large [vendors], there is an assumption on their part that they have good practices and policies in place” — and they often do, says Sony’s Wheatley. Yet when Wheatley asks for details, “they will take issue with us coming in to have the discussion. The inference is, ‘Hey, we’re doing business with — whatever famous company you want to name. How dare you come and ask us to do certain things?’ But when we’ve gone in and tested their policies, 100 percent of the time we’ve found serious issues.”
Both CNA and BNSF have staff who work on securing and monitoring the outsourced work. Both manage the networks that the outsourcers work on and provision the servers and PCs used by the providers with software they assemble and update themselves. They monitor network usage themselves and audit that usage as they would for internal employees.
It ain’t cheap. For business process outsourcing, which can involve highly sensitive data, risk management measures can eat up 15 percent to 19 percent of the cost savings of going offshore, according to researchers at Tower Group. For software development, which involves less access to sensitive data, due diligence and risk management eat up 6 percent to 10 percent of the savings. Yet even then, the overall savings are there.
Best practice two: perform due diligence work up front
Due diligence does not mean reading a provider’s customer list and watching a PowerPoint show about its security practices and metrics. Nor does it mean accepting claims that the vendor adheres to international security standards like COPC, an industry quality standard for customer service contact centers, and Safe Harbor, which covers European Union data privacy protection rules.
Given the dramatic growth and turnover in many offshore companies, customer references age quickly. Worse, customers may not admit to security problems they’ve experienced offshore because they fear bad publicity if word of the problems reached their own customers and the media. Indeed, very few companies were willing to go on the record for this story or discuss their offshore security practices.
Companies we spoke with said they hire security consultancies that have employees in various offshore destinations to check out the local reputations of the providers and do employee background checks. These companies also hire lawyers in the outsourcing destination country who have a good knowledge of data protection and intellectual property laws. They check up on the outsourcing companies and examine provisions in the contract to see if they will be legally enforceable.
Security due diligence takes time, cautions Sony’s Wheatley. “People watch too many cop shows. They think we can find answers to security issues in 12 hours,” he says. “It doesn’t work that way. Seventy to 80 percent of the time we find something that is bad enough not to do the business or get out of it if we’re in it. Then we need time to figure out a solution or have the ability to walk away from the deal. Sometimes two weeks turns into four months when we find problems. It can take time to check these things out.”
Best practice three: lock down the infrastructure
From the moment CNA began sending BPO and software development work offshore in 2002, it took full control of the computing infrastructure at its outsourcers. CNA configured servers, laptops and PCs in the United States with all the software that CNA’s outsourcers’ employees would use. CNA sent staff along with the computers to set them up in India and connect them with CNA’s dedicated network connection. Firewalls at the provider location and back in the United States help prevent any viruses on the local network at the provider, or from the network back home, from getting through to the hardware. When the outsourcer’s employees log in to the CNA network, software and security updates are automatically loaded onto their machines from CNA after a process of software inventorying and validation has taken place.
New virtualization software from Microsoft and VMware takes this control to a new level. CNA uses VMware’s ACE software to create an image — in effect, a working duplicate — of a secure CNA desktop on a CD that it sends to the outsourcers, which load the images on their own servers and PCs. Employees working for CNA double click on the image’s icon on their machines, the CNA desktop appears, and the image takes control of the PC and its peripherals. Employees cannot copy anything onto the encrypted CNA desktop nor take anything from it. The images can be set to lock out peripherals like USB flash drives. They can also be set to disappear from the computer on a specified date — handy if the employee leaves or the development project ends.
The images also help the offshore provider save money because it can load multiple images onto a single machine. The images give offshore employees more control. They can do CNA work without being connected to the CNA network, and if CNA allows it, they can still use the PCs for their own internal e-mail. “It used to be that employees would have to log out and go to a different computer to enter their time sheets or do e-mail,” says CNA’s Sysol. “Now they can do it on their own machines.”
Best practice four: audit processes and facilities regularly
An outsourcing contract is like a diplomatic treaty. Trust is present, but it’s vital to verify you’re getting what your agreement calls for.
BNSF conducts independent audits of its offshore contractors’ security processes once per quarter, according to Bonjour. The company also does an independent review of access rights that the offshore employees have to applications on BNSF’s and the providers’ internal networks to see if the employees are able to go where they shouldn’t or if they have moved on to a new project and still have access to the systems they used to work on. There are standards to help guide the audit process, such as the International Organization for Standardization (ISO) 17799 standard and the Statement on Auditing Standards No. 70, Service Organizations (SAS 70 Type II).
Yet because of the extra effort and expense of external audits, offshore providers may resist them, says Tatum Partners’ DeLaCastro. “If each customer has the right to audit, and each demands specific security measures, it becomes a thousand variations on a theme and takes away from the providers’ ability to standardize practices and swap people in and out from one customer to the next,” says DeLaCastro. It’s better to set up audits before a contract is signed; done after the fact could cause the provider’s costs to rise.
Auditing should cover physical security too. It’s important to tour the building where the work is done and make sure it is secure. “Big-name providers will put you in a modern, secure building, but you have to make sure that the work will actually be done in that building,” says DeLaCastro.
Old buildings may not be earthquake resistant or have reliable power supplies, fire suppression systems, or alarms tied to police and fire headquarters, he says. The provider should also show you a backup facility where work will carry on if the primary site has a problem.
In addition, your offshore employees should not share space with employees working on other customer accounts. There should be a physical barrier to the work area with pass-card entry and video surveillance of employees and maintenance staff. At the end of each day, any memos containing sensitive information should be destroyed. And devices such as cell phones, pagers and PDAs that can record or send information should be prohibited.
Most countries do not have the kind of information access that the United States enjoys, which means that it can be difficult to do independent background checks on offshore employees, verify past employment, search for criminal records or do the other kinds of checks considered routine in the States. Consider hiring a security consulting firm to check out references independently.
Lastly, look in the mirror. If you demand extraordinary precautions from your offshore vendor, make sure you maintain good security practices at home. “If you run a slovenly shop here, then you will run a slovenly one offshore,” says Richard Isaacs, vice president of security consultancy Lubrinco Group.
Best practice five: understand where your work gets done
With markets throughout Asia and Europe offering services, the world can seem like one big outsourcing oyster. But it’s important to understand the political context of your contractor’s work situation.
So while it’s hard to conceive of a foreign government stepping in and demanding disclosure of your proprietary software and data, it’s important to know it has happened. According to Gartner, in 2000 the Chinese government decreed that any software using encryption had to be registered with the government, along with anyone using it. The government also said that any software used in China must include encryption software manufactured in China. The government eventually rescinded the decree, but if it had remained, foreign companies would have faced the threat of industrial espionage by the government.
Security consultants specialize in tracking offshore political risks. “You want to understand the powers and predilection of the national government to look at your data and the chance that the service provider would comply,” says Kelly Kavanaugh, a Gartner analyst. “Some country is always getting caught doing some industrial espionage against U.S. companies. It’s nothing new.”