Information Security News mailing list archives

Offshore security: Considering the risks


From: InfoSec News <isn () c4i org>
Date: Tue, 16 Sep 2003 06:26:52 -0500 (CDT)

http://www.computerworld.com/managementtopics/outsourcing/story/0,10801,84671,00.html

Story by Mark Willoughby
SEPTEMBER 15, 2003 
COMPUTERWORLD 

The economics driving the globalization of IT infrastructure is 
putting the spotlight on the security of offshore IT operations, 
primarily in India. Huge investments are being made that assume that 
the risk of offshore security can be managed, as long as the necessary 
homework is done. 

Certainly offshore service providers have the financial muscle to 
provide secure offshore IT infrastructure. One of the most popular 
nations for outsourcing is India, which is recording double-digit 
growth in revenues from IT services, which are expected to reach $57 
billion in 2008, according to a joint study by McKinsey & Co. and 
Nasscom, an Indian software association. Based on a U.S. model of 
spending 5% to 7% of the IT budget on security, and with the IT budget 
consuming 15% of a service company's revenue, India should be ramping 
up to spend $450 to $600 million on information security and assurance 
by 2008. 

"The distance and different laws and government philosophies can 
create more risk," said Rich Mogull, research director for information 
security and risk at Gartner Inc. in Stamford, Conn. Otherwise "the 
security risks offshore generally aren't any different than the 
security risk you face onshore." 

Let the buyer beware 

Caveat emptor is the guiding principle for securing offshore IT 
operations, Mogull said. "It really comes down to doing an 
investigation of who you're doing business with, exercising good due 
diligence and due care." Mogull said those contemplating a move 
offshore should have an understanding of the host country's legal 
climate, in addition to a thorough understanding of their security 
needs. "You must write specific [offshore] requirements into your SLA 
[service-level agreement] for vulnerability assessments and audits," 
he said. 

Information security for U.S. clients is part of the cost of doing 
business offshore, said Avinash Vashistha, a Bangalore, India-based 
project manager for NeoIT Inc., a San Ramon, Calif.-based consultancy 
whose 62 employees (20 in the U.S.) help U.S. companies move IT 
operations outside the country in a process dubbed offshoring. 

NeoIT worked with 40 U.S. clients that resulted in more than $250 
million in total offshore services contracts in 2002. Last year's 
volume was exceeded in the first quarter of 2003 when NeoIT sent more 
than $300 million in IT outsourcing contracts offshore. 

The steps involved 

Security offshore begins onshore, Vashistha said. "None of these 
companies want us to mention their names," he said, referring to 
clients that include large banks and financial institutions and about 
25 companies in the Fortune 500. U.S. companies moving offshore 
routinely enter into confidentiality agreements with their Indian 
service providers to tighten security with a veil of secrecy. 

"We have a well-defined planning process that will show the [U.S.] 
client what can be achieved for cost and quality," Vashistha said. 
Security is tightly woven into the planning process, which begins with 
an executive workshop. "At the end of the workshop, senior management 
is on a level field with their understanding of offshoring." 

The workshop gets U.S. companies comfortable with offshoring and 
stresses security so clients can focus on the potential benefits of 
the project. The next step in securing the move and subsequent 
operations is a detailed, four-step planning process "to define what 
is done onshore and offshore," Vashistha said. 

The NeoIT planning process starts with a U.S.-based team identifying 
and transferring knowledge for work done in the U.S. This is the 
dreaded step that has produced numerous examples of U.S. employees 
training their foreign replacements. 

The second phase is an IT portfolio assessment to identify processes 
and operations suitable for moving offshore. The third step is 
acquiring the software, hardware and other resources needed for the 
offshore operation, from both U.S.-based and offshore suppliers. The 
final phase is the actual operational management, which includes 
supervision of the offshore program. 

Manoj David, a Bangalore-based information security analyst for NeoIT, 
said his company's well-defined security framework addresses strict 
U.S. privacy requirements for protected financial and health 
information. 

"We have 23 chapters in our security framework," David said. "The 
first thing we do is a gap analysis, to find gaps between existing 
security policies and what will be required for offshore." This 
analysis helps to determine the client's security readiness and sets 
expectations for securing the offshore operation. 

"The key areas are access control, network security, facilities and 
operations, and applications security," David said. NeoIT makes 
recommendations for such security services as "vulnerability 
assessments from third parties, penetration assessments, external 
audits, and security process audits, and for policies and tools such 
as handling of backups and remote access." 

Authentication for offshore IT operations is similar to what you see 
in the U.S., David said. "Currently, we see mostly passwords. 
Biometrics are very rare offshore, only for selected transactions. 
Smart cards are used for physical access," he said, adding that 
public-key infrastructure is typically used only to secure 
transactions, such as in securely transmitting software. 

Wipro IT Services, India's third-largest outsource provider, recorded 
$670 million in revenue in 2003, with 70% coming from the U.S. 
Pazhamalai Jayaraman, Wipro's Bangalore-based IT security director, 
said Wipro has been investing in information security for six years 
and was the first company in the world to be certified for the 2002 BS 
7799 security standard. Wipro's security services include a global 
consulting practice of 220 employees. 

"We were able to minimize the impact of the Code Red and SQL Slammer 
viruses," containing the infection to less than 5% of Wipro systems, 
Jayaraman said. 

Most U.S. companies do thorough security evaluations and tests for 
regulatory compliance of their offshore operations before signing 
service agreements, and periodically thereafter. Wipro conducts two 
additional levels of audits and tests, Jayaraman said. These are 
internal audits and tests conducted by Wipro staff and third parties. 

"In most of these [customer] audits, we have come out with flying 
colors," Jayaraman said. "We have been rated best in class in security 
since 1999 by our customers," when ranked against larger companies 
including Infosys Technologies Ltd. ($754 million in 2003 revenue) and 
Tata Consultancy Services (part of the $13 billion Tata Group). 

Some offshore concerns 

Not all agree that the Indian IT services providers are ready for 
end-to-end support for large and sophisticated IT infrastructures, 
particularly those that include mainframes. It's prudent to wait until 
the economics are more compelling and Indian offshore service 
providers have matured their services, according to an August 2003 
report by outsourcing analyst Stephanie Moore at Cambridge, 
Mass.-based Giga Information Group Inc. 

Moore said many Indian IT outsourcing companies haven't developed the 
infrastructure, process and knowledge necessary to fully support a 
sophisticated IT infrastructure. A primary reason, according to Moore, 
was a 1977 IT industry nationalization by the Indian government. This 
protectionist act forced multinational IT companies, namely IBM, to 
withdraw from India and resulted in a shortage of mainframe computing 
infrastructure and operational skills that persists today. 

"Moreover, the expense contribution of labor to total expense [labor 
expense plus other expenses plus capital depreciation] for IT 
operations is significantly less than for the application development 
and maintenance," which is almost all labor expense, Moore said. "The 
savings from offshored infrastructure will be significantly less than 
the savings seen from offshored application development and 
maintenance" when depreciation and other expenses are factored in. 

Companies outsourcing end-to-end IT infrastructure operations to India 
will have to deal with "accountability and responsibility issues" and 
assume the role of a prime contractor while realizing a savings in the 
neighborhood of 20%, Moore said. Increased operational risk, weighed 
against the modest potential expense reduction promised by offshored 
IT infrastructure operations, "will limit their market appeal in the 
near term." 

India has no shortage of information security skills, however. The 
International Information Systems Certification Consortium in Dunedin, 
Fla., which administers the Certified Information Systems Security 
Professional exam, has 175 Indian CISSPs who have voluntarily 
registered on its Web site, from a broad mix of both U.S. and local 
Indian companies. Wipro boasts nine CISSPs, most of whom work in 
Wipro's security consulting business. China has 465 registered CISSPs, 
with approximately 90% based in Hong Kong and also representing a 
broad mix of local and foreign companies. 

Prasenjit Saha, the director of Wipro's security consulting practice, 
said the security consulting business is growing at a 70% annual rate. 
Wipro is adding 35 security consultants every quarter, almost all 
boasting security certifications, and agreements are in place with 
almost all major security vendors. Most of these new employees will be 
in India, but some will be in the U.S., which accounts for 45% of 
Wipro's security consulting business, Saha said, with Europe 
contributing 42%. 

-=-

Steps to Minimize Risk and Secure Offshore Operations

1. Know your security and privacy requirements before you start. 

2. Do a thorough security evaluation, including tests for regulatory 
compliance, before signing any agreements. 

3. Include stringent security measures in the SLA, including periodic 
assessments, audits and tests.  
 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.