[ISN] Offshore security: Considering the risks

From: InfoSec News (isnat_private)
Date: Tue Sep 16 2003 - 04:26:52 PDT


    Story by Mark Willoughby
    SEPTEMBER 15, 2003

    The economics driving the globalization of IT infrastructure is 
    putting the spotlight on the security of offshore IT operations, 
    primarily in India. Huge investments are being made that assume that 
    the risk of offshore security can be managed, as long as the necessary 
    homework is done. 
    Certainly offshore service providers have the financial muscle to 
    provide secure offshore IT infrastructure. One of the most popular 
    nations for outsourcing is India, which is recording double-digit 
    growth in revenues from IT services, which are expected to reach $57 
    billion in 2008, according to a joint study by McKinsey & Co. and 
    Nasscom, an Indian software association. Based on a U.S. model of 
    spending 5% to 7% of the IT budget on security, and with the IT budget 
    consuming 15% of a service company's revenue, India should be ramping 
    up to spend $450 to $600 million on information security and assurance 
    by 2008. 
    "The distance and different laws and government philosophies can 
    create more risk," said Rich Mogull, research director for information 
    security and risk at Gartner Inc. in Stamford, Conn. Otherwise "the 
    security risks offshore generally aren't any different than the 
    security risk you face onshore." 

    Let the buyer beware

    Caveat emptor is the guiding principle for securing offshore IT 
    operations, Mogull said. "It really comes down to doing an 
    investigation of who you're doing business with, exercising good due 
    diligence and due care." Mogull said those contemplating a move 
    offshore should have an understanding of the host country's legal 
    climate, in addition to a thorough understanding of their security 
    needs. "You must write specific [offshore] requirements into your SLA 
    [service-level agreement] for vulnerability assessments and audits," 
    he said. 
    Information security for U.S. clients is part of the cost of doing 
    business offshore, said Avinash Vashistha, a Bangalore, India-based 
    project manager for NeoIT Inc., a San Ramon, Calif.-based consultancy 
    whose 62 employees (20 in the U.S.) help U.S. companies move IT 
    operations outside the country in a process dubbed offshoring. 
    NeoIT worked with 40 U.S. clients that resulted in more than $250 
    million in total offshore services contracts in 2002. Last year's 
    volume was exceeded in the first quarter of 2003 when NeoIT sent more 
    than $300 million in IT outsourcing contracts offshore. 

    The steps involved

    Security offshore begins onshore, Vashistha said. "None of these 
    companies want us to mention their names," he said, referring to 
    clients that include large banks and financial institutions and about 
    25 companies in the Fortune 500. U.S. companies moving offshore 
    routinely enter into confidentiality agreements with their Indian 
    service providers to tighten security with a veil of secrecy. 
    "We have a well-defined planning process that will show the [U.S.] 
    client what can be achieved for cost and quality," Vashistha said. 
    Security is tightly woven into the planning process, which begins with 
    an executive workshop. "At the end of the workshop, senior management 
    is on a level field with their understanding of offshoring." 
    The workshop gets U.S. companies comfortable with offshoring and 
    stresses security so clients can focus on the potential benefits of 
    the project. The next step in securing the move and subsequent 
    operations is a detailed, four-step planning process "to define what 
    is done onshore and offshore," Vashistha said. 
    The NeoIT planning process starts with a U.S.-based team identifying 
    and transferring knowledge for work done in the U.S. This is the 
    dreaded step that has produced numerous examples of U.S. employees 
    training their foreign replacements. 
    The second phase is an IT portfolio assessment to identify processes 
    and operations suitable for moving offshore. The third step is 
    acquiring the software, hardware and other resources needed for the 
    offshore operation, from both U.S.-based and offshore suppliers. The 
    final phase is the actual operational management, which includes 
    supervision of the offshore program. 
    Manoj David, a Bangalore-based information security analyst for NeoIT, 
    said his company's well-defined security framework addresses strict 
    U.S. privacy requirements for protected financial and health 
    "We have 23 chapters in our security framework," David said. "The 
    first thing we do is a gap analysis, to find gaps between existing 
    security policies and what will be required for offshore." This 
    analysis helps to determine the client's security readiness and sets 
    expectations for securing the offshore operation. 
    "The key areas are access control, network security, facilities and 
    operations, and applications security," David said. NeoIT makes 
    recommendations for such security services as "vulnerability 
    assessments from third parties, penetration assessments, external 
    audits, and security process audits, and for policies and tools such 
    as handling of backups and remote access." 
    Authentication for offshore IT operations is similar to what you see 
    in the U.S., David said. "Currently, we see mostly passwords. 
    Biometrics are very rare offshore, only for selected transactions. 
    Smart cards are used for physical access," he said, adding that 
    public-key infrastructure is typically used only to secure 
    transactions, such as in securely transmitting software. 
    Wipro IT Services, India's third-largest outsource provider, recorded 
    $670 million in revenue in 2003, with 70% coming from the U.S. 
    Pazhamalai Jayaraman, Wipro's Bangalore-based IT security director, 
    said Wipro has been investing in information security for six years 
    and was the first company in the world to be certified for the 2002 BS 
    7799 security standard. Wipro's security services include a global 
    consulting practice of 220 employees. 
    "We were able to minimize the impact of the Code Red and SQL Slammer 
    viruses," containing the infection to less than 5% of Wipro systems, 
    Jayaraman said. 
    Most U.S. companies do thorough security evaluations and tests for 
    regulatory compliance of their offshore operations before signing 
    service agreements, and periodically thereafter. Wipro conducts two 
    additional levels of audits and tests, Jayaraman said. These are 
    internal audits and tests conducted by Wipro staff and third parties. 
    "In most of these [customer] audits, we have come out with flying 
    colors," Jayaraman said. "We have been rated best in class in security 
    since 1999 by our customers," when ranked against larger companies 
    including Infosys Technologies Ltd. ($754 million in 2003 revenue) and 
    Tata Consultancy Services (part of the $13 billion Tata Group). 

    Some offshore concerns

    Not all agree that the Indian IT services providers are ready for 
    end-to-end support for large and sophisticated IT infrastructures, 
    particularly those that include mainframes. It's prudent to wait until 
    the economics are more compelling and Indian offshore service 
    providers have matured their services, according to an August 2003 
    report by outsourcing analyst Stephanie Moore at Cambridge, 
    Mass.-based Giga Information Group Inc. 
    Moore said many Indian IT outsourcing companies haven't developed the 
    infrastructure, process and knowledge necessary to fully support a 
    sophisticated IT infrastructure. A primary reason, according to Moore, 
    was a 1977 IT industry nationalization by the Indian government. This 
    protectionist act forced multinational IT companies, namely IBM, to 
    withdraw from India and resulted in a shortage of mainframe computing 
    infrastructure and operational skills that persists today. 
    "Moreover, the expense contribution of labor to total expense [labor 
    expense plus other expenses plus capital depreciation] for IT 
    operations is significantly less than for the application development 
    and maintenance," Moore said, which is almost all labor expense. "The 
    savings from offshored infrastructure will be significantly less than 
    the savings seen from offshored application development and 
    maintenance" when depreciation and other expenses are factored in. 
    Companies outsourcing end-to-end IT infrastructure operations to India 
    will have to deal with "accountability and responsibility issues" and 
    assume the role of a prime contractor while realizing a savings in the 
    neighborhood of 20%, Moore said. Increased operational risk, weighed 
    against the modest potential expense reduction promised by offshored 
    IT infrastructure operations, "will limit their market appeal in the 
    near term." 
    India has no shortage of information security skills, however. The 
    International Information Systems Certification Consortium in Dunedin, 
    Fla., which administers the Certified Information Systems Security 
    Professional exam, has 175 Indian CISSPs who have voluntarily 
    registered on its Web site, from a broad mix of both U.S. and local 
    Indian companies. Wipro boasts nine CISSPs, most of whom work in 
    Wipro's security consulting business. China has 465 registered CISSPs, 
    with approximately 90% based in Hong Kong and also representing a 
    broad mix of local and foreign companies. 
    Prasenjit Saha, the director of Wipro's security consulting practice, 
    said the security consulting business is growing at a 70% annual rate. 
    Wipro is adding 35 security consultants every quarter, almost all 
    boasting security certifications, and agreements are in place with 
    almost all major security vendors. Most of these new employees will be 
    in India, but some will be in the U.S., which accounts for 45% of 
    Wipro's security consulting business, Saha said, with Europe 
    contributing 42%. 

    Steps to Minimize Risk and Secure Offshore Operations

    1. Know your security and privacy requirements before you start. 
    2. Do a thorough security evaluation before signing any agreements 
    that include regulatory compliance. 
    3. Include stringent security measures in the SLA, including periodic 
    assessments, audits and tests.  
    ISN is currently hosted by Attrition.org
