[ISN] How To Assess Offshore Data Security

From: InfoSec News (alerts@private)
Date: Mon Jun 02 2008 - 00:09:52 PDT


http://www.informationweek.com/news/services/outsourcing/showArticle.jhtml?articleID=208400731

By Adam Ely
InformationWeek
May 31, 2008 
(From the June 2, 2008 issue) 

The global IT outsourcing trend shows every sign of continuing, with 
two-thirds of the 2007 InformationWeek 500 tapping offshore outsourcing. 
With experience, companies get confident in moving ever-more-sensitive 
IT or business processing work abroad. One of the foremost concerns for 
business technology managers is exposing data, so here we provide a 
broad overview of key areas to watch and delve deeper with offshore 
partners.

For starters, don't lose perspective. Data sent offshore faces the same 
basic risks as data kept in-house, including theft by employees, 
compromise by intruder, exposure by error or loss, and corporate 
espionage. Yet given the sensitivity to offshore data and likely 
resulting backlash, plus the different legal standards companies may 
face, the problems caused by data loss abroad could be amplified. Use 
the heightened sensitivity around offshoring as a reason to thoroughly 
test partners--and assess in-house operations.

Security concerns surrounding offshoring aren't all xenophobia, since 
legal recourse around data and intellectual property can vary greatly 
country to country. Gartner, for example, gave India a "good" rating for 
data and IP protection, China "poor," Brazil "fair," and Mexico "very 
good" in a series of reports in November. And the gap between the letter 
and reality of law as it's enforced can be vast. Brad Peterson, a lawyer 
at Mayer Brown, whose 1,800 lawyers include 300 in Asia, shares the 
story of a U.S. company, which he declines to name, that spent more than 
$2 million in India fighting intellectual property theft by a 
competitor. It won at all levels of the legal system, but the rival 
continued to operate with the stolen property. Any country offers 
benefits and drawbacks to be weighed case by case. In all, contracts 
should spell out security standards and recourse, but technical and 
physical controls are the front-line defenses to rely upon.


CERTIFIABLE IS GOOD

The larger, better-known names in outsourcing will have all their 
certifications, such as ISO 27001, to boast of, but that doesn't mean 
they should get the benefit of the doubt on information security. A 
small firm may offer even more specialized attention and experience.

ISO 27001 is certification that a company documents and follows 
information security practices and controls. Take note of the auditor's 
findings to ensure that the controls you most value are part of the 
certification. Review the firm that conducted the audit. Also make sure 
the outsourcer follows your industry's best practices and the compliance 
guidelines of your home country, and that it has a real understanding of 
them. Does the company live and breathe U.S. HIPAA or Payment Card 
Industry standards, which apply to health care and credit card data, 
respectively?

Under PCI, a company must ensure that third parties it hires adhere to 
the requirements. Often overlooked areas when using offshore companies 
are enforcing proper access controls and network segmentation. With 
offshore firms servicing multiple clients, a company must fully ensure 
that no administrative networks span clients and jeopardize data 
privacy.

When planning a controls strategy, a company must take the time to 
assess the data type and where it originated. Bridget Treacy, a 
London-based lawyer with the U.S. firm Hunton & Williams, routinely 
advises clients on the European Union's data privacy requirements, which 
are among the toughest. U.S. companies may opt into a Safe Harbor 
program to meet EU requirements, which can carry over to data being 
offshored.

Subcontractors present another operational risk to data privacy and 
compliance. If an offshore partner is using a third-party firm, it 
should be audited with the same vigor as the primary offshore company.


TECHNICAL CONTROLS

A classic error, says Al Smith, an engineering director for IBM data 
privacy offerings, is cloning data from production systems to send for 
development, quality testing, or some other purpose without vetting the 
recipient's standards for handling sensitive data. Smith says companies 
should use data sanitized of sensitive information unless there's a 
compelling case for using real data. It's also an example of an 
information security best practice a company should implement when 
offshoring data--and then apply to all its operations, if it isn't 
already.

When giving scrubbed data to an offshore partner, be sure it can't be 
easily mapped back to the real data. A simple pattern such as shifting 
every character by one (A becomes B, B becomes C, and so on) is no 
protection at all. Completely false data should be used when possible.
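As an added illustration (not from the article), the shift-by-one scrubbing it warns against next to two approaches that cannot be reversed from the offshored copy: a keyed HMAC token for fields that must still join across tables, and fully synthetic values for the rest. The records, the key name and the helper names are all constructed for this example.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample records for illustration only; these are not real people.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "ssn": "123-45-6789"},
    {"name": "Bob Sample", "ssn": "987-65-4321"},
]
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def _shift(c: str, k: int) -> str:
    """Move one letter or digit k positions (the 'A is B, B is C' scheme)."""
    if c.isdigit():
        return str((int(c) + k) % 10)
    if c.isascii() and c.isalpha():
        base = ord("A") if c.isupper() else ord("a")
        return chr((ord(c) - base + k) % 26 + base)
    return c


def weak_mask(value: str) -> str:
    """The scrubbing pattern the article warns against: every character moved by one."""
    return "".join(_shift(c, 1) for c in value)


def weak_unmask(value: str) -> str:
    """Why it fails: the rule is obvious from a handful of records and is trivially undone."""
    return "".join(_shift(c, -1) for c in value)


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC token: stable for joins between tables, but not reversible without
    the key, which stays with the data owner and never travels with the data."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def synthetic_ssn() -> str:
    """Completely false but format-preserving value with no link to any real record."""
    return (f"{secrets.randbelow(900) + 100:03d}-"
            f"{secrets.randbelow(100):02d}-{secrets.randbelow(10000):04d}")


def looks_like_ssn(value: str) -> bool:
    return bool(SSN_RE.match(value))


def scrub(records, key: bytes):
    """The copy that leaves the building: token for the name, synthetic SSN."""
    return [{"name_token": pseudonymize(r["name"], key), "ssn": synthetic_ssn()}
            for r in records]
```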

Additional technical controls that deserve close scrutiny--and could be 
required depending on regulations--are access controls, logging, and 
encryption. In most cases, the strategy will closely follow a company's 
domestic policies, unless those are weak. Controls should be applied 
around data to provide assurance of who has access to the data, 
assurance that data isn't compromised, and reports on actions taken 
against data.

Companies must decide whether to encrypt offshore data. Consider whether 
the need is for file-based encryption, transport, or database 
protection. With all, the key areas to discuss with an outsourcer are 
the encryption algorithm, how the keys are stored, and the audit trail. 
One caveat: Make sure you're aware of encryption laws. The U.S. Commerce 
Department regulates the export of encryption. And the Chinese 
government, for example, demands a way to access encrypted data if 
needed.

Assess how a vendor enforces access controls within operating systems, 
applications, and databases, and how it ensures that these controls are 
working properly and are updated as employees change jobs or leave the 
company. Outsourcers can face turnover of 25% or more annually, so a 
client company might learn something by evaluating how this is done.

Access control can be complex and burdensome if it isn't set up to be 
flexible enough for inevitable business requirement changes. Systems 
that grant permissions to groups rather than to individuals can be 
invaluable: permissions are applied to the group, and individuals are 
added to or removed from groups as roles change. Access control should 
be managed by a team that doesn't have direct access to the data or 
system.

Almost as important as these protections is the audit trail that proper 
logging provides. Centralized logging is part of PCI, in U.S. audits for 
the Sarbanes-Oxley and Gramm-Leach-Bliley acts, and in just about any 
information security strategy. The theory is that actions affecting 
sensitive data or systems should be logged, then stored in a secure, 
centralized location away from where the action happens.

When introducing centralized logging across countries, don't overlook 
time-zone management. Logs will appear out of order unless you set all 
systems to the same time zone, such as UTC. Some centralized logging 
software also can apply an offset as logs come in.
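An added example (not from the article) of the normalization step a central collector needs: log lines from three sites, one of them stamped in naive local time, are converted to UTC before ordering. The log lines, host names and the per-host offset table are constructed for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample lines. Two carry a UTC offset; the Bangalore host emits
# naive local time, which is how many systems ship their logs.
SAMPLE_LOGS = [
    "2008-06-02T09:15:00 bangalore-db01 user=ops1 action=SELECT table=customers",
    "2008-06-02T03:50:00+00:00 london-app02 user=ops1 action=LOGIN",
    "2008-06-01T21:02:00-07:00 sanjose-log01 user=ops1 action=EXPORT rows=50000",
]

# Assumed local offsets for hosts whose lines arrive without one; the collector
# applies these as the logs come in.
HOST_OFFSETS = {"bangalore-db01": timezone(timedelta(hours=5, minutes=30))}


def to_utc(ts: str, host: str) -> datetime:
    """Turn a timestamp into an aware UTC datetime, refusing to guess an offset."""
    when = datetime.fromisoformat(ts)
    if when.tzinfo is None:
        if host not in HOST_OFFSETS:
            raise ValueError(f"no offset known for {host}; refusing to guess")
        when = when.replace(tzinfo=HOST_OFFSETS[host])
    return when.astimezone(timezone.utc)


def parse_line(line: str) -> dict:
    ts, host, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"utc": to_utc(ts, host), "host": host, **fields}


def normalize(lines):
    """Events in true chronological order, all stamped in UTC."""
    return sorted((parse_line(line) for line in lines), key=lambda e: e["utc"])


def raw_order(lines):
    """Hosts in the order a naive sort of the original timestamps gives."""
    return [line.split(" ", 2)[1] for line in sorted(lines)]


def utc_order(lines):
    return [e["host"] for e in normalize(lines)]
```

Sorted on the raw strings, the EXPORT from San Jose looks like the first event; in UTC it is the last one, after the SELECT and the LOGIN.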

Depending on the environment and strategy, there are numerous acceptable 
ways to achieve these objectives, from off-the-shelf products for 
control, encryption, and logging requirements, to piecing together 
multiple solutions. Offshore firms will enforce most any control 
requested, as long as the client pays. The best value will come with 
those companies that have a high-quality base control system they apply 
as a standard.

The reality should be that, if sensitive data is stored in the United 
States, Canada, China, or England, it should be protected and treated 
the same. Retailer TJX's data-loss debacle happened within the United 
States. So while the recourses and risks vary from country to country, 
different technical controls generally aren't required.

That doesn't mean companies should let down their guard in assessing 
offshore outsourcers' security. In fact, information security pros 
should tap into the fear, uncertainty, and doubt surrounding 
outsourcing; use it to insist on proper controls and standards; and 
bring those practices in-house where their own are lacking. The reality 
is that a Social Security number is a Social Security number, no matter 
where you store it or where the access threat comes from.

Copyright 2007 CMP Media LLC

