Offshore Management Framework: The key to managing outsourced IT projects across time, distance and cultures.


Security and Offshoring IT

A few weeks ago I was speaking with an IT director at a firm that has been sourcing software application development to us for a few years. The discussion was in the context of a security audit they had undergone. Though the discussion was primarily around the impact of the audit recommendations and how we could work to ‘harden’ the application, the director was also interested in knowing more about the security practices we brought to the table as a part of our services.

Queries like these are increasingly common as clients engage with service providers who in turn leverage globally distributed teams to ensure successful architecture, design, development and delivery of software systems.

IT executives and business stakeholders are increasingly getting paranoid about security, and rightly so. Though there are several dimensions to the issue, my colleagues in the application development space focus on the aspects that pertain to the “Secure by design” paradigm. What it essentially means in our context is simple: it does not matter whether the design and construction is done onsite or offshore; industry best practices override personal preferences when it comes to security. This is also a topic I dealt with in my book (Offshoring IT Services), where I explored pertinent topics on offshoring security with inputs from Prof. Nancy Mead of Carnegie Mellon University.

Designing and developing secure code should be inherent in any application development process, so why should offshoring be any different? Mark Hillary, in his recent blog, touches on some of these aspects:

I think there are three quite separate areas you need to audit and examine if you have an existing commitment with an offshore supplier that involves the processing of sensitive data, or if you are considering which supplier to use:
Legal: In the legislative environment you have chosen, what kind of deterrent is there from the law to help prevent information theft? If there are measures in law to protect you then what actual case precedents exist – it may be that the law exists, but the process of going to court takes many years or is just too painful for other reasons so try to determine how well the law really protects you.
Process frameworks: You want the supplier to guarantee it will use process frameworks such as BS7799 to ensure that the business processes are secure, according to internationally agreed guidelines.
Additional measures: On a company-by-company basis you will observe that some suppliers go much further and are more secure than the process frameworks require. Make sure you determine how secure you need to be and work with a supplier who understands that data will not be secure, just because they passed a security audit.

Similarly, Mark Willoughby highlights some aspects in his Computerworld article “Offshore security: Considering the risks”. He summarizes a few steps to minimize risk and secure offshore operations:

1. Know your security and privacy requirements before you start.
2. Do a thorough security evaluation before signing any agreements that include regulatory compliance.
3. Include stringent security measures in the SLA, including periodic assessments, audits and tests.

I couldn't have summarized it better.

Footnote: Further references on the topic:
Enterprise Security Solutions
Extracting value of Information Security through IT service management
