[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[ISN] Offshore security: Considering the risks
Story by Mark Willoughby
SEPTEMBER 15, 2003
The economics driving the globalization of IT infrastructure is
putting the spotlight on the security of offshore IT operations,
primarily in India. Huge investments are being made that assume that
the risk of offshore security can be managed, as long as the necessary
homework is done.
Certainly offshore service providers have the financial muscle to
provide secure offshore IT infrastructure. One of the most popular
nations for outsourcing is India, which is recording double-digit
growth in revenues from IT services, which are expected to reach $57
billion in 2008, according to a joint study by McKinsey & Co. and
Nasscom, an Indian software association. Based on a U.S. model of
spending 5% to 7% of the IT budget on security, and with the IT budget
consuming 15% of a service company's revenue, India should be ramping
up to spend $450 to $600 million on information security and assurance
"The distance and different laws and government philosophies can
create more risk," said Rich Mogull, research director for information
security and risk at Gartner Inc. in Stamford, Conn. Otherwise "the
security risks offshore generally aren't any different than the
security risk you face onshore."
Let the buyer beware
Caveat emptor is the guiding principle for securing offshore IT
operations, Mogull said. "It really comes down to doing an
investigation of who you're doing business with, exercising good due
diligence and due care." Mogull said those contemplating a move
offshore should have an understanding of the host country's legal
climate, in addition to a thorough understanding of their security
needs. "You must write specific [offshore] requirements into your SLA
[service-level agreement] for vulnerability assessments and audits,"
Information security for U.S. clients is part of the cost of doing
business offshore, said Avinash Vashistha, a Bangalore, India-based
project manager for NeoIT Inc., a San Ramon, Calif.-based consultancy
whose 62 employees (20 in the U.S.) help U.S. companies move IT
operations outside the country in a process dubbed offshoring.
NeoIT worked with 40 U.S. clients that resulted in more than $250
million in total offshore services contracts in 2002. Last year's
volume was exceeded in the first quarter of 2003 when NeoIT sent more
than $300 million in IT outsourcing contracts offshore.
The steps involved
Security offshore begins onshore, Vashistha said. "None of these
companies want us to mention their names," he said, referring to
clients that include large banks and financial institutions and about
25 companies in the Fortune 500. U.S. companies moving offshore
routinely enter into confidentiality agreements with their Indian
service providers to tighten security with a veil of secrecy.
"We have a well-defined planning process that will show the [U.S.]
client what can be achieved for cost and quality," Vashistha said.
Security is tightly woven into the planning process, which begins with
an executive workshop. "At the end of the workshop, senior management
is on a level field with their understanding of offshoring."
The workshop gets U.S. companies comfortable with offshoring and
stresses security so clients can focus on the potential benefits of
the project. The next step in securing the move and subsequent
operations is a detailed, four-step planning process "to define what
is done onshore and offshore," Vashistha said.
The NeoIT planning processes starts with a U.S.-based team identifying
and transferring knowledge for work done in the U.S. This is the
dreaded step that has produced numerous examples of U.S. employees
training their foreign replacements.
The second phase is an IT portfolio assessment to identify processes
and operations suitable for moving offshore. The third step is
acquiring the software, hardware and other resources needed for the
offshore operation, from both U.S.-based and offshore suppliers. The
final phase is the actual operational management, which includes
supervision of the offshore program.
Manoj David, a Bangalore-based information security analyst for NeoIT,
said his company's well-defined security framework addresses strict
U.S. privacy requirements for protected financial and health
"We have 23 chapters in our security framework," David said. "The
first thing we do is a gap analysis, to find gaps between existing
security policies and what will be required for offshore." This
analysis helps to determine the client's security readiness and sets
expectations for securing the offshore operation.
"The key areas are access control, network security, facilities and
operations, and applications security," David said. NeoIT makes
recommendations for such security services as "vulnerability
assessments from third parties, penetration assessments, external
audits, and security process audits, and for policies and tools such
as handling of backups and remote access."
Authentication for offshore IT operations is similar to what you see
in the U.S., David said. "Currently, we see mostly passwords.
Biometrics are very rare offshore, only for selected transactions.
Smart cards are used for physical access," he said, adding that
public-key infrastructure is typically used only to secure
transactions, such as in securely transmitting software.
Wipro IT Services, India's third-largest outsource provider, recorded
$670 million in revenue in 2003, with 70% coming from the U.S.,
Pazhamalai Jayaraman, Wipro's Bangalore-based IT security director,
said Wipro has been investing in information security for six years
and was the first company in the world to be certified for the 2002 BS
7799 security standard. Wipro's security services include a global
consulting practice of 220 employees.
"We were able to minimize the impact of the Code Red and SQL Slammer
viruses," containing the infection to less than 5% of Wipro systems,
Most U.S. companies do thorough security evaluations and tests for
regulatory compliance of their offshore operations before signing
service agreements, and periodically thereafter. Wipro conducts two
additional levels of audits and tests, Jayaraman said. These are
internal audits and tests conducted by Wipro staff and third parties.
"In most of these [customer] audits, we have come out with flying
colors," Jayaraman said. "We have been rated best in class in security
since 1999 by our customers," when ranked against larger companies
including Infosys Technologies Ltd. ($754 million in 2003 revenue) and
Tata Consultancy Services (part of the $13 billion Tata Group).
Some offshore concerns
Not all agree that the Indian IT services providers are ready for
end-to-end support for large and sophisticated IT infrastructures,
particularly those that include mainframes. It's prudent to wait until
the economics are more compelling and Indian offshore service
providers have matured their services, according to an August 2003
report by outsourcing analyst Stephanie Moore at Cambridge,
Mass.-based Giga Information Group Inc.
Moore said many Indian IT outsourcing companies haven't developed the
infrastructure, process and knowledge necessary to fully support a
sophisticated IT infrastructure. A primary reason, according to Moore,
was a 1977 IT industry nationalization by the Indian government. This
protectionist act forced multinational IT companies, namely IBM, to
withdraw from India and resulted in a shortage of mainframe computing
infrastructure and operational skills that persists today.
"Moreover, the expense contribution of labor to total expense [labor
expense plus other expenses plus capital depreciation] for IT
operations is significantly less than for the application development
and maintenance," Moore said, which is almost all labor expense. "The
savings from offshored infrastructure will be significantly less than
the savings seen from offshored application development and
maintenance" when depreciation and other expenses are factored in.
Companies outsourcing end-to-end IT infrastructure operations to India
will have to deal with "accountability and responsibility issues" and
assume the role of a prime contractor while realizing a savings in the
neighborhood of 20%, Moore said. Increased operational risk, weighed
against the modest potential expense reduction promised by offshored
IT infrastructure operations, "will limit their market appeal in the
India has no shortage of information security skills, however. The
International Information Systems Certification Consortium in Dunedin,
Fla., which administers the Certified Information Systems Security
Professional exam, has 175 Indian CISSPs who have voluntarily
registered on its Web site, from a broad mix of both U.S. and local
Indian companies. Wipro boasts nine CISSPs, most of whom work in
Wipro's security consulting business. China has 465 registered CISSPs,
with approximately 90% based in Hong Kong and also representing a
broad mix of local and foreign companies.
Prasenjit Saha, the director of Wipro's security consulting practice,
said the security consulting business is growing at a 70% annual rate.
Wipro is adding 35 security consultants every quarter, almost all
boasting security certifications, and agreements are in place with
almost all major security vendors. Most of these new employees will be
in India, but some will be in the U.S., which accounts for 45% of
Wipro's security consulting business, Saha said, with Europe
Steps to Minimize Risk and Secure Offshore Operations
1. Know your security and privacy requirements before you start.
2. Do a thorough security evaluation before signing any agreements
that include regulatory compliance.
3. Include stringent security measures in the SLA, including periodic
assessments, audits and tests.
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo@xxxxxxxxxxxxx with 'unsubscribe isn'
in the BODY of the mail.