Offshore production of clothing brands like Wrangler, Lee and Nautica is an easy fit for VF Corp. But, after many years' experience manufacturing designer jeans and lingerie in Latin America and China, VF--like so many companies that outsource operations and services abroad--is dealing with a new wrinkle: infosecurity.
"We design our security infrastructure to support the business need," says Eric Anthony, VP of IT services for North Carolina-based VF, the world's largest apparel maker. "And no part of the business operates without proper security oversight."
That may sound familiar, but many companies are just waking up to the unique threats inherent in overseas operations. And some just don't get it at all. The normal caveats in dealing with service providers are compounded by time, distance, divergent laws and regulations, and, sometimes, hidden layers of contractors, subcontractors and sub-subcontractors. A misstep at a factory might mean a missed stitch in a pair of jeans; mistakes in security can spell disaster for finances and corporate reputations.
VF is one of the companies that gets it. So does its IT services provider, Patni Computer Systems of Mumbai, India, which manages VF's networks, develops its applications and provides help desk services. VF has worked with Patni to build security from the ground up.
"We partnered with Patni on the design of our space in Delhi. You've got to go see this stuff, look at how they're doing security, look at the practices they're going through," Anthony says.
Patni's IT staff ensures that the keycards work, employee screenings are performed and people follow approved access procedures. VF monitors the results from the U.S. and, if necessary, has domestic resources to back up or assume control.
Nailing overseas security
VF's thoroughness is atypical, says Satish Joshi, Patni's senior VP and CTO. Many of Patni's clients are remarkably lax in their requirements and fail to ask even obvious security, infrastructure and governance questions.
"Almost 90 percent have a question related to disaster recovery in their [outsourcing] questionnaire, but 35 to 40 percent don't check or verify the answers," he says. "Half of the companies don't check the contracts that they are signing; and only one-third, at most, bother to ask if the company requires employees to submit to a criminal background check and drug test.
"Only one or two [companies] have actually asked us to show the records to them," Joshi says.
And only half of the companies that offshore operations and support adequately plan for security, according to Debashish Sinha, managing director of San Ramon, Calif.-based offshoring consultancy neoIT. "It comes down to the way they set down the communications, the networks, the virtual LANs, the desktop security," he says. "It's a whole host of things."
Offshoring started as departmental initiatives not involving the typical enterprise infrastructure--infosecurity was left out of the loop. At many companies, departments faced with budget cuts recognized that vendors in India, China and other countries were offering business services--such as first-line technical support or telemarketing call centers--at substantially discounted prices. Now, infosecurity is playing catch-up.
"Most organizations didn't have a comprehensive view of IT security as it relates to offshoring," says Sinha. Only in the last two years, he says, have companies even begun to consolidate IT security.
He cautions that the rapid pace of offshoring has given birth to legions of immature service providers that may not be able to provide adequate security. Choosing the right provider--and holding it to established security standards and policies--requires particular diligence. Here are some basic guidelines:
- Visit the facilities. Seeing a picture and hearing about the security isn't enough. There have been cases where vendors mention one facility, which is actually devoted to one large client, and house a new customer's business on a separate, less secure site.
- Conduct security audits and penetration tests. Just like checking a job applicant's references, you should check service providers' previous security audits to see how they've done in the past. Even if the previous audits are sterling, have a reputable third party check the vendor's current security through audits and penetration tests.
- Review all IT and physical security procedures. From technology preferences to policies for physical and electronic access, review each aspect of the service provider's security. Don't assume that the outsourcer applies the same rules or takes the same approaches as you do.
- Require contractual restraints on people working for competitors. Make sure that the service provider has the employees working on your account sign nondisclosure and noncompete agreements, if acceptable under host nation laws.
- Provide only the access required. Minimize exposure by giving data access only to those service provider employees working on your account, and only give them enough clearance to do their jobs--nothing more.
Alternatively, some companies host their own offshore services, giving them greater control.
"We're forced into [offshoring] by competitive issues," says Chris Wong, executive VP and chief products officer at Agile Software. The company maintains its own development centers in China, Germany and India, which connect to corporate headquarters through VPNs. The work resides on the company's home servers, with document control systems managing and auditing access; everyone is behind the firewall and monitored by the same IDS.
About half of the employees in Agile's Asian offices are Chinese or Indian and have spent years working at the company's San Jose, Calif., office; that goes a long way towards instilling Agile's corporate security culture and policies in its foreign operations.
Not in Kansas anymore?
The caliber of a foreign service provider's security is merely one of the offshoring risks. Many countries don't have the same legal restrictions on the use of data as the U.S., and enforcement is often lax.
Laws and regulations can differ to such an extent that a security compromise that lands a U.S. client in hot water--say, for an SB 1386 violation--might have no ramifications for the foreign service provider.
The guaranteed level of service contracted with the offshore provider may not hold up in a particular country's legal environment. In the U.S., providers that allow data or intellectual property to be compromised would be subject to both state and federal laws, regulations and courts. That's not necessarily the case in other countries. A company must know the laws of the host country and understand the extent--and limits--of its recourse if there's a breach of contract or criminal violation.
"Enforcement is a nightmare if you have to go to the foreign jurisdiction," says Paul Roy, partner in the outsourcing practice of law firm Mayer, Brown, Rowe & Maw. India, for example, has no data privacy laws (it's just now considering legislation), so there's real uncertainty over how vigorously authorities will pursue offenders. Lawyers can draft contracts to cover all aspects of the relationship; a service agreement could state, for example, that both parties are covered by U.S. law and are even under U.S. jurisdiction. But, that contract may prove unenforceable if the service provider doesn't have significant assets in the U.S. that could be used as leverage in a U.S. court.
If that weren't trouble enough, foreign governments ignore--or are even complicit in--violations of signed agreements that put intellectual property at risk. Recently, the Chinese government allowed a manufacturing partner of pharmaceutical giant Pfizer to ignore the patent on Viagra and go into competition. If U.S. companies are vulnerable to this kind of blatant theft, think about important company information that doesn't fall so neatly under patent or copyright law. Most of it's in customer profiles, the mechanics of business processes and accounting details--information that's almost routinely outsourced, and inherently sent unprotected, to third parties in countries with even fewer legal protections than the U.S.
It's difficult for a company to outsource code development without giving away sensitive information, says Bharat Khatau, founder and CEO of Massachusetts-based Trigent Software, which has development centers in India.
"Business rules are proprietary to [businesses like] insurance companies and mortgage companies," Khatau says. "They don't want to let the information out to somebody else."
As with most outsourcing issues, this type of problem applies domestically as well as abroad, the difference being that, as legal protections change overseas, the contracting company's proprietary data and business processes become increasingly vulnerable to theft and misuse. The company contracting offshore services may not even know what's embedded in the code.
Regulations--foreign and domestic--can also complicate offshoring, sometimes in unexpected ways. With HIPAA, GLBA, Sarbanes-Oxley and other regulations touching a broadening range of U.S. businesses, the pressures on data security are becoming even more critical. Now, for global companies, European privacy laws can be more stringent than any in the U.S.
A company might even find itself under unexpected regulation in the course of conducting routine business.
"For example, [consider] the average company with pension and health care programs. They offshore the HR component; all of a sudden you have a HIPAA issue," Roy says.
The subcontractor culture
Sensitive information can repeatedly cross borders, which means security managers must not only focus on traditional security technologies but also on proper employee screening and physical security. This requires that the offshoring company either find an agent in the country or, far better, send representatives to make a proper evaluation. Not doing background checks can be disastrous; if a disgruntled employee decides to blackmail an employer by holding data hostage, there may be no legal impediment. Layers of subcontractors--or what some call re-offshoring--can make this an even messier proposition.
The warning signs have already appeared. UCSF Medical Center in San Francisco outsourced medical transcription to a company in Canada that, in turn, subcontracted much of the data entry. The agreement with the organization's subcontractor required all work be done domestically, but, as assignments passed through several layers of subcontractors, some of the work wound up in Pakistan. In October 2003, when a woman in Pakistan had been waiting for overdue paychecks and could not reach her contractor, she e-mailed UCSF, threatening to post patient records on the Internet unless they helped remedy the situation. Eventually, a payment of a few hundred dollars defused the threat.
It was a nightmare for UCSF, patient confidence and the reputations of the transcription outsourcing firms involved. And, this was just a trickle in the river of sensitive data traveling overseas. Banks, mortgage firms, credit card companies, large tax preparation businesses, insurance companies, electronics manufacturers and other corporations are sending sensitive customer information--belonging to individuals and businesses--overseas. Every party handling the data is another potential security breach.
Don't let up
Even a sound outsourcing relationship can go sour without continued vigilance. A vendor might even have so many clients that it can't keep all their different security procedures straight. The only solution for the infosecurity group is to continue monitoring the service provider through audits and penetration tests. neoIT's Sinha says that only about 20 percent of the companies he's dealt with actually have plans for ongoing infosecurity compliance testing of offshore partners.
Even if you're half a world away, there are always questions--such as whether those working on your account stay in the same, secure facility over the life of the contract--that you can only answer through an on-site inspection.
"We have contracts with our partner that holds them accountable for any malicious attacks," says VF's Anthony. "When you work with these vendors--and there are hundreds of them--you have to narrow it down to the vendors you are comfortable with."
About the author:
Erik Sherman is a Massachusetts-based freelance writer and regular contributor to Information Security.
This was first published in September 2004