Weigh risks of offshore outsourcing

Offshore outsourcing might be a good economic decision for some organizations based on lower labor costs. But make sure you carefully consider the security risks of the decision.

Regulations such as the Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act and California’s SB 1386 require companies to protect privacy and impose stiff financial or disclosure penalties if they do not. Such regulations apply equally to data owners and outsourcers within the U.S., but not necessarily to outsourcers in China or India, which are relatively regulatory-free jurisdictions. Investigate these IT-related regulatory issues with your legal department.

Other risks come from giving outsourced staff access to IT systems within your network. I recently met with a financial services company that gives outsourcers VPN access to development systems for system maintenance, coding and testing.

Although the company had provided network access to vendors before, offshoring cast the practice in a new light: Low-paid, relatively high-skilled unknown workers would be coming right into the soft center of the intranet.

The first line of protection is to set up user authentication and firewall rules that constrain which IP addresses each remote user can access. This method increases management complexity, but the real problem is that firewall rules only lock down the first hop; once a user has access to an internal host, they might gain access to other hosts through telnet, Windows Terminal Server, Internet Explorer, rlogin, rsh or many other facilities. Outsourced programmers can also easily “root” development machines, install Trojan horses, corrupt production databases and cause other problems.

There are no fully satisfactory mitigation strategies for a second line of defense. You can try to use Web access rather than VPN access, but not all applications can be Webified. Hosts can be hardened, but it’s difficult to contain a savvy power user with access to a machine. Development hosts can be zoned off into a private area, but that still leaves all the hosts vulnerable to any one outsourcer. An intrusion-detection system can scan for improper traffic, but IDSs are notoriously expensive and hard to get right.
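The first-hop problem and the zoning countermeasure are easier to reason about with a concrete policy model. The following is an added example, not code from the column or from any vendor: it evaluates a constructed, zone-based firewall ruleset and computes which hosts a VPN user can reach directly versus by pivoting through a host the first-hop rules allowed. The host names, zones and rule order are assumptions made for the illustration.

```python
"""Reachability check for a remote-access firewall policy (constructed example)."""
from collections import deque

# Constructed inventory: host -> zone. Names are assumptions, not a real network.
HOSTS = {
    "vpn-gw":       "remote",  # where the outsourcer's VPN session terminates
    "dev-build-1":  "dev",
    "dev-build-2":  "dev",
    "prod-db":      "prod",
    "hr-fileshare": "corp",
}

# Rules are (source zone, destination zone, allow). First match wins; default deny.
# Policy 1: first-hop rules only, behind which the intranet is flat.
FIRST_HOP_ONLY = [
    ("remote", "dev", True),
    ("remote", "any", False),
    ("any", "any", True),     # internal hosts talk to each other freely
]

# Policy 2: development hosts zoned off; they may not initiate to prod or corp.
ZONED = [
    ("remote", "dev", True),
    ("remote", "any", False),
    ("dev", "dev", True),
    ("dev", "any", False),
    ("any", "any", True),
]


def evaluate(rules, src_zone, dst_zone):
    """Return True if traffic from src_zone to dst_zone is permitted."""
    for rule_src, rule_dst, allow in rules:
        if rule_src in (src_zone, "any") and rule_dst in (dst_zone, "any"):
            return allow
    return False  # implicit deny


def reachable(hosts, rules, start):
    """Transitive closure: every host reachable by hopping through allowed paths."""
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for host, zone in hosts.items():
            if host not in seen and evaluate(rules, hosts[current], zone):
                seen.add(host)
                queue.append(host)
    return seen - {start}


def exposure(hosts, rules, start):
    """Split reachable hosts into those the first hop allows and those gained by pivoting."""
    direct = {h for h, z in hosts.items()
              if h != start and evaluate(rules, hosts[start], z)}
    total = reachable(hosts, rules, start)
    return {"direct": direct, "via_pivot": total - direct}


if __name__ == "__main__":
    for name, policy in (("first-hop only", FIRST_HOP_ONLY), ("zoned", ZONED)):
        result = exposure(HOSTS, policy, "vpn-gw")
        print(f"{name}: direct={sorted(result['direct'])} "
              f"via_pivot={sorted(result['via_pivot'])}")
```

Under the first policy the VPN user is only permitted to reach the two development hosts directly, yet the production database and the corporate file share show up in the pivot set, which is exactly the first-hop limitation described above. The zoned policy empties the pivot set, but both development hosts remain reachable from any one session, matching the column's caveat that zoning still leaves every host in the zone exposed to each outsourcer.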

The irony is that all these countermeasures – several of which might be required – directly contradict the original outsourcing objective to cut costs. In the long run, companies might find it more expensive to outsource than to leave work in-house. How will your company do sufficient background checks on all the offshore outsourcer’s employees? Do you plan to conduct audits of completed code to ensure no back doors have been planted for future access?

Make sure you’re ready with architecture plans, cost estimates and risk assessments before that outsourcing request lands on your desk. There are a number of forums where colleagues in your industry might be studying the minimum required practices for offshore outsourcing. Attend one – and get ready.