Outsourcing – Potential Security Nightmare?

The outsourcing graveyard is littered with companies that “almost’ took the plunge. A recent case in point involves a major British performance-car manufacturer that had conducted an evaluation demonstrating an almost overwhelming case in favour of outsourcing. Then at the last moment they got cold feet, simply because they were reluctant to hand over their business strategies, details of their future models or their research and development to another company. The risk was too great.

To put a figure to the problem, an IDC report asking top company executives about outsourcing, reveals that 87% believe that security was the dominant issue. In more than 50% of instances where companies pull back from the outsourcing decision, it is simply because of the security exposure.

Where’s the problem?

In fact, it is dangerous to assume that the problem is unique to outsourcing; companies are equally vulnerable internally. Today, every organisations’ life-blood information is stored electronically and is then administered by whom? Typically, their corporate information is routinely backed up and administered by an 18 year old. It is hardly surprising, therefore, that most board members keep sensitive information – acquisitions, mergers, potential redundancies, poor company performance and so on – on their laptops as a rudimentary protection from prying eyes. Stated simply: whoever has administrative access to the infrastructure, has access to the data content. In all currently available systems – everything from mainframe legacy systems to fileservers and client workstations – whoever has administrative rights to the operating systems, has access to the data content. Even using Microsoft’s encrypted file system (EFS), if you are an administrator of the operating systems or Domain, you either have automatic access, or can get access, to the data content, encrypted or not.

This is no third division, technical issue. It is not simply a case of the network (be it outsourced or in-house) being vulnerable – we’re really talking about the future of the whole company being vulnerable. Outsourcing simply brings the problem into focus.

What’s the solution?

What is desperately needed is a wall between the administration of access to data content and administration of the IT infrastructure and Operating Systems. In fact, such a wall is possible. Inevitably, the first step is encryption of all data for individuals or, possibly, groups of users. Next, comes ownership and control of the encryption “key’. Generation of encryption / decryption keys, as well as end user assignment and the recovery process have to be divorced from the IT department, whether systems are outsourced or not.

If all data, whether on the desktop or a server, on-site or outsourced, is encrypted – so long as the key creation and recovery process is managed by a non-IT security manager:

  • The outsourcer (or internal IT department) sees only encrypted data
  • Network administrators (internal or external) can never gain access to data
  • The outsourcer (or IT department) can still backup and restore data.
  • The Outsourcer (or IT department) can still administrate the infrastructure
  • Cross administration becomes so much easier. The outsourcer simply receives a list of users that need access to the storage infrastructure. These users are given read-write access to all data storage areas. If they do not have the appropriate encryption / decryption keys for specific data, they are automatically denied access. The Outsourcer does not need to set-up complex permissions.v
  • The Outsourcer never has access to encryption / decryption keys.
  • The client company retains complete control over who can see what.
This delightfully simple concept even solves some of the politics between corporate divisions. Let’s face it, it is not uncommon for a division or a country to want to run its own infrastructure rather than sharing a central system, with the associated risk of another division gaining access. No longer a problem!

Armoursoft is a leading data security organisation, specialising in encription and data access solutions. Company web site: http://www.armoursoft.com.