Security Experts:

Three Questions to Ask Before You Outsource

Recently, I’ve read a number of reports on IT outsourcing. From those reports, one clear thing has emerged: North American companies have begun to outsource a part — or all — of their IT more in the past two years than they have at any previous time.

Despite its popularity, security issues exist with outsourcing; to avoid trouble down the road, a proactive, thoughtful and thorough approach at the beginning of the process usually helps.

My company works on Internet security and infrastructure issues, so keeping data safe and secure while also accessible is always top of mind for me. And when it comes to outsourcing IT, security should be front and center for you as well. If your company is moving to an outsourcing model, you need to ensure that all functions to be outsourced are discussed, defined and documented, especially in relation to privacy, backup and disaster recovery. It’s critical to have in-depth discussions about these topics with any outsourcing provider on your short list.

Risks of OutsourcingPrivacy

Legally speaking, once privacy is gone, it’s gone. If your data is shared with the world, your corporate privacy cannot be rectified or retrieved. Ensuring the responsibility for its protection is well worth the time required at the initial stages of outsourcing.

Privacy of corporate data is a complex subject. It’s vital to establish who will have access to your data, and that conversation is one that touches on both technical and legal issues. If you’re outsourcing to the cloud, which is often a given in today’s outsourcing scenarios, does that mean law enforcement can access your data since it’s technically in the “public sphere”? If so, under what circumstances? If your data is private and confidential, what can you do — if anything — to protect it? Your legal advisors need to help you and your providers measure liability against risk. And your technical team should demand a detailed explanation of what the provider puts in place to enforce privacy policies.

If you’re outsourcing, you’re likely using shared resources, and that means there is shared risk. For example, if hackers access the data stored by your provider, what happens if those hackers discover your data and inflict collateral damage against you? While that’s an extreme example, most outsourcing scenarios will involve more people than before having access to your data.

Backup

How do you currently handle your company’s backup needs? Today, you likely have in place corporate-wide rules, policies and procedures. So, before you settle on a particular outsourcing provider, make sure their backup methods align with yours. An especially important point is the issue of external devices. If your vendor backs up to external devices that are then shipped offsite for storage, you are faced with a risk of losing your data physically in transit. And it’s possible, depending on the type of data being stored, that someone could access it while it is shipped across town on a disc. To avoid these possibilities, you need to understand how external devices are kept safe and secure while in transit as well as in storage.

Disaster Recovery

Another critical topic to discuss with your outsourcing provider is disaster recovery. Many first-time outsourcing users assume that the cloud resolves disaster recovery issues. That, unfortunately, is not true. The cloud can crash. And if it does, you’re out of luck unless you have a copy of your corporate data. In fact, getting a copy of your data on a regular basis – monthly, daily or weekly – allows you to be prepared for disasters, such as a catastrophe in the cloud. It also helps ensure that you can quickly change outsourcing vendors if the need arises.

Another item to consider under “disaster recovery” is how your outsourced services are bundled. Outsourcing providers may offer a set of services as a bundle to increase customer loyalty; users of outsourced services are often glad to take advantage of the cost savings that come with bundling. Although the cost savings make sense, be sure to ask if your provider has procedures to address cross-functional failures. Your company may be able to tolerate a potential failure, but it may not. In these circumstances, it’s important to determine ahead of time what level of failure you can tolerate rather than discovering your tolerance level in the midst of a failure.

For example, at my company (Afilias), we have different network connectivity for each communications channel like video conferencing and email. That way, if our internal network were to have an issue, our customers would not be affected since we’ve designed our systems expressly to not be tied together. When things are tied together, they can fail together. While outsourcing has many benefits on logistical and economic levels, making sure you understand how your provider parallels — and differs from — your IT model will help ensure your company gets the most from outsourcing.

view counter
Ram Mohan is the Executive Vice President and Chief Technology Officer at Afilias, a global provider of Internet infrastructure services including domain name registry and DNS solutions. Ram also serves as the Security & Stability Advisory Committee's liaison to ICANN’s Board of Directors and has helped direct and write numerous policies effecting domain name registration and DNS security.