Computerworld - I just returned from Moscow, where I visited a company we outsource some of our software development to. Outsourcing software development can be a risky business. The theft of my company's source code could hit revenue hard. Now that USB pocket drives and other small, removable media have capacities as high as 5GB, it would be scarily easy for someone to put years' worth of software development on an external drive and walk out the door with it.
We entered into this outsourcing arrangement a couple of years ago extremely leery about the potential threat to our intellectual property. The truth is, we would have preferred to maintain software code development in the U.S., but our competitors outsource much of their development in the pursuit of lower costs, so we are pretty much forced to do the same just to remain competitive.
The Russian company we engaged put about 30 software engineers on the job of creating software programs for operating the hardware we manufacture. To facilitate the arrangement, we created a VPN tunnel between the office in Moscow and our data center in the U.S. At our end of the tunnel, we configured strict rules that allow those 30 engineers to access only certain source code repositories, e-mail and the other corporate resources they need to do their jobs. Internet access is almost completely restricted. The lone exceptions are for updates to Microsoft Windows and virus signatures. If the engineers want general Internet access, they can use a few kiosks that have been set up in public areas of the office. These kiosks aren't connected to our point-to-point VPN circuit, but to the Russian company's own network instead. We also mandated the removal of floppy drives and writable CD-ROM drives, and we had the engineers modify the BIOS settings on their machines to disable USB and other external ports.
Our nervousness dissipated as we began to see the quality of the work and the integrity of the engineers. Things were working pretty smoothly until recently, when the engineers started complaining that the lack of Internet access was affecting their productivity. When they wanted to search for common software code modules, troubleshoot problems or collaborate with other software engineers, they had to go to one of the kiosks. So, we've been studying how to give the engineers the Internet access they want while ensuring that intellectual property doesn't leave the company.
Our thinking was that we needed to gauge the trustworthiness of the Russian engineers before we could risk source code exposure as a result of giving them Internet access. As a security professional, it's my job to assume that there is a determined insider looking for a way to steal our intellectual property or conduct some other illicit activity. I also have to assume that we must constantly guard against inadvertent disclosure of our intellectual property. A worm or Trojan horse program designed to compromise a system and the data residing on it could be introduced very easily by a careless engineer with Internet access.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
