How to protect your network when outsourcing

Computerworld - Outsourcing, right-sourcing, best-sourcing -- does anyone know what the latest buzzword is for this practice? No matter what the neologism is, it presents real issues that many of us in the network security field face every day.

How do we allow offshore workforces into our domestic systems securely? This seems like a simple question with a simple answer: Set up a VPN or a Web service and call it a day. I wish that was the case, because it would give me more time to improve my golf game.

But before you make a tee time, beware that there are a number of serious problems you can face that never seem to materialize until 2 a.m. the night before you go on vacation.
 
The offshoring of technical jobs means that corporations need to connect their domestic network with a foreign network. Making this connection raises real security concerns.

Fear of the unknown

The foreign network represents a vast unknown. You have no idea what -- if any -- policies the partner company actually enforces, how aggressive it patches systems and what the overall state of its network is. Regardless of what is discussed in contracts, wide-open access is extremely insecure.

And because most offshore work is actually taking place in the middle of your night, if something goes wrong you get the pleasure of waking up to a BlackBerry alerting you in the wee hours of the morning.

The type of work the offshore group is contracted to do will influence how you extend your network. If the offshore group only needs to check code in and out, a full VPN would be overkill. Most major code repositories have built-in Web interfaces and username/password protection.

Your network only needs to be extended to allow the front-end Web piece to access the back-end code repository. Using the popular Concurrent Versions System (CVS) as an example, there are several free, commercial-grade Web front-ends available. By setting up a publicly available Web site, using Secure Sockets Layer and relying on the built-in username/password protection in CVS, all that is required is a public IP address and fully qualified domain name.

This is a simple solution that will let you sleep at night and play an uninterrupted round of golf on the weekend. It also applies to offshore work that doesn't require live access to your internal systems. Building on the above concepts will work for any access requirements that don't involve live, real-time access to systems.
 
If the business requirements are more involved than simple code check-in and check-out, then put the clubs aside. because you are faced with a more complex problem. In my experience, management has demanded that an offshore team be completely integrated with an in-house development team and systems. This requires complete access to many systems and services. This is where things turn more complex, and there's more of a chance of exposing your network to unwanted threats.