Security Expectations, Response Rise in India

Increasingly tough demands from U.S. clients spark change.

BANGALORE -- A tall electric fence secures the perimeter of Wipro Technologies' main campus in Bangalore's Electronic City. Inside, just behind the sliding steel gates, is a checkpoint where security personnel issue photo-ID badges to all visitors.

Card keys and biometric authentication devices control access to the various development centers in sleek buildings dotting the landscaped campus. Closed-circuit TVs provide constant surveillance.

At the same time, an invisible perimeter of event logging and monitoring tools, intrusion-detection systems, firewalls and encryption technologies protects the company's information infrastructure.

Such measures are what's needed to allay security concerns for U.S. clients outsourcing work to Wipro, said J. Pazhamalai, information security manager at the $1 billion IT services vendor. "Data security and privacy used to be an afterthought," Pazhamalai said. "Now customers are talking about it right at the RFP stage itself. They want a security plan with the proposal."

Wipro and other Indian outsourcing vendors are bolstering their security and privacy practices in response to U.S. concerns stemming from the compliance requirements of laws such as Sarbanes-Oxley, Gramm-Leach-Bliley and HIPAA. The key threats include unauthorized data access, accidental information loss and sabotage, loss of intellectual property, and damage from worms and viruses.

A growing number of companies "are seeking stringent contractual guarantees related to the security and privacy of data that could be remotely accessed as part of IT application development, testing or [business process outsourcing]," said Rusi Brij, CEO of Hexaware Technologies Ltd., a Mumbai-based service provider with facilities in Bangalore. "They are demanding documented, auditable procedural controls."

Regulatory compliance is what's driving much of the need for such measures, agreed Ram Mouli, vice president of technology planning and development at T. Rowe Price Group Inc. The Baltimore-based investment management firm, which manages assets worth more than $206 billion, has outsourced several application development projects to India.

"New regulations from the SEC and other regulatory agencies have created a need for several internal controls for application development, change control and maintenance," Mouli said. "These controls have to be extended offshore and monitored."

Is Your Data Safe Offshore? (Image credit: Matthew Faulkner)

Video monitoring is used extensively by Indian service providers. (Image credit: Hexaware Technologies Ltd.)

Physical security measures at major outsourcing service providers include guarded entrances. (Image credit: Jaikumar Vijayan)

At Wipro, a fortified physical perimeter is complemented by an invisible perimeter of intrusion-detection systems, firewalls and encryption. (Image credit: Wipro Technologies Ltd.)

The result is "tremendous scrutiny right now on data security, access controls and privacy" related to offshore work, said the chief technology officer of a Chicago-based service provider for the financial industry who spoke on condition of anonymity. "Some of our customers have asked us to fill out extraordinarily detailed questionnaires in which they ask us to attest to our security controls so they in turn can include that in their compliance documents," he said.

The trend is resulting in a much greater focus by both U.S. companies and their Indian vendors on issues such as security certifications and audits, identity management and application provisioning, and on detailed event logging and monitoring activities.

There's no question that security expectations have risen sharply, said S. Gopalakrishnan, chief operating officer at Bangalore-based Infosys Technologies Ltd., one of India's largest IT services vendors, with revenue of more than $1 billion. "It's become a lot more explicit now. We've had to improve on and formalize a lot of things" from a data security standpoint, he said.

One example is a backup storage site that Infosys recently established outside India in nearby Mauritius. All client backup tapes are shipped weekly to the site as a precaution. In addition, each client has been assigned a standby backup facility in an alternate location, Gopalakrishnan said.

Indian business process outsourcing (BPO) companies, which in serving their clients typically handle far more sensitive information than pure IT development shops do, take extra precautions.

Wipro Spectramind, a $95 million BPO subsidiary of Wipro, prohibits employees from carrying mobile phones or pens and paper to their work areas. "The ability for employees to carry data out of the facility is minimized to what they can carry in their heads," said Sunil Gujral, vice president of technology.

At Spectramind, as at other BPO outfits and many IT development shops, any ports and devices that could be used to store or copy data are disabled on all PCs and notebooks employees use to deliver services for U.S. clients. Most of its call center agents access customer systems via bare-bones Citrix Systems Inc. terminals that provide no avenue for data to be stored or copied locally.

"[Spectramind] only has the ability to view [our] data," said Chris Larsen, CEO of E-Loan Inc., a Pleasanton, Calif.-based online provider of consumer loans that has outsourced a portion of its back-office home-equity underwriting functions to Spectramind. "They do not have the ability to store, share, print or retain data in their India-based computers and systems."

E-Loan also uses a variety of technologies, including file-integrity monitoring products from Tripwire Inc. and open-source infrastructure monitoring tools such as Nagios, to monitor and log activity at Spectramind, Larsen added.
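Tripwire-style file-integrity monitoring is the part of that setup a practitioner can reproduce in a few dozen lines. The script below is an added example, not E-Loan's or Tripwire Inc.'s code: it hashes every regular file under a directory, stores the result as a baseline that is itself HMAC-signed (so an intruder who alters a file cannot simply edit the stored baseline to match), and reports what was added, removed or modified on a later scan. The directory layout, file contents and key in demo() are constructed for the example.

```python
"""Tripwire-style file integrity monitoring: hash a tree, keep a signed
baseline, and report what changed on the next run.  Added example, not
E-Loan's or Tripwire Inc.'s code; the tree built in demo() is constructed."""
import hashlib
import hmac
import json
import os
import tempfile

HASH = "sha256"


def _digest(path):
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.new(HASH)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its hash and size.
    Symlinks are skipped so a link re-pointed elsewhere cannot mask a change."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"hash": _digest(full), "size": os.path.getsize(full)}
    return baseline


def sign_baseline(baseline, key):
    """Serialise the baseline with an HMAC over its canonical JSON form."""
    body = json.dumps(baseline, sort_keys=True).encode()
    mac = hmac.new(key, body, HASH).hexdigest()
    return json.dumps({"mac": mac, "baseline": baseline}, sort_keys=True).encode()


def verify_baseline(blob, key):
    """Return the stored baseline only if its HMAC verifies; otherwise raise."""
    doc = json.loads(blob)
    body = json.dumps(doc["baseline"], sort_keys=True).encode()
    expected = hmac.new(key, body, HASH).hexdigest()
    if not hmac.compare_digest(expected, doc["mac"]):
        raise ValueError("baseline signature mismatch: stored baseline was tampered with")
    return doc["baseline"]


def baseline_is_authentic(blob, key):
    """Boolean wrapper around verify_baseline for callers that just want a yes/no."""
    try:
        verify_baseline(blob, key)
        return True
    except (ValueError, KeyError):
        return False


def compare(old, new):
    """Classify differences between a stored baseline and a fresh scan."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new)
                           if old[p]["hash"] != new[p]["hash"]),
    }


def demo():
    """Constructed scenario: baseline a small tree, then simulate someone
    re-enabling the clipboard in a config, dropping an export and deleting a
    file.  Returns the change report."""
    key = b"example-hmac-key"  # assumption: in practice kept off the monitored host
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "terminal.ini"), "w") as f:
            f.write("clipboard=disabled\nusb=disabled\n")
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("nothing sensitive\n")
        signed = sign_baseline(build_baseline(root), key)

        # Later: the three changes the next scan should surface.
        with open(os.path.join(root, "etc", "terminal.ini"), "w") as f:
            f.write("clipboard=enabled\nusb=disabled\n")
        with open(os.path.join(root, "export.csv"), "w") as f:
            f.write("ssn,name\n")
        os.remove(os.path.join(root, "notes.txt"))

        return compare(verify_baseline(signed, key), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The signed baseline is the point a monitoring vendor cares about: an unsigned hash list is only as trustworthy as the host it sits on, which is the host an insider controls.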

Ongoing Risks

Despite the measures to bolster security, the relative dearth of security professionals in India, the breakneck growth of its IT industry and an onerous legal system continue to pose risks that must not be overlooked, cautioned Samir Kapuria, an analyst at @stake Inc., a Cambridge, Mass.-based consultancy.

Much of the growth in Indian IT jobs over the past few years has been in areas such as application development and maintenance, rather than in a "niche job" such as IT security, Kapuria noted.

On paper at least, India has several laws that cover data security and privacy issues. The most prominent one is the Indian Information Technology Act of 2000, which makes the unauthorized use of data a punishable offense. But timely enforcement of such laws could prove difficult, given the excruciatingly slow pace of the country's legal system. That poses a significant threat from an intellectual property protection standpoint, Kapuria said.

Moreover, the distance factor can help conceal risky practices, especially when dealing with smaller firms. For example, a fast-growing BPO company that was recently moving to a larger facility decided to move some of its servers to a nearby Internet cafe, where it connected to its U.S. clients, because of a delay in the opening of its new facility.

And although the practice appears to be rare, Indian firms have been known to subcontract work out to companies in other countries without the knowledge of the U.S. client and with none of the security measures that might have been originally agreed upon.

But the reputable providers appear to have gotten the security message from their clients. It's no longer enough for Indian companies to "simply say they are addressing the issue," Gopalakrishnan acknowledged. "They've got to be able to show how they are addressing it."


Security Checklist

REQUIRE Indian vendors to have their development centers audited by established firms or be certified under international data security and audit standards such as BS7799 or SAS70. Many companies also reserve the right to do spot audits and checks.

ENSURE the use of encryption, firewalls and intrusion-detection systems to deal with malicious attacks. To watch for insider threats, companies have begun mandating content-filtering tools and event logging and monitoring technologies on the networks connecting U.S. clients with their Indian providers.

CONDUCT rigorous background checks on employees and require them to sign confidentiality agreements prohibiting the disclosure of proprietary information when they leave the company.

FOCUS on physical security and access-control systems, business continuity and disaster recoverability. Many companies insist on off-site storage and alternate sites.
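The content-filtering item in the checklist names the tool class without showing what it does. As an added example, not any vendor's product and not part of the original article, the Python below is a minimal outbound filter for a client-to-vendor link: it blocks messages that carry a plausible U.S. Social Security number or a Luhn-valid payment card number, the kind of data that back-office underwriting work handles. The agent identifiers and message texts are constructed; a real filter would also inspect attachments and try every digit window rather than only the longest match.

```python
"""Minimal outbound content filter: flag text carrying U.S. SSNs or
payment card numbers.  Added example, not any vendor's product; the
messages in SAMPLE_OUTBOUND are constructed."""
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn mod-10 check; rejects most random digit runs that PAN_RE accepts."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_ssn(area, group, serial):
    """The SSA never issues area 000, 666 or 900-999, or an all-zero group/serial."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def scan(text):
    """Return (kind, masked_value) findings for one message; values are masked
    so the alert log itself does not become a second copy of the data."""
    findings = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings.append(("ssn", "***-**-" + m.group(3)))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("pan", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def filter_outbound(messages):
    """Split (source, text) pairs into allowed and blocked, keeping the findings."""
    allowed, blocked = [], []
    for source, text in messages:
        hits = scan(text)
        (blocked if hits else allowed).append((source, hits))
    return allowed, blocked


# Constructed sample traffic from a vendor floor to a client (not real logs).
SAMPLE_OUTBOUND = [
    ("agent17@vendor", "Borrower SSN 123-45-6789 confirmed, docs attached"),
    ("agent22@vendor", "Order 1234 5678 9012 3456 shipped"),          # fails Luhn: not a card
    ("agent22@vendor", "Card on file 4111 1111 1111 1111 exp 12/06"),  # Luhn-valid test PAN
    ("agent09@vendor", "Case 000-12-3456 closed"),                     # area 000 never issued
    ("agent09@vendor", "Calling back customer at 3pm IST"),
]

if __name__ == "__main__":
    allowed, blocked = filter_outbound(SAMPLE_OUTBOUND)
    for source, hits in blocked:
        print("BLOCK", source, hits)
    for source, _ in allowed:
        print("ALLOW", source)
```

The Luhn and SSA-range checks are what keep a filter like this usable: without them, every order number and ticket ID on the link would trip it, and agents would learn to route around it.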

Copyright © 2004 IDG Communications, Inc.

  