Offshore security: Considering the risks

The economics driving the globalization of IT infrastructure is putting the spotlight on the security of offshore IT operations, primarily in India. Huge investments are being made that assume that the risk of offshore security can be managed, as long as the necessary homework is done.

Certainly offshore service providers have the financial muscle to provide secure offshore IT infrastructure. One of the most popular nations for outsourcing is India, which is recording double-digit growth in revenues from IT services, which are expected to reach $57 billion in 2008, according to a joint study by McKinsey & Co. and Nasscom, an Indian software association. Based on a U.S. model of spending 5% to 7% of the IT budget on security, and with the IT budget consuming 15% of a service company's revenue, India should be ramping up to spend $450 to $600 million on information security and assurance by 2008.

"The distance and different laws and government philosophies can create more risk," said Rich Mogull, research director for information security and risk at Gartner Inc. in Stamford, Conn. Otherwise "the security risks offshore generally aren't any different than the security risk you face onshore."

Let the buyer beware

Caveat emptor is the guiding principle for securing offshore IT operations, Mogull said. "It really comes down to doing an investigation of who you're doing business with, exercising good due diligence and due care." Mogull said those contemplating a move offshore should have an understanding of the host country's legal climate, in addition to a thorough understanding of their security needs. "You must write specific [offshore] requirements into your SLA [service-level agreement] for vulnerability assessments and audits," he said.

Mark Willoughby

Information security for U.S. clients is part of the cost of doing business offshore, said Avinash Vashistha, a Bangalore, India-based project manager for NeoIT Inc., a San Ramon, Calif.-based consultancy whose 62 employees (20 in the U.S.) help U.S. companies move IT operations outside the country in a process dubbed offshoring.

NeoIT worked with 40 U.S. clients that resulted in more than $250 million in total offshore services contracts in 2002. Last year's volume was exceeded in the first quarter of 2003 when NeoIT sent more than $300 million in IT outsourcing contracts offshore.

The steps involved

Security offshore begins onshore, Vashistha said. "None of these companies want us to mention their names," he said, referring to clients that include large banks and financial institutions and about 25 companies in the Fortune 500. U.S. companies moving offshore routinely enter into confidentiality agreements with their Indian service providers to tighten security with a veil of secrecy.

"We have a well-defined planning process that will show the [U.S.] client what can be achieved for cost and quality," Vashistha said. Security is tightly woven into the planning process, which begins with an executive workshop. "At the end of the workshop, senior management is on a level field with their understanding of offshoring."

The workshop gets U.S. companies comfortable with offshoring and stresses security so clients can focus on the potential benefits of the project. The next step in securing the move and subsequent operations is a detailed, four-step planning process "to define what is done onshore and offshore," Vashistha said.

The NeoIT planning processes starts with a U.S.-based team identifying and transferring knowledge for work done in the U.S. This is the dreaded step that has produced numerous examples of U.S. employees training their foreign replacements.

The second phase is an IT portfolio assessment to identify processes and operations suitable for moving offshore. The third step is acquiring the software, hardware and other resources needed for the offshore operation, from both U.S.-based and offshore suppliers. The final phase is the actual operational management, which includes supervision of the offshore program.

Manoj David, a Bangalore-based information security analyst for NeoIT, said his company's well-defined security framework addresses strict U.S. privacy requirements for protected financial and health information.

"We have 23 chapters in our security framework," David said. "The first thing we do is a gap analysis, to find gaps between existing security policies and what will be required for offshore." This analysis helps to determine the client's security readiness and sets expectations for securing the offshore operation.

"The key areas are access control, network security, facilities and operations, and applications security," David said. NeoIT makes recommendations for such security services as "vulnerability assessments from third parties, penetration assessments, external audits, and security process audits, and for policies and tools such as handling of backups and remote access."

Authentication for offshore IT operations is similar to what you see in the U.S., David said. "Currently, we see mostly passwords. Biometrics are very rare offshore, only for selected transactions. Smart cards are used for physical access," he said, adding that public-key infrastructure is typically used only to secure transactions, such as in securely transmitting software.

Wipro IT Services, India's third-largest outsource provider, recorded $670 million in revenue in 2003, with 70% coming from the U.S., Pazhamalai Jayaraman, Wipro's Bangalore-based IT security director, said Wipro has been investing in information security for six years and was the first company in the world to be certified for the 2002 BS 7799 security standard. Wipro's security services include a global consulting practice of 220 employees.

"We were able to minimize the impact of the Code Red and SQL Slammer viruses," containing the infection to less than 5% of Wipro systems, Jayaraman said.

Most U.S. companies do thorough security evaluations and tests for regulatory compliance of their offshore operations before signing service agreements, and periodically thereafter. Wipro conducts two additional levels of audits and tests, Jayaraman said. These are internal audits and tests conducted by Wipro staff and third parties.

"In most of these [customer] audits, we have come out with flying colors," Jayaraman said. "We have been rated best in class in security since 1999 by our customers," when ranked against larger companies including Infosys Technologies Ltd. ($754 million in 2003 revenue) and Tata Consultancy Services (part of the $13 billion Tata Group).

Some offshore concerns

Not all agree that the Indian IT services providers are ready for end-to-end support for large and sophisticated IT infrastructures, particularly those that include mainframes. It's prudent to wait until the economics are more compelling and Indian offshore service providers have matured their services, according to an August 2003 report by outsourcing analyst Stephanie Moore at Cambridge, Mass.-based Giga Information Group Inc.

Moore said many Indian IT outsourcing companies haven't developed the infrastructure, process and knowledge necessary to fully support a sophisticated IT infrastructure. A primary reason, according to Moore, was a 1977 IT industry nationalization by the Indian government. This protectionist act forced multinational IT companies, namely IBM, to withdraw from India and resulted in a shortage of mainframe computing infrastructure and operational skills that persists today.

"Moreover, the expense contribution of labor to total expense [labor expense plus other expenses plus capital depreciation] for IT operations is significantly less than for the application development and maintenance," Moore said, which is almost all labor expense. "The savings from offshored infrastructure will be significantly less than the savings seen from offshored application development and maintenance" when depreciation and other expenses are factored in.

Companies outsourcing end-to-end IT infrastructure operations to India will have to deal with "accountability and responsibility issues" and assume the role of a prime contractor while realizing a savings in the neighborhood of 20%, Moore said. Increased operational risk, weighed against the modest potential expense reduction promised by offshored IT infrastructure operations, "will limit their market appeal in the near term."

India has no shortage of information security skills, however. The International Information Systems Certification Consortium in Dunedin, Fla., which administers the Certified Information Systems Security Professional exam, has 175 Indian CISSPs who have voluntarily registered on its Web site, from a broad mix of both U.S. and local Indian companies. Wipro boasts nine CISSPs, most of whom work in Wipro's security consulting business. China has 465 registered CISSPs, with approximately 90% based in Hong Kong and also representing a broad mix of local and foreign companies.

Prasenjit Saha, the director of Wipro's security consulting practice, said the security consulting business is growing at a 70% annual rate. Wipro is adding 35 security consultants every quarter, almost all boasting security certifications, and agreements are in place with almost all major security vendors. Most of these new employees will be in India, but some will be in the U.S., which accounts for 45% of Wipro's security consulting business, Saha said, with Europe contributing 42%.

Steps to Minimize Risk and Secure Offshore Operations

1. Know your security and privacy requirements before you start.2. Do a thorough security evaluation before signing any agreements that include regulatory compliance.3. Include stringent security measures in the SLA, including periodic assessments, audits and tests.

What do you think? Post your thoughts and see what others have to say in our outsourcing discussion forum.

Special Report

Offshore Buyer's Guide

Stories in this report:


Copyright © 2003 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon