Three Questions to Ask Before You Outsource

Recently, I’ve read a number of reports on IT outsourcing. From those reports, one clear thing has emerged: North American companies have begun to outsource a part — or all — of their IT more in the past two years than they have at any previous time.

Despite its popularity, security issues exist with outsourcing; to avoid trouble down the road, a proactive, thoughtful and thorough approach at the beginning of the process usually helps.

My company works on Internet security and infrastructure issues, so keeping data safe and secure while also accessible is always top of mind for me. And when it comes to outsourcing IT, security should be front and center for you as well. If your company is moving to an outsourcing model, you need to ensure that all functions to be outsourced are discussed, defined and documented, especially in relation to privacy, backup and disaster recovery. It’s critical to have in-depth discussions about these topics with any outsourcing provider on your short list.

Risks of Outsourcing

Privacy

Legally speaking, once privacy is gone, it’s gone. If your data is shared with the world, your corporate privacy cannot be rectified or retrieved. Establishing clear responsibility for its protection is well worth the time required at the initial stages of outsourcing.

Privacy of corporate data is a complex subject. It’s vital to establish who will have access to your data, and that conversation is one that touches on both technical and legal issues. If you’re outsourcing to the cloud, which is often a given in today’s outsourcing scenarios, does that mean law enforcement can access your data since it’s technically in the “public sphere”? If so, under what circumstances? If your data is private and confidential, what can you do — if anything — to protect it? Your legal advisors need to help you and your providers measure liability against risk. And your technical team should demand a detailed explanation of what the provider puts in place to enforce privacy policies.

If you’re outsourcing, you’re likely using shared resources, and that means there is shared risk. For example, if hackers access the data stored by your provider, what happens if those hackers discover your data and inflict collateral damage against you? While that’s an extreme example, most outsourcing scenarios will involve more people than before having access to your data.

Backup

How do you currently handle your company’s backup needs? Today, you likely have in place corporate-wide rules, policies and procedures. So, before you settle on a particular outsourcing provider, make sure their backup methods align with yours. An especially important point is the issue of external devices. If your vendor backs up to external devices that are then shipped offsite for storage, you are faced with a risk of losing your data physically in transit. And it’s possible, depending on the type of data being stored, that someone could access it while it is shipped across town on a disc. To avoid these possibilities, you need to understand how external devices are kept safe and secure while in transit as well as in storage.

Disaster Recovery

Another critical topic to discuss with your outsourcing provider is disaster recovery. Many first-time outsourcing users assume that the cloud resolves disaster recovery issues. That, unfortunately, is not true. The cloud can crash. And if it does, you’re out of luck unless you have a copy of your corporate data. In fact, getting a copy of your data on a regular basis – monthly, daily or weekly – allows you to be prepared for disasters, such as a catastrophe in the cloud. It also helps ensure that you can quickly change outsourcing vendors if the need arises.

Another item to consider under “disaster recovery” is how your outsourced services are bundled. Outsourcing providers may offer a set of services as a bundle to increase customer loyalty; users of outsourced services are often glad to take advantage of the cost savings that come with bundling. Although the cost savings make sense, be sure to ask if your provider has procedures to address cross-functional failures. Your company may be able to tolerate a potential failure, but it may not. In these circumstances, it’s important to determine ahead of time what level of failure you can tolerate rather than discovering your tolerance level in the midst of a failure.

For example, at my company (Afilias), we have different network connectivity for each communications channel like video conferencing and email. That way, if our internal network were to have an issue, our customers would not be affected since we’ve designed our systems expressly to not be tied together. When things are tied together, they can fail together. While outsourcing has many benefits on logistical and economic levels, making sure you understand how your provider parallels — and differs from — your IT model will help ensure your company gets the most from outsourcing.
