Outsourcing – Potential Security Nightmare?
by TJ Dale - Managing Director of ArmourSoft - Tuesday, 24 June 2003.
The outsourcing graveyard is littered with companies that ‘almost’ took the plunge. A recent case in point involves a major British performance-car manufacturer that had conducted an evaluation demonstrating an almost overwhelming case in favour of outsourcing. Then at the last moment they got cold feet, simply because they were reluctant to hand over their business strategies, details of their future models or their research and development to another company. The risk was too great.

To put a figure on the problem, an IDC report asking top company executives about outsourcing reveals that 87% believe that security is the dominant issue. In more than 50% of instances where companies pull back from the outsourcing decision, it is simply because of the security exposure.

Where’s the problem?

In fact, it is dangerous to assume that the problem is unique to outsourcing; companies are equally vulnerable internally. Today, every organisation’s life-blood information is stored electronically, and by whom is it then administered? Typically, their corporate information is routinely backed up and administered by an 18-year-old. It is hardly surprising, therefore, that most board members keep sensitive information - acquisitions, mergers, potential redundancies, poor company performance and so on - on their laptops as a rudimentary protection from prying eyes. Stated simply: whoever has administrative access to the infrastructure has access to the data content. In all currently available systems – everything from mainframe legacy systems to fileservers and client workstations – whoever has administrative rights to the operating systems has access to the data content. Even using Microsoft’s Encrypting File System (EFS), if you are an administrator of the operating systems or the domain, you either have automatic access, or can get access, to the data content, encrypted or not.

This is no third-division technical issue. It is not simply a case of the network (be it outsourced or in-house) being vulnerable – we’re really talking about the future of the whole company being vulnerable. Outsourcing simply brings the problem into focus.

What’s the solution?

What is desperately needed is a wall between the administration of access to data content and the administration of the IT infrastructure and operating systems. In fact, such a wall is possible. Inevitably, the first step is encryption of all data for individuals or, possibly, groups of users. Next comes ownership and control of the encryption ‘key’. Generation of encryption/decryption keys, as well as end-user assignment and the recovery process, has to be divorced from the IT department, whether systems are outsourced or not.

