To put a figure to the problem, an IDC report asking top company executives about outsourcing, reveals that 87% believe that security was the dominant issue. In more than 50% of instances where companies pull back from the outsourcing decision, it is simply because of the security exposure.
Where’s the problem?
In fact, it is dangerous to assume that the problem is unique to outsourcing; companies are equally vulnerable internally. Today, every organisations’ life-blood information is stored electronically and is then administered by whom? Typically, their corporate information is routinely backed up and administered by an 18 year old. It is hardly surprising, therefore, that most board members keep sensitive information - acquisitions, mergers, potential redundancies, poor company performance and so on - on their laptops as a rudimentary protection from prying eyes. Stated simply: whoever has administrative access to the infrastructure, has access to the data content. In all currently available systems – everything from mainframe legacy systems to fileservers and client workstations – whoever has administrative rights to the operating systems, has access to the data content. Even using Microsoft’s encrypted file system (EFS), if you are an administrator of the operating systems or Domain, you either have automatic access, or can get access, to the data content, encrypted or not.
This is no third division, technical issue. It is not simply a case of the network (be it outsourced or in-house) being vulnerable – we’re really talking about the future of the whole company being vulnerable. Outsourcing simply brings the problem into focus.
What’s the solution?
What is desperately needed is a wall between the administration of access to data content and administration of the IT infrastructure and Operating Systems. In fact, such a wall is possible. Inevitably, the first step is encryption of all data for individuals or, possibly, groups of users. Next, comes ownership and control of the encryption ‘key’. Generation of encryption / decryption keys, as well as end user assignment and the recovery process have to be divorced from the IT department, whether systems are outsourced or not.