Friday, March 7, 2008

Outsourcing: Data Security’s new untamed frontier

March 7, 2008

By Frank Teruel, CFO, Vormetric Inc.

Lost to the almost unanimous enthusiasm over the economic benefits of outsourcing and off shoring, is the harsh reality that sensitive data is leaving the trusted confines of your paternalistic and protective IT environments and embarking on a journey fraught with peril. Your sensitive data may well travel to environments where loyalty to your data and customers is not certain, where data is a soft target, and where recourse is sadly often nothing more than marketing spin by jurisdictions or companies anxious to solicit your business. Yet, it is impossible to ignore the economic reality of outsourcing. Accordingly, prudent executives must factor in the hidden costs associated with potential data breaches. After all, what good is realizing economic benefit which may be more than offset by significant data breach costs, diminished customer loyalty, and the lasting digital taint prominently displayed to any affected or potential customer astute enough to do a Google search? Candidly, any benefit may pale in comparison to the hidden costs resulting from cavalier data practices by your chosen outsourcer. The answer to this data security/outsourcing conundrum is actually quite simple – make sure that your data security policies and solutions travel with your data and that you factor in the potential cost of a breach into your deliberations.

Paper Contracts and Empty Promises

Many outsourcers that recognize the impact of data breaches and are reluctant to make the salient investments in true data security solutions, have instead sought to calm executive’s anxiety with lofty contractual promises dressed in the form of impressive indemnity provisions and guarantees. “We ensure that our employees sign confidentiality arrangements” and “our employees are monitored daily to ensure the integrity of your data” is the common mantra of many outsources. Some even tout the fact that their employees are bonded. Regretfully, such grandiose gestures and contractual promises are often not worth the paper on which they are written. The rub is that enforcing these protections is no small matter. Moreover, even if you can enforce them your data has already leaked and the damage to your company may be incalculable and insurmountable. How do you compensate for the loss of critical intellectual property which is the lynchpin for your next product line or the foundation on which you have built your competitive differentiation? How do you console a customer whose medical records have been compromised? How do you explain to a level-one merchant that their payment card industry data security standards (PCI-DSS) efforts have fallen short because the outsourced call center that was recording their customer support calls lost media files rich with personally identifiable information including credit card numbers? The harsh reality is that the damages often far exceed the amount of compensation available through the contract. Equally daunting is the consternation that you will face as the steward of your customers’ data in the event that it is mishandled in faraway places. As an executive intent on realizing the outsourcing boon, you must insist on more than paper promises to ensure the security of sensitive data…you must have complete confidence that your data is as secure abroad as it is at home.

Trust but verify

Such confidence cannot be borne through paper alone. Rather, executives must insist that their outsourcers adhere to a consistent and robust set of data security practices. Moreover, outsourcer data security policies must be tested and validated ensuring the appropriate level of accountability and governance in the relationship. In a very real sense, trust the contractual promise but verify its implementation and insist on congruent data practices both at home and abroad. At a minimum, your contract should specify that any Payment Card Industry (PCI) data, Personally Identifiable Information (PII), patient records, intellectual property in digital form, or any other data that you or your customers deem sensitive must be encrypted and subject to robust access control. The salient point here is that only those individuals with a need to access and work on your data should be allowed to do so. Further, insist that the outsourcer deploy the same data security infrastructure that you have at home. Any outsourcer serious about developing a long term relationship with you will not baulk at protecting your data with equal, if not more rigorous, diligence. Finally, ensure that appropriate governance procedures are incorporated into your contract including, quarterly reporting of the state of your data, who and what accessed it, and whether any data leakage occurred.

Data Security Ecosystem

In so doing, you are taking the first important steps in creating a consistent data security ecosystem so that your data remains secure irrespective of where it travels. Bolstering the contract is a critical step. However, creating a congruent data security environment is integral to ensuring that data security is a consistent and persistent attribute of all of your data and thus protected irrespective of how it’s used and where it lives. Your ecosystem must contain the following elements:

· Ongoing Data Sensitivity Analysis to ensure that the all data that is sensitive to the organization is designated as such and subject to appropriate use rules.

· Data Security Policies that are authored and managed at home while enforced in the outsourcers environment and on their host machines. This step is critical in ensuring appropriate separation of duties with respect to data security policies and instilling appropriate data governance into the relationship. Authoring the policies at home ensures that your security administrator is creating the rules by which your chosen outsourcer can access and use your data.

· Strong Access Control enforced with high-performance encryption. The data policies will determine which users can access data. All other users or unauthorized applications are prohibited access and data is never in the clear so that in the unlikely event of unauthorized access or even loss of archived data, the data remains encrypted and unreadable.

· Scalable Nonintrusive Solutions that can function irrespective of data and application type. Few outsourcers will agree to solutions that will necessitate customization of applications or significant changes in how they do their work. Creating an ecosystem standard that is application and data type agnostic will ensure that your data rules are transparent and not an impediment to productivity.

· Timely Unalterable Reporting that captures all attempts to access the data and reports those attempts to your governance team. Ensuring that the logs are recorded in an encrypted fashion away from the outsourcer’s environment will mitigate the tamper risk associated with logs that are in the clear.

· Auditing to intermittently challenge the integrity of your data security ecosystem to ensure that the policies in place continue to satisfy the use case and the security needs.

Data Security – Don’t leave home without it

Unquestionably, the challenges associated with data security are magnified in an outsourcing environment where data is no longer within the trusted confines of your organizations. The risks of unauthorized access and use of data are real enough at home and only greater abroad. Yet, combining strong contractual mandates with an extension of your security ecosystem to the outsourcer will help mitigate the heightened data breach risk in any geography. The bottom line is that if your sensitive data is important to you and your customers, you must protect it. Before jumping into any outsourcing relationships, consider the potential cost of a data breach, wordsmith the outsourcing contract to ensure requisite protection, and extend your data security ecosystem to ensure congruity both at home and abroad. Your data is important…don’t allow it to leave home without its personal security.