Security in software outsourcing
May 07, 2015
One of the first things that comes to mind when thinking about outsourcing a software project is data security, and that is exactly what we're going to cover today.
Outsourcing started to rise in the mid '80s, driven by companies' need to shed non-essential processes (so they could focus on core activities), cut costs and improve production quality. So instead of having, for example, an in-house software development department, some companies decided to delegate this work to an external provider that specialized in the area.
Is software outsourcing secure?
Over the years, the software outsourcing market has evolved rapidly, and now entire projects are being outsourced to third-party software companies; naturally, this has raised security concerns among prospective customers. With that in mind, what are the main security concerns out there?
1. Physical security – Although not as prevalent as the other threats listed below, physical security can still pose a problem: laptops, PCs, servers and hard drives that contain important data can be stolen. This can be prevented with security measures such as alarm systems, video surveillance cameras and locked server rooms. So nothing new here...
2. Logical security – Outsourcing a software project gives the third-party company access to a range of information about the customer's infrastructure, security measures and internal resources. Protecting this type of information can be done fairly easily by requiring the outsourcing provider to follow strict contractual obligations (which also include enforcing and maintaining well-documented information control procedures).
If this is too vague, here's what I mean by "information control procedures":
- Using a proxy application that restricts inbound and outbound traffic and allows only the ports that are actually needed (port 80, anyone?)
- Preventing or restricting the use of USB storage devices
- Regulating remote work through strict access procedures (if the provider has a work-from-home policy)
- Updating credentials on a periodic schedule (and also in particular situations, for example when an employee leaves the company)
- Continuously monitoring direct internet connections
3. Legal consequences – "Outsourcing involves two entities entering into an extremely intimate commercial relationship... which in itself is a recipe for legal complications." One way of reducing the risks of such a partnership is to sign an NDA (more details below).
Overall, it's quite obvious that every company is exposed to such security issues (even if it does not outsource any project!), as demonstrated by the recent Sony hack, which resulted in a huge theft of confidential data and cost Sony over $15 million (plus MASSIVE reputation damage).
Looking for a secure outsourcing partner?
Having covered the above security concerns, we should now determine what characteristics a software company should have in order to be considered a reliable software outsourcing provider.
In an outsourced environment, the customer is no longer in direct control of the IT functions, so the outsourcing provider must prove that it maintains certain procedures and controls that secure the customer's needs. In this respect, third-party security certifications (such as ISO 27001 or ISO 20000) are definitely a plus for any software outsourcing company.
Another way to ensure that things go smoothly is to make sure the software outsourcing provider is willing to sign an NDA (Non-Disclosure Agreement). Such an agreement greatly benefits the customer, since the outsourcing company is legally bound to comply with it, and this in turn greatly diminishes the probability of running into an unfortunate situation. For example, European Union countries have a strict body of law which, in combination with legal documents such as an NDA, will secure the intellectual property of the customer.
Last but not least, the customer should look for an experienced software outsourcer, one that has proved itself in the past by providing reliable outsourcing services (and can present a portfolio that reflects this).
It's clear that there are many procedures and legal means through which a software outsourcing company can guarantee security for its customers, and considering the above, it feels like an overstatement to say that software outsourcing is not secure. What is your opinion on that?
Source: Gay, Charles E.; Essinger, James. Inside Outsourcing: The Insider's Guide to Managing Strategic Sourcing. London: Nicholas Brealey Publishing, 2000.