"We will see a dramatic change in security becoming a prevalent component of outsourcing contracts over the next five years," says Jim Motes, Chief Information Security Officer for Dell Perot Systems. As virtualized services in cloud and utility computing technologies become more ubiquitous, they will drive an even deeper focus on security. A virtualized environment will become critical to achieving cost savings, but Motes says it also makes it easier to manage data.
"We're in a unique position now to architect infrastructure, storage, networking, etc. in a very different manner that is more secure than today - but only if we go down this path properly and quickly enough," states Motes. He predicts that the pace of developing solutions for security will change. "To date, new technologies always outpace the security industry; building in security and closing all the back doors typically occurs long after users widely adopt new technologies. But that must change; as technologies expand, our capability to protect data has to expand with the technologies using it."
The pace and scale of change that needs to occur in security makes outsourcing a highly beneficial solution. Motes discussed two areas as examples of where the need for innovation in providing security solutions will increase over the coming years: mobile computing and Internet traffic.
The ability to transfer huge amounts of corporate data to mobile devices has increased the amount of very critical conversations, contracts, data, and other information that people exchange through mobile computing capacities. Over the next five years, more companies will turn to outsourcing as the most effective way of managing mobile devices, from governing the way they encrypt information to remote monitoring and assuring compliance with company and industry regulations, says Motes.
As people's lives become more connected through technology linkages at their home, in their car, through their mobile devices, and the office, it presents opportunities but also poses risks for data leakage. Since iPhones are not secure, should companies block their employees from pulling their mail from the BlackBerry server to an iPhone? Or consider this: could someone hack into a car system to hack into the BlackBerry and pull data down? Motes poses these questions as some of the considerations that companies and outsourcing providers will need to consider in how they handle the security problems arising in the next few years from mobile computing blurring the lines between enterprise data and employees' lives.
Motes points out two other aspects of mobile security for outsourcers as people move further away from desktops: the provider's own data and the data it manages for its clients. "If they don't have programs already in place, service providers must build this mobile computing security now. If they're not careful to build this into their models, they will face exposure and some sort of downstream liability with their clients and others who suffer losses through the provider's security negligence." This is an area that outsourcing providers will focus on heavily over the next five years.
Intelligence around Internet traffic
The other aspect that Motes says will be a huge component in security for outsourced services in the future is the use of intelligence around malicious Internet traffic. Today, companies push inbound and outbound traffic through the same funnel. But leading companies are starting to look at how they can analyze traffic according to destinations, sources, targets, etc. and determine the risk of allowing that traffic to interact with a company's systems.
"In the future, we will be able to analyze traffic by the risk score associated with a particular IP address," Motes explains. Let's say, for instance, that the margin for risk that Dell Perot Systems establishes for itself as a service provider is 700 or that its client establishes its threshold at 700. If inbound traffic arrives from an IP address with a risk score of 300, the service provider would treat data from that IP address differently. "We would treat some addresses and destinations as higher-risk entities and give them a deeper, more thorough look before allowing them to interface with our systems or our client's systems," he states.
Motes says Dell Perot Systems is now talking with a technology partner that has the capability to identify that type of Internet traffic today and discussing how to bring that capability into the provider's outsourced services in the next few months. Dell Perot Systems will work with clients to set up their risk threshold and determine at what point the provider should kill the traffic or at what point it should allow the traffic through after thorough filtering.
"I believe that this type of service is going to be a very, very important aspect of governance and risk management for outsourced services and for transferring data over the Internet," says Dell Perot Systems's CISO.
Though providers will need to invest millions of dollars to provide this capability, Motes predicts that scrubbing data and providing intelligence around Internet traffic is a capability that will become standard with outsourcing providers in the next five years. The cost to deliver this service will require a cash outlay that is prohibitive to many companies, but an outsourcer can split some of that investment in a leveraged model where clients pay only a fraction of the cost.
Some credit card companies and ISPs already block traffic from certain geographic regions where there is a lot of fraud. However, Motes says the tools in place today are not adequate. "They're best practice today, but they can't keep all the malicious traffic out," he warns. He cites an incident with a client that saw outbound traffic to another country and notified the provider. "When we checked it, we found malicious traffic buried within it that an intrusion detection system never would have caught."
"The entire outsourcing industry - and all businesses -- needs to take a more analytical approach to looking at Internet traffic. If we don't identify where risks are, there will be some breaches," says Motes. "We're going to have to start making very intelligent decisions far up front, instead of just looking at packet signatures, if we want to keep the Internet functioning 10-15 years from now. The industry needs to apply a more microscopic view against risks than it does today."
Crucial security considerations in selecting a service provider
Motes advises buyers to consider the following request for proposal (RFP), due diligence, and selection criteria when looking at the security capabilities of a service provider.
- Make sure the RFP includes security language that specifically outlines what the buyer needs and expects from its outsourcer. Obtain advice from a third-party consultant with expertise in security, if necessary, to recommend what the buyer will need from a governance and risk-reduction perspective.
- Choose an outsourcing provider that will conduct a baseline assessment of the buyer's current and future security needs and develop a plan that will fit those needs with the buyer's business model and objectives. Don't allow a provider to embed a blind security proposal into a contract.
- Make sure the language about security needs and expectations is explicit in the contract and leaves no ambiguities that can cause either party to make incorrect assumptions in the future.
Further, if the provider will deliver its services from the cloud, the buyer needs to make sure its due diligence includes assurance around the security of the cloud solution. Motes warns:
- Ask questions to find out what the provider has done around security. "Don't assume an application or tool is safe just because somebody put it in the cloud. A lot of niche vendors provide excellent software, but it has vulnerabilities built into it because the vendor didn't consider security up front. Buyers should be extremely conservative before putting faith in pushing their data out to a cloud site or allowing access into their systems based only on the functionality of an application."
- If the buyer needs to determine the security around a vendor's code, a good resource is Fortify 360. This company will analyze a vendor's code for security risks. For buyers that are smaller companies or are in a tighter time frame for their decision, they should at a minimum do research on news or technical reports about the security vulnerabilities associated with a vendor or its product.
If a buyer can't verify that the solution it wants is secure, Motes advises the company to look for a different solution. The only exception would be if the buyer is pushing non-confidential data into or receiving it from the cloud or a shared-services environment. "If you're dealing with any protected data where you would have to disclose a breach, it poses a risk and you need to be more diligent and focus on security more than the other aspects of an easy-to-access service."
Lessons from the Outsourcing Journal:
- The pace and scale of change that needs to occur in security makes outsourcing a highly beneficial solution. Over the next five years, more companies will turn to outsourcing as the most effective way of managing mobile devices, from governing the way information is encrypted to remote monitoring and assuring compliance with company and industry regulations.
- During the next five years, outsourcing providers will focus heavily on ensuring they build security into their solutions so they don't face exposure and downstream liabilities regarding their own company data and their clients' data.
- Scrubbing data and providing up-front risk intelligence around Internet traffic is a capability that will become standard with outsourcing providers in the next five years. The cost to deliver this service will require a cash outlay that is prohibitive to many companies, but an outsourcer can split some of its investment in a leveraged model where each client pays only a fraction of the cost.
- Buyers and providers need to ensure the language around security needs and expectations is explicit in an outsourcing contract and leaves no ambiguities that can cause either party to make incorrect assumptions in the future.
- Buyers should never assume a cloud or shared-services solution is secure. A lot of excellent software has security vulnerabilities because the vendor did not consider security up front. Be sure to ask questions to find out about the code and security.