The recent wave of network outsourcing is causing some business people, and not just techies, to turn their attention to a seldom mentioned aspect of outsourcing — network security.
In the infancy of technology outsourcing, businesses called in experts to manage their data centers. Businesses retained these experts because they promised to manage information technology with greater efficiency and at a lower cost than the businesses themselves could achieve. Sometimes the experts came to the data center; sometimes the data center was moved to the experts. But the concept was the same: information technology was viewed as residing at one or more specific locations — data centers. The challenge was to find the best way to operate and protect a data center.
In the current adolescence, if you will, of information technology outsourcing, businesses call in experts to transform data centers into information networks or to manage and improve existing networks. Information no longer is viewed as residing at a specific location but as comprised of a complex web of LANs, WANs, intranets and even the Internet. As the complexity of information technology has increased, so too have the dangers and opportunities for breaches of the network. Like people no longer huddled within a single fort but strewn throughout myriad distant hamlets, an information system that resides not in a data center but on a network is more vulnerable to attack.
The Need For Security
Recognizing not only the need to guard against such attacks but also their lack of expertise to provide that protection, businesses have begun to outsource network security. One sign of this growing phenomenon is that security and network management firms have been forming specific professional units targeted to providing such services. Some security firms have even been making acquisitions of firewall, encryption and antivirus firms.
While the outsourcing of a specific element of a network (such as security) may gain some adherents, it may not ultimately appeal to a business seeking to hand over its network in one piece rather than piecemeal. Indeed, outsourcing is so appealing to a business because it offers the promise of simplicity. Rather than dealing with numerous software, equipment and network vendors, a business will only have to deal with one entity that takes responsibility for all facets of that business’ network.
As outsourcing gains appeal and undergoes the increased scrutiny that follows any movement of this magnitude, businesses and their would-be outsourcers will need to focus more and more on addressing the securities issues raised by network-centric outsourcing. Here are just some of the issues and solutions that businesses and outsourcers will want to consider:
1. Confidentiality
Businesses will want to draft confidentiality agreements with outsourcers vying for or ultimately awarded their outsourcing contracts. These agreements serve a number of purposes. They put would-be outsourcers on notice that even in the proposal stage, the outsourcer will be privy to confidential information. The drafting of confidentiality agreements also forces participants to wrestle with and arrive at solutions for security issues. And, of course, confidentiality agreements are indispensable in the event a dispute arises.
2. Network Security
Outsourcers themselves will want to gain the necessary expertise to anticipate and/or address security issues. As a start, outsourcers can begin by subcontracting out such responsibilities to any number of firms specializing in network security. As recently reported, numerous security firms are developing consulting services. Over time, however, outsourcers will want to develop or hire their own in-house security professionals. This will be especially true for outsourcers that want to position themselves as able to manage every aspect of a business’ network.
3. Existing Security
Businesses need to be sure that they are adequately leveraging their existing security experts, whether they are employees or consultants. These experts should monitor every step of the outsourcing relationship from proposal to negotiation to the post-contract operation of the network. Similarly, outsourcers will want, from the very beginning, to identify, listen to and adopt procedures that satisfy the concerns of such security experts.
4. Increased Security
For extremely sensitive information, businesses and outsourcers may want to consider developing certain infrastructural solutions that increase network security. One approach might be to build a separate and secure network-within-a-network. While this approach will vary depending on the sensitivity of the information involved, it could make sense to create physically separate networks so that, for example, one network processes administrative information and a separate network processes financial transactions.
5. Internet Security
Businesses and outsourcers that plan to connect a network to the Internet will want to balance any projected cost-savings against the Internet’s own security issues. While businesses can prudently take advantage of the Internet, given recent advancements in encryption technology, they must carefully engineer the nexus so as to protect the confidential aspects of the network. Indeed, a business might not want any connection between its most sensitive information and the Internet. This issue has growing relevance given the recent trend of Internet Service Providers (ISPs) offering ‘applications hosting,’ which allows companies to save finite computer space by placing applications off-site, often on an ISP’s server.
When planned well, outsourcing allows a business to focus on its core competencies and not to try to master technologies that are both maddeningly complex and ever changing. When planned poorly, it is a wrenching disruption that consumes resources but yields little efficiency or cost savings. Businesses are wise to approach outsourcing, then, with the same circumspection and diligence that they would employ for any critical decision. Outsourcers, in turn, would do well to understand that businesses will need and expect a heightened level of service. Would-be outsourcers may find that their approach to network security, the most sensitive of issues, will irrevocably determine how their client perceives them. The lesson is clear: when seen as a long-term relationship between partners, rather than a commodity sold between merchants, outsourcing can be what it is — one of most profound and profitable business strategies in decades.
Richard Raysman is an attorney with the New York firm of Brown Raysman Millstein Felder & Steiner LLP.
Lessons from the Outsourcing Primer:
- The complexity of the network-centric environment creates new challenges in security.
- Confidentiality agreements document the fact that outsourcers will be privy to confidential information and force participants to deal with security solutions.
- Although outsourcers can begin to address security issues by subcontracting those responsibilities, they will need, over time, to develop or hire their own security professionals.
- Businesses should be sure to leverage their existing security experts and involve them in every step of the outsourcing relationship.
- Security for extremely sensitive information may require infrastructural solutions, such as the network-within-a-network approach. Utilization of the Internet also presents increased security challenges.
