February 28, 2014
QualiTest's blog discusses the risks of dealing with outsourced data, and how to ensure that this data will be safe.
“Our global landscape is a scary place,” security analyst Chris Coleman recently told NPR. Outsourcing work to any other country around the world, it would seem, is always a data risk; Coleman says that “A hundred percent of third parties showed signs of compromise or indicators of threats.” Truly, outsourcing is an evil practice thought up by heartless corporations who don’t care about your security at all, and will compromise your entire life simply for bigger profit margins. At least, that’s what NPR would have you think about the security of outsourced data.
As a company with offices all over the world, we have an insider’s view of both sides of the outsourcing equation: we work all over the world, imposing our stringent security standards across the US, Europe, Asia, and the Middle East. Someone who reads NPR’s article may assume that our India-based operations are less secure than those in the United States simply due to their location, which is simply not true. There’s an inherent problem with the article: its tone makes it seem like the entire world’s data is in jeopardy, and that outsourcing is to blame for all security breaches. Really, though, it’s much more complicated than that, because the article doesn’t consider the most important part of security leaks: the human element.
Is a suburban road safer than a super highway? Obviously it’s easy to say, “Yes, because people drive fast on the highway, so you’re more likely to crash,” and that’s not untrue; however, the most important part is how people use and interact with the road. If everyone decided one day to start driving at a conservative speed on the highway, but then drove 80 miles per hour on the suburban roads instead, the safety of those roads would obviously plummet. Similarly, it’s silly to say that outsourcing always puts your security at risk; a well-secured outsourced project will always be safer than a poorly-secured local project.
Outsourcing certainly opens up risks, and if you aren’t prepared to deal with them, your data is hugely likely to be compromised; however, there are ways to deal with them to the point where the difference between local and outsourced is much smaller than the difference between well-secured and poorly-secured.
The article also seems to assume that the people your company would be outsourcing to are inherently untrustworthy, and that the ones in your own country are inherently more trustworthy. There are people all over the world who shouldn’t be trusted, and they’re just as likely to work for your company as for the one you’d be outsourcing to. Similarly, Coleman comments in the article that data is safer in the US than in other countries because companies here are legally required to tell their users if data is compromised, and that it’s that level of transparency which makes the companies focus more heavily on security. However, that’s actually fairly irrelevant, because your outsourcing company should be complying with whatever security policies your company sets out. No matter where the outsourcing company is, all that matters is whether or not your own policies comply with the stringent standards in place in the US. If you don’t trust the other company to comply with your security standards, you really shouldn’t be working with them in the first place.
NPR isn’t entirely wrong, though. Working locally does have a higher chance of being secure than outsourcing. If you keep everything in-house, you can be sure that it’s all on the same LAN, and if that LAN is secure, the data never traverses insecure channels. It goes without saying that doing anything over an unsecured network would indeed be less secure. Plus, you can keep better track of the hardware, which removes some of the security concerns associated with the hardware falling into the wrong hands (though that’s obviously going to be a problem no matter where your data is located).
Fear-mongering about the evils of outsourcing does the entire IT industry a disservice, because it takes the focus off of the necessity of good security and puts an undue focus on the physical location of the data. Instead of obsessing over where our data will be, it’s much more important to make sure that it can get to the people who need it in a secure fashion (whether that’s developers, testers, or even end users); it’s defining and complying with strict security standards that will engender confidence in a company’s data.