Are you interested or involved in decisions about using outsourcing and web-based applications?
Then this business-oriented (i.e. non-technical) post is for you.
How to define a contractual minimum level of security, with some examples.
Let me explain: not simply outsourcing, but also SaaS (Software as a Service).
If you do not understand what I mean, it is like GoogleDocs: the idea that you do not install software on your machine, and instead use a website both to give you the software and to keep your documents.
A wonderful concept.
And I totally subscribe to it.
But…
Actually, if you look at my CV, you will see that I have been working with outsourcing companies and have negotiated/managed outsourced services from the early 1990s until 2007.
So, maybe, I know a little bit about it.
And I have seen how it evolved, at least in Europe, before and after the Internet.
Let’s see my first point: I consider outsourcing not simply a technical choice, but a structural approach.
Because, as soon as enough time goes by (usually, a couple of years is more than enough), you will lose inside your organization the capability to go back immediately, if needed.
But you can read some 20 pages that I wrote about strategic outsourcing (again, from a business perspective) a few years ago here.
I mean that you lose people, support, technology, infrastructure: anything, from installing the software to, often, the hard disks on each desk to store the software.
If you share online irrelevant information, it is fine: one piece of information is just a piece of information.
But load tens (for a small organization) or thousands of documents, and you are actually putting, on a machine managed by somebody you do not know, a profile of how your organization works, thinks, processes information.
And makes decisions.
My solution?
Well, if you are a large company, with a large outsourcing supplier, it is easy.
You define with them rules as simple as where they can keep your information, and who can see that information, including at the technical level.
But if you are a smaller company, or if you are using the services of a supplier large enough that the only offer you get is a standard offer, then you, the decision/policy maker, and not those who execute, should make a choice.
One step back: some of my first experiences in information management were in politics as a kid, where I had to see what I now call “compartmentalized” information, preliminary to discussions.
Then, in the Army: nothing that serious, but still following some strict trace-and-store-and-destroy-or-return etc. rules (it was pre-computer).
Then, in banking, where we had to sign off and receive a signature just to carry out some computer printouts and data to build models.
Then, in many other industries, as part of my model-building activities for controllers, marketing managers, etc.
Years ago, when the “SaaS” industry was in its infancy, thanks to my experience in large-scale outsourcing and project management (and not because I am a fortune teller or smarter, just experience), I saw a worrying trend.
I supported many startups, and had in my drawer plans for some more that I would like to “seed”, if I ever obtained a partner able to fund the activities.
Every time I asked a SaaS supplier about security, they said that they had a password and PIN system, or that they were using other ways to build a secure communication channel.
But user-side, pre-sending encryption (i.e. sending information that is already encrypted)?
And server-side encryption that made content inaccessible even to technicians?
At best, it was considered overkill.
And this was before companies started using huge “server farms”, i.e. delivering just a service, while using the computing and telecommunication infrastructure of a third company.
And I saw it, by chance, from both the customer and the supplier side.
The trend? Mainly a run for the cost-cutting target.
So, some companies, to get critical new software (say, a data analysis and simulation tool) signed up for contracts with an external company that would receive their hyperconfidential information (e.g. on financial/asset management).
And gave back some analysis, usually via a web browser (yes, with a secure connection).
Fighting for price-cutting and market share, companies would, in turn, outsource their infrastructure to other companies, who would in turn consolidate into even larger companies…
The point being: if you outsource to cut the cost of time-to-market, are you really confident that you can keep tabs on who has access to your most sensitive information?
See the article on outsourcing.
Why would you deliver sensitive information to an outsourcer or SaaS company?
Well, e.g. to use today a financial/asset management package, instead of waiting for an in-house project that tries to replicate what is already available on the market.
Moreover, the cost will be lower than a budget allocation that would require entering the authorization process, allowing you to “fly below the radar” and pay just a monthly fee.
It is a business model that you can now find everywhere, from GoogleDocs to plenty of online services.
My solution?
I designed and built a software structure (for the more technically oriented, an application and data storage framework using OpenSource languages and databases).
It was based on a two-part encryption key (if you are a security expert, please ignore the over-simplification), plus a way of storing the data that would have masked the database content and structure from even my own provider.
Because, of course, I have outsourced all my online infrastructure since 1997.
I never understood SMEs who keep their e-mail and web servers in house.
The human and technical resources, and the risk that they are importing into the organization (e.g. losing the connection), are staggering, and justified only if you have enough volume, or deliver a service to others.
To test the environment, I created a community for former colleagues, ComshareNoMore.Com, with a “dashboard” to see how much new information had been provided since the last connection and other community services (internal messaging, etc).
The data storage? Using my encryption and “spreading” method, the storage masked the data and the content even from me.
But I did not tell the roughly 150 users about this feature: I wanted to see how the system, built on and using only outsourced OpenSource software, would fare.
Eventually I created a website called “doubleblinding.com”.
“doubleblinding” is a term that I derived from clinical research: it mainly means masking from both the patients and the doctors the information about who is getting what in a clinical trial, to avoid influencing any of the participants, including the medical staff.
But I did make an unfortunate choice: it was not long before 9/11 that I defined the service.
And, as my service would have “blinded” even me from the content and identity of the parties involved (that was my purpose: to allow secure and certified transactions between unknown parties), I risked being in violation of a staggering quantity of regulations.
So, after asking for advice from a banking and former CID contact in the UK, I decided to shelve the service: it never started.
After reading this short post, you should now have a clearer perspective on all the issues and potential pitfalls involved in outsourcing or SaaS, but also the benefits.
And now, my suggestion is simple: if you outsource with a party that you do not control (i.e. if you are just a customer), or use a SaaS:
- read the contract details (for simple online services, most people don’t)
- insist on obtaining not just a password or PIN, but a system that does not store, in any way or form, any part of your key: you will have to enter it each time, but only after a secure communication channel has been established (by whatever means)
- check that the contract gives you a formal assurance that the data are stored in an encrypted form, and that they cannot recover your data if you lose your identification key; this seems to be the opposite of what you want, but it is actually what you need in order to have secure data storage
- require resources to extract (“export”) immediately all your information any time you want to leave the service, at no additional cost, in a format that can be used with other systems (e.g. SQL, CSV, XML+DTD); this will also allow you to personally keep a copy of the data locally
- verify whether, for additional security, instead of extracting data unencrypted, you can be given access to an option to export the data as they are on their side (i.e. encrypted), and then use a simple piece of software that does not require installation, in which you can enter, anytime and anywhere, your authentication information and obtain a decrypted extract
For this last point, I proposed and delivered to a customer in the early 2000s a USB-based application that did not require any installation.
It could connect to a mainframe database, extract the data, store it locally and, when needed, export information to a location where the mainframe could process it.
Right now, the encryption/decryption part of those features is available on any USB key you buy that is marked “secure” somewhere on the box, i.e. one that contains software to keep your data secure, or to remove any stored data in a secure way.
I simply do not understand why this kind of service is not commonly offered.
I saw plenty of discussions about the “cost” of leaving a SaaS provider.
Well, if you are a SaaS company, think about it- could be a nice option for some applications.
All these requirements are, in my opinion, the bare minimum to avoid any embarrassing loss of confidential information, and ensure that you can continue business-as-usual activities, also if you switch suppliers (what is called “business continuity”).
Also: to stop embarrassing cases of USB keys (that now can contain tens of gigabytes) lost with confidential data “en clair”.
Moreover- consider that, in most cases of outsourcing or SaaS involving sensitive information, without this minimal set of protections, your risk increases.
As you will have a low-paid employee of an unknown company in a low-wage country, providing technology or infrastructure, with the capability to consolidate information that not even your own highly paid employees would be allowed to join or share.
If you do not believe me: I repeatedly discovered, in many customer sites, that, once inside a network, I had access to information through technical access that normal employees would not have had: and this is the standard in most organizations.
Usually, when I alerted on the issue, I discovered that the problem wasn’t technical, but organizational: who knew the technology did not know how to communicate with who knew the data, and the result was a misalignment of security.
In the old times (1990s) there was a book called Orange book (a.k.a. TCSEC), with a nicely listed table of levels of security- and, in the free-for-all first few years of Internet, you could easily find it online.
More recently, you can refer to the ISO 15408.
As an introductory document, I suggest reading the Wikipedia.Org articles linked above and, if you have time, also reading ISO 27000 (the introductory security standards are available for free from the ISO website).
If you want, my software applications consider C2 the bare minimum for any business application, and suggest building a B2 level into the software for business-critical or sensitive data.
To simplify: for really sensitive information, data should be stored in a way that not even a nosy DBA can read the content or understand its structure, but there is also a separation between the operator and the administrator; and the “minimum” requirements imply that you keep track of access.
In some countries, it is actually a legal requirement to keep all electronic communications (as I started doing from 1993, when I first became a freelancer, and did before that when my employers provided the resources).
Electronic communication is not just e-mail: consider how many files are nowadays never printed, and move from person to person via a USB key.
Personally, I consider USB ports a security hole in most companies: they have all the passwords etc., but when a USB key is connected, it allows copying anything that you can see on the screen.
If you think that this is paranoid, think again.
In most SMEs and software companies I worked with, the trend in managing the resignation of a marketing director or sales manager was to remove their access as soon as they resigned, without waiting the usual 2 to 6 months.
The reason, I was told, was to avoid the relevant people leaving the company with the customer list or rolodex.
Despite all our online activities, and all the brouhaha about going “virtual”, or certifying toward security standards (e.g. 27001), all the layers of additional communication and standardization actually made it more complex to keep data where it should be.
As in the movie “The Recruit”: security is way too often about protecting from the outside, not from the inside.
Therefore, if you use external suppliers (but, in some cases, also on internal systems) ask for and obtain the minimal list of protections that I wrote above.
The worst-case scenario is: you will know which risks you have identified, and you will be able to plan accordingly to keep those risks under control.
Tags: 14508, 27000, book, common, contract, criteria, google, googledocs, infrastruc, orange, outsourcing, saas, secure, sensitive, service announces, software, tcsec