security in outsourcing or cloud-based project: constraints and challenges of the outsourcer

In this 3rd blog post (find part 1 and 2 here), I will focus on the characteristics you want to find to your outsourcer but also on the constraints this one has.

challenges

When developing products and services, an outsourcer will select a set of security controls – technical, physical and organizational – that will apply transversally to all of the outsourcer’s services. This approach creates a baseline for all of the outsourcer’s clients.

Trustworthy outsourcers create a strong baseline and spread the cost of security throughout its client base. You should understand your outsourcer’s baseline and request additional security if your project or business requires it. The outsourcer will then develop a personalized service that satisfies your needs.

In addition, many clients want guarantees regarding their outsourcer’s security organization and operations. Security certifications can and do help in that regard. However, the certifications of the outsourcer must correspond with the needs of the client – it is useless from the client’s perspective to have an outsourcer with an ISAE 3402 certification for remote access facilities if the client is not using that service.

legal issues

Legal obligations are a very touchy subject for outsourcers. Before entering into any outsourcing obligation, you should consider these questions:

  • Does your outsourcer manage private data? How?
  • Will your data be traveling between different regions of the world, having very different regulations?
  • How can you access logs if your outsourcer manages them? How do you investigate specific instances? Are you certain that your outsourcer can and will maintain logs for your required timeframe? What happens at the end of the contract? Log retention and access deserve careful attention.

If the outsourcer is providing you with a “standard” service, you must ensure that all of your legal requirements and obligations are met: you remain accountable in the face of the law.

Last, but not least, outsourcers may be subject to local laws that conflict with your business purposes or may impact the confidentiality of your data. If this is the case, you must ensure that the outsourcer is aware of this situation and puts in place mitigating controls.

audits

There are two kinds of audits in an outsourcing environment:

  • audits performed by the client
  • audits performed at the request of the outsourcer to obtain a security certification

client audit

When implementing an outsourcing project, you may subject the outsourcer to an internal and/or external audit. The requirements of the auditors must be clearly understood.

When an environment is to be outsourced, extra controls may be requested. Some controls may disappear, some may be replaced. This means that when building the project, you must ensure that the outsourcer is able to provide the auditors with the correct information. If you are using a third-party auditor, you must request from the outsourcer the right to disclose sensitive information.

You may not always have the right to audit an entire outsourced environment. The shared environment is usually guaranteed by international certifications. However, if you’ve had a dedicated service built, it may or may not be included in the scope of the certifications. You should clearly state before signing any contract if you require the right to audit and which part of the outsourced services you desire to audit. The Information Security Officer can help to define these requirements at the beginning of the project and all the way through the audit cycle.

There are two forms of auditing.

  1. This first one, the “paper audit,” can provide you with some basic assurances. During this audit, the Information Security Officer will align your security controls and policies with the outsourcer’s policies and certifications. This simple approach is sufficient for non-critical outsourcing projects.
  2. However, more critical ones will require a physical audit. The rights and the conditions to perform this type of audit must be included in the contract.

security certification audit

Auditing has several drawbacks: each client must pay for the audit and each audit introduces a disturbance. Outsourcers will have a difficult time managing all the requests coming in from their clients: each takes time and resources and introduces disruptions within the audited environment.

To avoid this and to reduce costs, outsourcers often apply for security certifications, such as ISAE 3204 and ISO 27001. These certifications provide proof to clients that the outsourcer competently manages security. The client should then ensure that the scope of the outsourcer’s accreditation matches his needs. Sometimes, the accreditation covers only a small part of the outsourcer’s environment and gives a false sense of security to clients. Also, the client should ensure that the certification is an international standard and that the auditors providing the certificate are reputable firms.

Obtaining access to accreditation reports is not easy: the documents are confidential and require a good understanding of the outsourcer’s infrastructure and processes. The Information Security Officer can be an ideal resource to provide this information, however.

Stay tuned for the following (and last) post of this miniseries: I’ll give the missing link between the client and the supplier! ;-)

Michel

crédit photo: © XtravaganT - Fotolia.com

Michel Nolf

I am providing information security officer consultancy for multinational clients and governmental institutions.  Being paranoiac as any security responsible, I am quite relax at home enjoying family. My work has driven me to work with many different cultures that I am so happy to meet during my vacations.

Working in the security for so much time, I have seen the evolution of the mentality but I dream for more. But dreaming is not enough…Let’s work on it!