T.K. Chary formerly served as COO of Wissen Infotech (MATRIX Offshore) and was responsible for ISO Quality, Security and Compliance initiatives. He was instrumental in obtaining the ISO 27001:2005 and ISO 9001:2008 certifications for the offshore units and in addressing the FDA compliance requirements of a major healthcare client of Wissen, thus enabling delivery of the client's mission-critical validated transactions from offshore. He has 35+ years of experience in the software industry and has held various management and technical roles during his lengthy and illustrious career.
Information Security Trends in Availing Offshore Services
To remain competitive in the market, many organizations use offshore IT services to take advantage of benefits such as low costs and time zone differences.
While leveraging the economies of scale and technical expertise of the vendor, an organization needs to make sure that the outsourced IT project or service to offshore does not introduce security problems or vulnerabilities to the already-functioning internal systems, business processes and operations.
The question that remains is whether to outsource or not, and whether offshore is a practical option. Luckily, access to high-speed Internet and availability of a skilled, English-speaking workforce in low-cost countries like India has tremendously improved the viability of offshore services as a cost-effective alternative to in-house or offsite services without compromising on quality.
Information Security is one of the major concerns when outsourcing offshore. However, with the latest trends in technology and improved processes, an organization can mitigate the risk of security breaches very effectively.
One of the major improvements among offshore vendors such as Wissen Infotech (MATRIX Offshore Partner) is that they are increasingly aware of the need to address the security concerns of their clients, and most of them are obtaining ISO 27001 certification. The standard, known as ISMS (Information Security Management System), requires a set of controls to be installed at the vendor's offshore units based on a detailed risk analysis covering physical, logical, network and information security risks; mitigation consists of implementing the ISO controls and guidelines appropriate to the risks identified. Since we are an ISMS-certified company, the security risk of the outsourcing organization is cut to a bare minimum. Organizations can also exercise their right to audit the vendor's security systems and processes, and can agree on SLAs addressing the prevention and correction of security breach incidents.
Apart from ISMS, remote connectivity through a Virtual Private Network (VPN) makes the vendor's computer part of the organization's network, where it can be subjected to all of the organization's security norms and checks. Communication between the remote workstation and the onsite network takes place over a secure connection in which data transmitted in either direction is encrypted. It is almost impossible to tap the connection if it is based on an RSA hard token for verifying the login credentials.
Smart cards add one more layer of security to remote connectivity. These cards have an embedded chip that checks and authenticates the user trying to log into the computer at the very first level. Known as three-factor authentication, the login process involves three major checks: smart card authentication, connecting to the VPN through RSA token-based authentication, and finally connecting to the client network using a regular username and password. We use smart cards to access production servers of client systems and have had no issues.
Another challenge is ensuring that there is no pilferage of sensitive data during bulk data transmission via FTP, email or physical media. Data encryption comes to the rescue in all such cases: by transmitting only encrypted data, the risk from interception is drastically reduced. The keys can be pre-agreed between the communicating parties, or they can be sent separately over a different channel, e.g. the encrypted data is uploaded through FTP and the key is sent through email.
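The two-channel transfer described above, worked through in Go as an added example (this is not Wissen's or the author's code). It assumes AES-256-GCM as the cipher, hex strings as the transport encoding so the payload survives any text-based channel, and a hypothetical file label ("export.csv") bound to the ciphertext as associated data. The sample payload is constructed for the example. The encrypted package stands in for what goes over FTP, the key for what goes over email; the receiver needs both, and any alteration of the package in transit is rejected rather than silently decrypted to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Package is what travels over the bulk channel (e.g. FTP). It deliberately
// contains no key material; the key goes over the second channel (e.g. email).
type Package struct {
	Nonce      string // per-message random nonce, travels with the ciphertext
	Ciphertext string // AES-256-GCM output, authentication tag included
}

// NewKey generates a fresh 256-bit AES key for one transfer.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key. The label (hypothetical: the file name)
// is bound as associated data, so a package cannot be passed off as a different file.
func Seal(key, plaintext []byte, label string) (Package, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Package{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Package{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(label))
	return Package{Nonce: hex.EncodeToString(nonce), Ciphertext: hex.EncodeToString(ct)}, nil
}

// Open decrypts a package with the key that arrived on the second channel.
// A wrong key, wrong label, or any change to nonce or ciphertext yields an error.
func Open(key []byte, p Package, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := hex.DecodeString(p.Nonce)
	if err != nil {
		return nil, err
	}
	ct, err := hex.DecodeString(p.Ciphertext)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, nonce, ct, []byte(label))
	if err != nil {
		return nil, errors.New("package rejected: wrong key, wrong label or tampered data")
	}
	return pt, nil
}

func main() {
	// Constructed sample payload standing in for a bulk data file.
	payload := []byte("customer_id,balance\n1001,250.00\n1002,75.10\n")

	key, _ := NewKey()                         // sender generates a one-off key
	pkg, _ := Seal(key, payload, "export.csv") // package -> FTP channel
	fmt.Printf("upload via FTP:  nonce=%s ct=%s...\n", pkg.Nonce, pkg.Ciphertext[:16])
	fmt.Printf("send via email: key=%s\n", hex.EncodeToString(key))

	// Receiver combines what arrived on both channels.
	pt, err := Open(key, pkg, "export.csv")
	fmt.Printf("receiver got: %q err=%v\n", pt, err)

	// A package altered in transit (one bit flipped) is rejected outright.
	raw, _ := hex.DecodeString(pkg.Ciphertext)
	raw[0] ^= 0x01
	tampered := Package{Nonce: pkg.Nonce, Ciphertext: hex.EncodeToString(raw)}
	_, err = Open(key, tampered, "export.csv")
	fmt.Println("tampered package:", err)
}
```

The point of the design is that an interceptor of either channel alone learns nothing useful: the FTP upload is unreadable without the key, and the emailed key is worthless without the package. Generating a fresh key per transfer also limits the damage if one key is ever exposed.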
These current trends in Information Security address most of the security concerns that organizations may have. It is encouraging to note that more and more organizations are jumping on the bandwagon of outsourcing their services offshore to reap the benefits.