Wednesday, March 05, 2008

Data Security and Outsourcing: Oxymoron?

Source : Click here

Business Process Outsourcing (BPO) is a common practice these days. From front office to back office, HR to accounting, offshore to near shore; BPO comes in many different flavors—all of which provide an upside on the cost savings front.


But with the benefits of reduced cost, improved efficiency – and, in some cases, the increased expertise of outsourcing – comes a need to provide outsourcers with access to some of our most sensitive corporate data assets. So, along with the benefits of BPO comes an increased risk to data.

Data risks are an inherent problem for companies that outsource. Whether they take the form of compliance issues, legal liability, brand risk or customer concern, companies that choose to employ BPO must handle the security challenges that are inevitable whenever they move business processes outside of the confines of the company.

That said, the data risk problem is a "Catch 22:" If you cannot protect your data, you put your business at risk. But if you constrain the use of data too much, you can paralyze the outsourcing effort – and your business.

So how do you align your outsourcing effort with business goals while protecting the data?

Successful outsourcing requires successful risk management. It also requires a new view of data security.

Tipping the Benefits/Risk Scale

A certain amount of risk is a natural part of doing business. But when it comes to data, many companies have been forced to accept more risk than they might otherwise be comfortable with because the bottom line benefits of outsourcing outweighed the risks. That tide is now turning and it is turning for a number of reasons.

First, increased risk to data, in the form of mass data breaches (a product of the increasing sophistication and motivation of data thieves) has heaped pressure on corporations that store and use sensitive data. There is not a business in existence that does not want to avoid becoming the star of the next data-breach drama.

And the fallout from data breaches does not stop at brand-busting (bad) PR. Fines and legal issues resulting from data breaches have become more complicated and much more costly. Regulatory compliance is also a major driver when it comes to the need for data risk mitigation.

Fortunately, where once there was a dearth of remedies for swiftly detecting malicious activity with data, now there are literally dozens of new technologies designed to address this very problem. These new technologies are helping to tip the risk vs. benefits scale to the point where enterprises with outsourcing projects underway are taking a second look at their BPO data risk mitigation techniques. Likewise, enterprises considering BPO in the future are building data security into their outsourcing strategies.

One of the biggest issues when it comes to mitigating outsourced data risk is that it is a close cousin to the insider threat that enterprises have been struggling with for many years. This has been a tough problem to solve.

How do you mitigate data risk and detect malicious activity when the users are trusted employees, are authorized to use the data and need access to data in order to do their job?

When it comes to outsourcing, this problem is magnified by the fact that the users accessing the data are not inside of your organization and may well be on the other side of the globe. This is where a new view of data security comes into play.

The "Inside-Out" Threat

Traditional data security is a methodology based on controlling access to data. The idea is to maintain tight control over who has access to data via various credentials based on job function and/or security clearance – the data equivalent of a "need to know" strategy.

Access control still is an important component of an effective data security program, but it does not address outsourcing data security issues, or any insider threat to data – because it cannot detect malicious activity by authorized users (or apparently authorized users) at core data servers. The users who pose the greatest threat to data are those who have the credentials to access the depths of the data center where all of the critical data assets are stored. This could be an employee, an outsourced partner or a data thief masquerading as one of the above. Whoever they are, they have the keys to the data kingdom. This is the "Inside-Out" Threat.

The logical and simple thing to do in order to mitigate risk to data by insiders would be to watch what they are doing with data.

Some organizations use database logs to assess user data activity, but sifting through logs is a highly manual, time-consuming process. Picture a needle in a very large haystack—and an after-the-fact solution. Ideally, you need to "see" what users are doing with data as they are doing it, to be able to discern the difference between business as usual and suspicious activity, and to sound a warning bell in time to avert the data disaster. This "deal with it as it is happening" notion of data security is anathema to many security practitioners, but it's catching on in the form of new database/data activity monitors (DAM), sometimes referred to as enterprise data auditing and real-time protection.

The Tao of Data Security for Outsourcing

Martial Art students are taught to watch carefully and take action based on the threat that materializes. This saves a lot of wasted energy flailing around in response to your best guess about what someone might do next.

This is precisely what the new intelligent data-monitoring technologies do. They watch what is happening to data in real-time and analyze what the activity means in relation to a pre-defined set of potential risks and past behavior of the users in question. The beauty of the 'innocent until proven guilty' approach is that it enables a relatively free flow of data for business outsourcing activities but provides a window into those activities that gives you control over data assets when necessary. Thus, by giving up the illusion of control, you gain real control  over what is happening to your data.

Another popular analogy for DAM is the security camera in the data center. You provide access and then watch what is going on. The problem with a security camera is that it is not automated and it lacks intelligence — so it can't tell the difference between bad behavior and good behavior. Database activity monitoring tools can, however, tell the difference.

Monitoring Outsourced Data Activity for Risk Mitigation

As the saying goes, "you can outsource anything except for your liability." BPO providers are increasingly putting checks in place to prevent misuse of sensitive client data, but effective data security and compliance requirements still call for the enterprise to know what's going on with outsourced data. This means closely monitoring the use of data by outsourcers.


The first step in securing outsourced, or any critical data for that matter, is data discovery. Knowing where specific data assets reside and who is accessing them will provide the basis for an effective monitoring program. Data discovery locates and monitors unstructured data assets (data in file servers) as well as structured data (data in databases) and legacy applications as well as open systems. Ideally, you should be able to identify specific types of data in these applications such as Social Security numbers or credit card numbers.


Once a benchmark for data location and access has been established, policies for monitoring, alerting and reporting can be created. The main goal of monitoring is to provide detailed information on how, from where, when and by whom data is being accessed and then to have the ability to analyze that data against policies related to compliance regulations, data protection/data breach detection and corporate data governance programs.

Policies for compliance are among the easiest to create. Some auditing/monitoring solutions come with pre-defined policies covering the major regulations such as SOX and PCI.

The second step is compliance. Despite the fact that these regulations look complicated, the auditing requirements are very straightforward. Actions such as alerting and pre-scheduled reporting can be written into policies to automate the monitoring process even further.


Creating policies for data theft is also fairly straightforward. There are definite signatures for theft—such as: highly sensitive data accessed, data accessed at odd times, unusually large downloads or, more importantly, certain combinations of these--that can easily be captured in policies. However, detecting data theft requires more than just the right policies; it requires sophisticated analytics that can look at specific behavioral characteristics against history and then factor this data into the determination of data risk. This intelligence is what makes DAM solutions more than surveillance cameras for watching outsourced data activity.


DAM solutions can be delivered in several ways. Some are delivered as appliances that sit in front of data servers and capture network traffic. Others are delivered via software agents. Still others offer a combination of both.


Determining the right solution for your organization depends on a number of factors including how many data servers you need to monitor, how much traffic flies over your network and what type of output you require from the system — types of reports, workflow features, alerts, etc. In any case, once your monitoring program is in place, it can be fine-tuned as you "learn" more about how data is being used (or abused). But even before you have the perfect monitoring program in place, you will have orders of magnitude more insight into what outsourcers are doing with your data than you had previously and this insight will be available in real-time.


So there is a way to have your outsourcing cost savings and data security, too. But it requires a slightly new way of looking at data security — that is, from the data core out and as a problem of insiders that need to be monitored.