September 29, 2009

Does IT Outsourcing Pose Security Risks?

This article from eWeek discusses the results of a survey from VanDyke/Amplitude that found a larger number of network intrusions at companies that outsourced tech jobs. There aren’t a lot of details, unless of course you go and get the full survey, which I don’t have access to. If I were to guess, I would say most of this comes from the requirement for such companies to open network access to their company’s internal network. This of course is fraught with a variety of security issues that I suspect many companies aren’t taking seriously enough.

There are a few ways to mitigate these kinds of risks. Here are a few ideas:

  1. Choose an outsourcing partner that has lots of experience working via VPN and SSH with their partners. Their experience can help you ensure the right steps are taken. They will also be able to demonstrate how their own internal networks are kept secure.
  2. Another option is to find an outsourcing partner that has their own secure network and services distinct from your own corporate network. The best partners have great capabilities for securely working with you without the need to access your internal network. You can then sync work at periodic intervals without full VPN access.
  3. Specifically contract a network security specialist to assist in setting up access to your internal corporate network.
  4. Isolate access to the networks and services your outsourcing partner needs. Keep these separate from what your internal people use. This might not be practical in many cases, but it could work in your case.
  5. Use SSH with public keys as much as possible. It is as secure as a VPN, but offers many advantages for controlling access at a fine-grained level.
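
To make item 5 concrete, here is an added example (not from the original post) that audits an OpenSSH `authorized_keys` file for the per-key options that provide fine-grained control: `from=`, `command=`, and `restrict` / `no-port-forwarding`. The sample entries, key material, partner names and the `/usr/local/bin/sync-only` path are constructed placeholders.

```python
import re

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")  # line has no options
FIELD = re.compile(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+')  # options up to first unquoted space
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(?:,|$)')

# Constructed sample: placeholder key material, documentation-range addresses,
# hypothetical partner names and forced-command path.
SAMPLE = '''\
ssh-ed25519 AAAAC3PLACEHOLDERKEYA partner-dev1
from="203.0.113.0/24",no-port-forwarding ssh-ed25519 AAAAC3PLACEHOLDERKEYB partner-dev2
restrict,from="203.0.113.10",command="/usr/local/bin/sync-only" ssh-ed25519 AAAAC3PLACEHOLDERKEYC partner-sync
restrict,port-forwarding,from="203.0.113.10",command="echo a, b" ssh-rsa AAAAB3PLACEHOLDERKEYD partner-tunnel
'''

def parse_entry(line):
    """Return (options dict, key comment) for one authorized_keys line."""
    options = {}
    if not line.startswith(KEY_TYPES):
        m = FIELD.match(line)
        field = m.group(0) if m else ""
        options = {o.group(1).lower(): o.group(2) for o in OPTION.finditer(field)}
        line = line[len(field):]
    parts = line.split(None, 2)  # key type, base64 blob, comment
    comment = parts[2] if len(parts) > 2 else "(no comment)"
    return options, comment

def audit(text):
    """Map each key's comment to the list of missing restrictions."""
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, who = parse_entry(line)
        findings = []
        if "from" not in opts:
            findings.append("no from= source restriction")
        if "command" not in opts:
            findings.append("no forced command")
        # "restrict" disables forwarding; "port-forwarding" turns it back on.
        if "restrict" in opts:
            forwarding = "port-forwarding" in opts
        else:
            forwarding = "no-port-forwarding" not in opts
        if forwarding:
            findings.append("port forwarding allowed")
        report[who] = findings
    return report

if __name__ == "__main__":
    for who, findings in audit(SAMPLE).items():
        print(who, "->", findings or "ok")
```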