Security relating to offshore data centers has been in the news lately. Indian call centers in particular have been the target of a good deal of negative attention such as this BBC report about a recent Channel 4 programme.
Personally, I believe such stories are unnecessary scaremongering. I believe this because I’ve been to India and performed security reviews onsite at a wide variety of locations, and without exception the level of security and the management of security is something that many UK-based firms could probably learn a lot from.
When I discuss off-shore security in India with peers, there is often a perception that we are dealing with a third-world country with poor quality and standards. This article here actually makes the wild claim of “serious hazards, including a threat to America’s national sovereignty”. What it doesn’t mention is that within America, convicted criminals are being entrusted with credit card data – as mentioned here!
On performing onsite security reviews in India I first noted that all of the organisations I dealt with had achieved BS7799 certification and also CMM level 5. These are worthy accreditations and an indication of auditable paper trails and documented processes being in place – but not necessarily an indication of good security. It was when sitting down and discussing security with the companies concerned that it became apparent that they were operating world-class processes with a very high degree of awareness. Physical security prevented employees and visitors from bringing in any equipment that could be used for copying data, network security was managed by dedicated subject matter experts, and software development processes were based on detailed, documented security standards. Additionally, and without exception, all of the organisations I visited operated mandatory security awareness training for employees.
That’s not to say that it wouldn’t be possible for a malicious insider to gather and steal confidential data. Where there is a will there is a way. My point is that such actions are possible anywhere and not just in the realm of Indian call centers. The best thing we can do is be aware of the risks and make sure that they are assessed and mitigated as far as possible.
So, if I were to be asked to provide advice to any organisation wanting to assess the security status of an offshore vendor, my advice would be thus: take a security expert with you to visit the vendor, perform a detailed assessment based on a standard and repeatable risk assessment process, look, listen, be impressed and be prepared to learn.