Outsourcing is a common way of improving the technical platform and gaining access to expertise for IT needs in all industries. It also helps cut costs. But as there are some security risks connected to outsourcing, there are some important things to have in mind.
Secure supply chain
As businesses in IT rely more and more on third parties and service providers, the resilience of the supply chains becomes critical. Supply chains can many times form complex webs of interconnected, multi-level delivery chains, where different providers are linked to customers and also to each other. A breach in just one of these links can have a direct ramification on vast number of businesses. The effects can spread from a local incident to global in an instance, when taking into account that many businesses and IT providers are international.
All software, whether it is an operating system or business application, need updates from vendors to implement new features, fix bugs or patch critical vulnerabilities. These updates are downloaded from the vendor, or from some other trusted party through internet. In some cases, also manually using portable media to decrease the risk of it to be tampered by a malicious outside actor. When implementing software updates, it is good security practice to use only trusted sources and to verify a cryptographical signature of the update packages before installing them.
But what if someone tampers the package by placing additional payload, like a backdoor, ransomware or any other malicious content to the package at the source, the vendor? In this case, the vendor's infrastructure would have been breached and the malicious content is placed in the software package without the vendor's knowledge. For the businesses using or providing it to their customer, the integrity of the software packages would appear to be OK and also the source would seem trustworthy.
Important steps for secure outsourcing
When outsourcing, you must include the security requirements as a given part of the agreement. Because - do you know how future-proof the solution you choose to invest in actually is? Who is responsible if your solution is hacked in a few years? Who’s digital responsibility is it?
The first step is to ensure that your organization is in order, which includes checking your security policy. The policy should cover data classification that can distinguish between sensitive and common data and it should also state clear standards and guidelines.
Selecting the right outsourcing vendor is of course very important. Select a vendor who follows a strict security policy and that has security rules including protection of your data from being copied to portable devices or to other tenants in “the cloud”. Make sure that your vendor will follow your privacy and intellectual property policies. To ensure that your information security solution is future-proof, it is therefore important that you also ensure that your supplier has a way of working that means that it takes on the commitment to continue to be digitally responsible. Do they provide security updates throughout the life of the product/service? Do they do regular threat and security analyses? Is their product/solution future-proof? These are important questions that you need to ask your supplier.
It is also better to choose a vendor who employs the use of gateways and fire walls as t his will help in the total protection of your data. Other things to check are if your vendor has a good track record? Are they educating the employees on how to handle and protect sensitive data? Do they have a systematic approach? Can they give you evidence of it?
To ensure continued secure outsourcing you must conduct regular application/database security audits and network security audits and control that prevention technologies are employed at all times (you need evidence that they have been used).
Outsourcing VPN management
One aspect often overlooked in outsourcing is the risk of letting a supplier manage personal information or other sensitive information.
A VPN (Virtual Private Network) connection is often used to ensure that no one can eavesdrop on information sent across the public network. The VPN devices protect information and ensure privacy through use of cryptographic functions combined with tunneling protocols.
But many VPN solutions have deficiencies in privacy and confidentiality. Administering VPN devices often have indirect access to sensitive information. This means that no matter where the IT solution is managed, unauthorised people can consciously or unconsciously gain access to sensitive information.
Three Domain Separation
Solve the problem by limiting or completely preventing access to information for the operating party. Instead of relying solely on NDAs and agreements you can avoid risk "by design" where a third party may have access to information that they are not qualified to handle, and, despite any NDA should not be allowed to access.
Advenica’s patented innovation, Three Domain Separation, is a true paradigm shift in VPN management. It is the only technology that eliminates the threat of unauthorised disclosure of sensitive information by a VPN administrator or a Managed Security Service Provider (MSSP). It was pioneered to address the potential insider threat from rogue administrative staff within the government, armed forces and intelligence organisations
Want to read more about Three Domain Separation? Visit the product page or download the White Paper #01 SecuriVPN - Three Domain Separation!
Interested in more information about secure remote access through RDP? Find it here!