12
Wed, Jun
4 New Articles

Security and Compliance: Managing the Design Process with Outsourced Personnel

Compliance / Privacy
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

The problems of building systems that meet the requirements of security and corporate compliance are difficult enough when designing and building an application in-house. The complexity of meeting these requirements increases exponentially when IT departments outsource the projects to personnel who are no longer onsite. It is possible that an outsourcer could deliver a product that does not meet the security requirements of the organization, opening up potential compliance problems that go unaddressed by IT.

Project managers and application designers for outsourced development applications are experiencing security challenges of a magnitude they have not seen before. Is that self-inflicted through corporate paranoia, or is it an absolute necessity?

Simplistically, the problems caused by the management of such projects can be compared with the challenges parents have with their teenagers. Most parental coaching manuals stress the importance of trusting your children and granting them some freedom. Therefore, parents give their offspring some freedom to make decisions for themselves, and the parents pronounce that they trust them. But how far do they trust them? Are these the same parents installing software to control PC and instant messaging access? Do the parents check out their children's MySpace pages? Are they reading their children's journals and tidying bedrooms with eagle eyes?

In the same way, an IT organization would not normally engage in an outsourcing project with a provider it doesn't trust. That would be foolish. But will the organization be stricter than with its in-house staff? Will it define strong rules and audit, audit, audit? You bet it will.

One overriding point throughout this article is that the scale of the project has a massive impact on the security requirement. As more and more SMBs consider some aspect of development outsourcing, a lot can be learned from the large projects that have gone before.

Wikipedia describes outsourcing this way: "Outsourcing (or contracting out) is often defined as the delegation of non-core operations or jobs from internal production within a business to an external entity (such as a subcontractor) that specializes in that operation. Outsourcing is a business decision that is often made to lower costs or focus on core competences."

But that definition can cover many different scenarios. Introducing consultants and contractors for IT development projects is nothing new. Projects with outside resources always present more management and security challenges than wholly in-house projects. However, each project within this broad range will have different security needs, especially if we consider the project types:

  • Contracting with an ex-employee who is now independent but has the right skills and knowledge to be a consultant on legacy applications
  • Contracting resources from a cheaper part of the same country—for example, "farmsourcing"
  • Outsourcing to major players such as IBM Global Services, EDS, etc.
  • Outsourcing to software providers with some development teams overseas
  • Outsourcing to software providers with only a sales presence locally and all developers overseas
  • Creating shared companies with overseas development organizations
  • Creating a development resource company in a foreign country, often called "captive subsidiaries"

Each of these presents its own challenges and levels of risk. Obviously, as risk increases, the need for stronger security mechanisms increases, too. The most risky outsourcing project is the situation in which development resources are located in another country and provided by a totally separate organization. It is this type of scenario that raises the most security concerns; however, many apply to local outsourcing projects, too.

It is easy to slip into the mindset that "we" are good and the outsourcers are bad, but that is far from the truth. Speak to many of outsourcing providers, and their verbal commitment to IT security is blatantly obvious. Organizations should look for a provider with a such a mindset. This highlights another important aspect when choosing a partner: Organizations should look for an outsourcer with a similar level of project organizational maturity. To quantify this, organizations have in the past utilized standards that grew out of ISO 9001 to cover "quality" in development project management. One that has been used regularly over the last 20 years or so is the Capability Maturity Model (CMM). Many organizations have already evaluated their own level of process organization and should look for a developer with a similar level of maturity. CMM, which was developed out of the Software Engineering Institute at Carnegie Mellon, has since been sunsetted with the introduction of a newer model called Capability Maturity Model Integration (CMMI).

To analyze the security requirements for an outsourcing project, we can split the project into discrete sections. Some security issues span, or affect, more than one of these categories and may be mentioned multiple times:

  • Project definition
  • Design
  • Technology infrastructure
  • Skills/knowledge transfer
  • Development
  • Testing and QA
  • Audit

Project Definition

A manager I worked for once told me that contracts were only written in case one of the signatories passed away! He believed that business relationships were directed by the personal relationships of the people involved and that any issues that arose would be addressed without recourse to the contract paperwork.

I am sure everyone can think of at least one situation in which that was blatantly not the case. Outsourced projects need good, strong, detailed contracts between the parties involved. Failure to take every precaution at this stage would be a disaster waiting to happen. Stop and think of the reason outsourcing projects take place. In the majority of cases, the answer is money. The client organization is looking for a cost-effective way to produce applications.

So what is the tradeoff organizations have to accept in order to get these savings? One reason for the cost-savings is that the outsourcer is in a region that has different standards and expectations for privacy and data protection. This is not to say they are more insecure, just that there may not be a culture of security and their legal system may not provide the same protection. This is similar to employing a building contractor who does not know, or adhere to, local building codes. It may be cheaper, but it could cause problems later.

In addition to the general items, the contract must address these security issues:

  • Intellectual property rights
  • Federal and industry regulations
  • Privacy
  • Country/state of jurisdiction
  • Non-compete clauses
  • Exit options—Discrete points along the way where it might be useful to end the relationship if security issues arise
  • Results of failure to deliver by either side
  • Arbitration—Whether this can be used, rather than the more expensive and slower legal systems
  • Personnel expectations—For example, whether developers are allowed to work on other companies' projects or whether third-party contractors are allowed

Design

In some development departments, personnel have been working for the same business on the same applications for so long that the designer intentionally omits some design details. It is a great luxury not to have to explain the business, demonstrate the tools, and discuss the users' expectations in order to get a quality result.

However, in an outsourcing environment, the documentation must be complete. If the developers working for the outsourcing company are located in a different region of the world, they may have no understanding of what the application will do for the end user. Hence, a detailed specification document is required. However, the organization must maintain control of that document. Whether the company is a software developer or an organization needing an in-house application to run its business, loss of design documents can lead to loss of business advantage.

The type of design documentation, its expected flow, and its rules for use must be defined up front. In large outsourcing contracts, the development resources often never get to see a printed copy of the design specifications they are working from. The PC could be locked down so that the developer cannot transmit the document somewhere else, plug in a flash drive, etc. These severe and draconian measures are important to ensure that both parties are comfortable in the business relationship.

Technology Infrastructure

As mentioned, many companies insist on a high level of security for the hardware the outsource developers are using. This extends not only to the individual PCs but also to the infrastructure between the two organizations. Some outsourcers connect to their client's systems through shared lines to save expense. Companies must determine whether the possibility exists that another partner or client of the outsourcer could connect to their production systems or even just scan and steal documentation and coding that is being transferred. How should an organization react to such a risk? One option is to insist on a separate line for the organization's project and resources (which will erode some of the cost savings the client was hoping for) or to impose security restrictions/technologies on the shared lines (which will also erode the cost savings).

Some large outsourcing projects specify that the client has the right to build the PCs and servers that the developers are to use during the project to ensure that the correct security procedures are in place. Other organizations use technology to enforce the environment they need. For example, virtualization software provider VMware markets a product called ACE (Assured Computing Environment) that can encapsulate a total environment for the developer to work on. It can be configured so that developers can still access their emails, other clients' development environments, the Internet, etc. without compromising the security of the development model.

Other technology solutions may be required to enforce the right standards for the developers' PCs when they connect to an organization's own systems. As an example, it is important that virus definitions and OS patches are at the right level before allowing access to the network.

Skills/Knowledge Transfer

With any project, transferring business and application knowledge to the developers is an important aspect of the process. Similarly, transferring technical skills cannot be underplayed. When choosing an outsourcing provider, an organization should always try to find a good match within the developer base, but it is unlikely to be a perfect match, especially with legacy environments, such as some of the older iSeries technologies. It is critical during the partner search phase of the project that the outsourcing provider makes commitments regarding the skills available within its developer team, including specific details as to which person has those skills.

However, such commitments will be of no use if the developer assigned to the project resigns or is reassigned to a new project. Monitoring developer personnel is a critical ongoing task, especially if the developer has IDs permitting him to access the client's own systems. Because of these concerns, companies often decide to employ third-party organizations to verify that the personnel commitments made by the outsourcer are being met.

The type of application development project chosen to be outsourced can be vary greatly, but all have their own types of challenges. For example, one view is that maintenance of an old legacy system is a good choice for outsourcing so that internal development can focus on newer technologies. However, the skills transfer on the old application can lead to the type of privacy exposure documented above. Another view is that a completely new application is the right type of project, partly because there would be less skills transfer concerning the old processes; however, there would be more knowledge transfer related to the business. Whichever type of project an organization has available for outsourcing, it is guaranteed that considerable skills transfer will be necessary.

Development

Maintaining control of an outsourced project has the same basic requirements as traditional in-house development, just taken to the next degree. Even the least paranoid project manager has at some time wondered whether his own developers have inserted some rogue coding into applications. The worry is that, at some point in the future, a disgruntled person could activate that coding and cause all sorts of havoc. For example, the application could transfer the rounding errors to rogue bank accounts or the application could ignore the security restrictions if the user name is JHACKER.

Now hold that thought, and apply it to an outsourcing project, where the developers are in a poorer region of the world or a country with potential political instability. Could these factors influence a developer to introduce some sort of rogue coding into the application? An organization could try to review the coding details of every part of every application, but that will likely negate the cost benefits of outsourcing. More sensible is an organized, though random, audit of selected elements of the application.

Testing and Quality Assurance

One challenge for the organization is to ensure that the quality-testing phase does not become the most onerous part of the project. Despite good design documentation, skills transfer, and such, will the developer really understand the requirements and will the discussions between designer and developer work well across geographical and social boundaries? At least in the early stages of the project, it is critical to regularly check that the developers are interpreting the designs correctly. It is not sensible to wait too long to start the QA process.

One aspect of security that is often overlooked, even during in-house development, is the privacy of the available test data. Of course, outsourcing companies require good test data to prove their applications, but what does that test data contain? Of course, the current live corporate data is the best source of application information; however, it is critical that all useful and identifiable data is replaced before handing it over for use in testing. For example, a customer file with real customer names and real prices may be of value to competitors; therefore, it should be used as test data only if some of the data contents are changed.

Audit

Most of the elements highlighted above need to be strictly audited on a regular basis. Sadly, figures show that less than a quarter of clients audit the security of their outsourcing partners. Given the difficulties in doing this, it is not surprising. For example, will a client send a consultant to check the outsourcer's premises for physical security and proper use of design documentation every quarter—or even every year?

If the outsourcing developers have access to their clients' production systems for implementation issues and ongoing support, are the IDs being checked for appropriateness of access? Is that a part of the client's internal audit processes?

In many global outsourcing centers of the world, the outsourcers have matured to a security standard that is comparable to those of the client. This can still cause challenges as the outsourcer may have set those standards to meet one particular client, maybe their first large contract, but these may not meet all clients' standards. It is difficult for the outsourcer to make all clients happy at the same time.

Successful Outsourcing

A number of themes run through this article. First, the risk (or at least the perceived risk) is greater with outsourced development projects. Second, there is a delicate balance between trust and compliance; organizations must audit to the level they are comfortable with. Finally, as more and more SMBs take their first steps in remote development, a lot can be learned from the way the big boys have run their projects. However, trying to emulate all of the processes, tools, and methodologies that the larger companies have used will very quickly erode the cost savings associated with an outsourced development project.

Martin Norman is Senior Systems Engineer for SafeStone Technologies, an IBM BP specializing in compliance and identity management. As one of the original developers of SafeStone's security portfolio, Martin has performed security audits and advised on installations for clients throughout the United States and Europe. Martin can be contacted at This email address is being protected from spambots. You need JavaScript enabled to view it..

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$0.00 Raised:
$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: