Network security risks multiply when enterprises begin outsourcing

By Jessica Scarpati 07 Oct 2009 | SearchNetworking.com

Network security news, advice and technical information Digg This!     StumbleUpon     Del.icio.us

The network security risks of outsourcing technology jobs offshore are weighing heavily on the minds of IT executives, according to a survey -- and with good reason. Opening network access to overseas firms without the right protections in place could leave an enterprise vulnerable to a network security breach.

Benefits and risks of oursourcing Automated network management alleviates staff shortages Misconceptions about information security outsourcing Don't let your job get shipped away in offshore IT outsourcing Is offshore outsourcing worth the loss of IT jobs?

"People don't put in the same controls they would have for a remote employee," said Rob Ayoub, global program director of network security at Frost & Sullivan. "The challenge becomes that those are added costs, and when you're outsourcing to save money [while] you have to put in these compensating controls … it's no longer such a savings."

Organizations outsourcing technology jobs offshore in 2009 were "significantly" more likely to report an unauthorized network intrusion than those that didn't, according to the 5th Annual Security Survey of IT Executives / Network Administrators by Amplitude Research Inc., commissioned by VanDyke Software.

Sixty-nine percent of 350 respondents said they generally felt outsourcing put network security at risk. Even many of the IT professionals within organizations that actually do outsource IT functions believe that outsourcing carries a network security risk. Of the 29% of respondents who said their companies outsource, half said this practice has a negative impact on network security.

"Certainly, when you outsource your work -- say, outsourcing software development to somewhere like India -- that does add a risk," Ayoub said. "You have to implement protections around that to make sure your codes are not being stolen and limit access directly into your network controls."

Applications can be targets for a network security breach

Hacks or unauthorized intrusions afflicted 42% of organizations in the past year, down from 48% the year before. When the survey began in 2005, 44% reported intrusions.

"Everyone is really good at patching Windows, and everyone's pretty good at patching Office," Ayoub said, but often they leave openings in other applications, thinking they won't be targets. "I'm not looking to get into Adobe to get your PDF. I exploit a vulnerability in Adobe to get a good foothold into your network."

Network security risks afflict even those who don't outsource IT

"People don't put in the same controls they would have for a remote employee." Rob Ayoub Global program director of network security, Frost & Sullivan

But even organizations that keep their entire IT shop in-house can become vulnerable to the risks of outsourcing. Luis Wiedemann, a network manager for Florida-based law firm Broad and Cassel, has dodged any push to outsource his department, but he still faces pressure from vendors to expose his network to ordinarily unauthorized users.

"All of our application vendors insist on setting up a WebEx or GoToAssist session so they can take control and fix the issue themselves," Wiedemann said.

"They also give me an attitude when I, depending on my mood, refuse access to our servers. They're also putting these remote access demands in contracts as well, indicating they can't guarantee support if they don't have unhindered access to the servers their applications reside on," he added. "This is a tough pill to swallow for any security or network admin and brings a tremendous amount of fear for the integrity of security, should something go awry from leaving RDP [remote desktop protocol] opened to the Internet."

Network administrators presented with those ultimatums ought to look for different vendors. Vendors that outsource support have to be upfront with customers about their security best practices if customers are to trust them, Ayoub said.

"Customers have to vote with their dollars," he said. "We do need a shift in mindset and willingness to stand up to some of the vendors on some of these issues. It's a really, really tough challenge, but hopefully, if you're a large enough institution, you could say, 'I'm not going to do business with you without some kind of local support,' [or ask] 'What kind of compensating control do you put on that?'"

Let us know what you think about the story; email: Jessica Scarpati, News Writer

Tags: Network Access Control,  Network Security Monitoring,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Network Access Control Dynamic policy ensures faster, safer network for school district NAC appliance vendors: Can you depend on them? NAC integration at the endpoint Extending NAC enforcement to network security devices Integrating NAC with network security tools Network access control market crushed by economy, but future is bright Joel Snyder discusses Network Access Control Day at Interop Las Vegas Maturing NAC market gets its first Gartner Magic Quadrant Poor data-loss prevention practices almost cost Intel a billion Network access control poised for a comeback by aiming small Network Security Monitoring Network automation lags general IT process automation for now Green enterprise: Three networking investments that make a difference Is there a way to trace my stolen laptop computer? Extending NAC enforcement to network security devices

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary network access control  (SearchNetworking.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary