Assessing the Outsourcers
Assessing the Outsourcers: Off-Shore Development
George G. McBride, CISSP
RSA Conference 2004 San Francisco, CA
What is off-shore development?
The architecture, design, development, testing, or lifecycle maintenance of software and hardware products somewhere outside of your home country.
— Typically includes countries such as:
• India
• Philippines
• China
• Ireland
This presentation will not concentrate on the help-desk or support type functions, but many thoughts and concerns also apply to these efforts.
What’s the big deal?
A couple of questions:
— Are you setting up your own Offshore Development Center (ODC) or are you using an outside firm?
— Do your business partners, consultancy firms, and other suppliers have a requirement to inform you of where the work is being done?
• Do you have a requirement to tell your customers?
• Are there legal requirements?
— What is the difference between sending your work down the street or across the world?
The big deal is:
A significant amount of your product or Intellectual Property (IP) is now managed and controlled by a 3rd party.
— Many companies feel they’ve “lost control”
— Many have some implicit belief that because the firms are CMM Level 5, the ODC must have an equivalent level of security
— Many assume everything is fine if they haven’t heard otherwise
— Many believe any problems or issues are the responsibility of the ODC, usually because it hasn’t been thrown “over the fence” yet.
— Geo-political issues begin to creep in and can affect productivity through time differences, travel restrictions, etc.
Contractual Issues
Ensure that the security organization coordinates all off-shoring activities with business units, purchasing, supply chain, etc.
— Review RFIs, RFPs, etc. and be part of the evaluation process
— Ensure compliance with your organization’s security policy
• Must balance business needs (saving money) with security
— Include the right to audit / assess clause in detail, including:
• Frequency
• On-site visits
• Interviews
• Network scans
• Physical security reviews
Contractual Issues
Can previously conducted audits and assessments by the ODC be reviewed?
— Their own internal security staff efforts
— Contracted assessments and audits
— Other clients’ results
— SAS 70 reviews
— ISO 17799 reviews
Have employees signed Intellectual Property agreements?
What about Non-Disclosure Agreements (NDAs)?
Connectivity Options – Limited
No direct network connectivity
Primarily used for “over the wall” and one-off development efforts, not partnerships
How are source code and design documents transferred?
Can e-mail and data transfer encryption be forced?
ODC can have a connection to the Internet or could be completely isolated.
(Diagram: ODC Network and Corporate Network, each behind its own firewall, with the Internet between them and no direct link)
Connectivity Options – Leased Line
Some type of private line
Routing should be configured to force data and e-mail transfer to use the leased line
Need to restrict access to only the required systems
Both companies should have a firewall only allowing the required traffic
ODC Internet connection optional as Corporate network could be used for Internet access
(Diagram: ODC Network and Corporate Network joined by a leased line, with firewalls on both networks toward the leased line and toward the Internet)
Connectivity Options – ODC & ODC Corp
ODC or ODC Corp Network may have Internet connectivity
Question what traffic is allowed between ODC and ODC Corp Networks
Leased line and Internet connection may be to ODC Network or ODC Corporate Network
Again, the existence of a private leased line doesn’t guarantee its use
(Diagram: ODC Network, ODC Corporate Network and Corporate Network, connected by a leased line and the Internet, with firewalls between each)
Connectivity Options – Source in DMZ
Can provide the best solution in terms of data and connectivity isolation
May require more effort in terms of network engineering
Implement IP address restrictions to allow connections from authorized entities only
You must have one-time passwords in use here.
VPN offers additional security
(Diagram: ODC Network, Internet, Source Code Servers in DMZ and Corporate Network, separated by three firewalls)
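As an added example (not from the slides), a small Python check of the kind you could run over an exported rule set from the firewalls in front of the DMZ source code servers: it flags allow rules whose source is not one of the authorized entities, or whose port is not one of the required services. The address ranges, ports and rules are constructed placeholders.

```python
# Added example, not from the slides: audit the allow rules in front of the
# DMZ source code servers. Every range, port and rule is a constructed placeholder.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed authorized entities: the ODC end of the leased line and the corporate
# network. Required services assumed to be SSH (source control) and HTTPS.
AUTHORIZED_SOURCES = [ipaddress.ip_network("203.0.113.0/24"),   # ODC leased-line range
                      ipaddress.ip_network("10.20.0.0/16")]      # corporate network
DMZ_SOURCE_SERVERS = ipaddress.ip_network("192.0.2.0/28")        # source code servers in DMZ
REQUIRED_PORTS = {22, 443}

@dataclass
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    port: Optional[int]   # None means any port

def _covered(net, allowed):
    """True only if every address in net lies inside one allowed range."""
    return any(net.subnet_of(a) for a in allowed)

def audit(rules):
    """Return one finding per allow rule that reaches the DMZ servers from an
    unauthorized source or on a port that is not a required service."""
    findings = []
    for i, r in enumerate(rules, 1):
        src, dst = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        if r.action != "allow" or not dst.overlaps(DMZ_SOURCE_SERVERS):
            continue
        if not _covered(src, AUTHORIZED_SOURCES):
            findings.append(f"rule {i}: source {r.src} is not an authorized entity")
        if r.port not in REQUIRED_PORTS:
            findings.append(f"rule {i}: port {r.port} is not a required service")
    return findings

# Constructed rule set: rule 1 is what the slide calls for; rules 2 and 3 are
# the over-broad allows a review should catch (any source, any port).
SAMPLE_RULES = [
    Rule("allow", "203.0.113.0/24", "192.0.2.0/28", 22),
    Rule("allow", "0.0.0.0/0", "192.0.2.5/32", 443),
    Rule("allow", "10.20.0.0/16", "192.0.2.0/28", None),
    Rule("deny", "0.0.0.0/0", "192.0.2.0/28", None),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```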
Connectivity – Remote Access?
Watch senior ODC personnel, who may have contractor status at your company and may have unrestricted access into your corporate network.
Do you want personnel working from home? Most companies prohibit it, helping to prevent intellectual property leakage.
— Does the company allow it? If so, how is logical network separation managed to ensure your IP is protected? What restrictions are there?
— Do you require token / one-time passwords to access source code? In DMZ solutions, have you prevented a rogue employee from downloading the source code from their home using the same password used at work?
Connectivity Concerns
Are you providing inbound access to services on your network?
— Are the ODC systems connecting to your network secure?
— Are your systems secure?
• Anti-virus updates
• Patches and service packs
— Are you protected against:
• Worms and other malware
• A malicious user using Telnet or SSH to a system on your network and then using that as a launching point to gain complete access to the rest of your network.
Personnel Security
Are background checks performed on employees?
— Are they performed on yours?
Each client’s personnel are generally physically separated while writing code.
— Lunch? Personal relationships?
What about personnel on the beach/bench?
— Is there a mandatory period of time between client transfers?
— What do personnel assigned to your account do between projects?
Physical Security
Some ODCs have electrified fences, armed guards, motion sensors, and video surveillance around the perimeter.
— Other ODCs are in a shared facility with a door that locks when they remember to close it at night.
What level of physical protection do you provide to your intellectual property?
— You’ll probably learn some things from the better ODC firms
Most ODCs will provide whatever level of physical protection that you specify.
— That generally comes at a price.
Physical Security
What access controls are in place to protect your IP?
What logging and recording mechanisms are in place?
Who has access to the ODC? Do they have a list?
— Staff in training
— ODC security, cleaning, IT support, maintenance personnel
Can the ODC badges be customized for each of their customers?
Are bags checked upon exit? Would guards know what a USB drive looks like?
Application Security
Where is the IP (source code / design documents) stored?
— Do you have real-time access to the source code?
What about source code reviews?
— What have you contracted for to be performed by the ODC?
— Logic and source code errors
— Malware
— Transmission / version control issues
• Increases with multiple-site concurrent development
On-Site Reviews
What are the contractual obligations of the ODC vendor?
To what depth will you review?
Do you really want to do a “surprise” visit?
Be prepared to be asked to sign an NDA from the ODC.
— They’ve got secrets to keep also.
Watch bringing electronics into some of the “Customs” and Economic zones. Some things must be declared prior to entry.
— Cameras
— Laptops, PDAs, etc.
The On-Site Review
Physical Security:
— Perimeter and Building Security
— Security specific to your ODC
— Access controls and recording including access lists
— Proprietary/Sensitive information destruction
— Lab, storage, cubicles, offices review
— Awareness posters
— Password protected screen savers
— Laptops physically protected
— Visitor policy
On-Site Review
Personnel:
— Short discussion of coding procedures and adherence to your corporate coding policies
— Employment documentation is organized, complete, and accurately maintained
— NDAs and IP agreements signed and stored
— What security training have they attended?
— Ensure their understanding of what to do for security incidents
— Spot check of employee records to verify that they’ve been supporting only your company
On-Site Review
Network Security
— Agree on which machines will be scanned to avoid scanning their corporate or other customers’ machines
— Perform a typical network vulnerability scan of machines in the ODC
— Interviews of system administrators, users, programmers
— Since they are responsible for maintenance and security of the machines, I’d recommend providing detailed vulnerability and corrective actions to them
— Sit down with the administrators to walk them through the vulnerabilities and corrective actions
— Position your efforts as “educational” and “partnering”
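As an added example (not part of the talk), a Python scope gate that refuses targets outside the range agreed with the ODC, including anything in the ODC corporate network or another customer's segment, before a scan is run. The ranges and target list are constructed placeholders.

```python
# Added example, not from the slides: gate a vulnerability-scan target list
# against the scope agreed with the ODC so that the ODC's corporate machines
# and other customers' machines are never scanned. All ranges and targets are
# constructed placeholders.
import ipaddress

# Constructed: what the ODC agreed to in writing, and what it explicitly carved out.
AGREED_SCOPE = [ipaddress.ip_network("203.0.113.0/26")]       # your project's ODC segment
EXCLUDED = [ipaddress.ip_network("203.0.113.32/27"),          # another customer's segment
            ipaddress.ip_network("198.51.100.0/24")]           # ODC corporate network

def classify_targets(targets, scope=AGREED_SCOPE, excluded=EXCLUDED):
    """Split candidate targets into (in_scope, rejected); rejected maps each
    refused target to the reason. Accepts single addresses or CIDR blocks; a
    block is in scope only if every address in it is, and any overlap with an
    excluded range wins over the agreed scope."""
    in_scope, rejected = [], {}
    for t in targets:
        try:
            net = ipaddress.ip_network(t, strict=False)
        except ValueError:
            rejected[t] = "not an IP address or CIDR block"
            continue
        if any(net.overlaps(x) for x in excluded):
            rejected[t] = "overlaps an excluded range"
        elif not any(net.subnet_of(s) for s in scope):
            rejected[t] = "outside the agreed scope"
        else:
            in_scope.append(str(net))
    return in_scope, rejected

# Constructed target list as an assessor might type it up after the walk-through.
CANDIDATES = ["203.0.113.10", "203.0.113.0/28", "203.0.113.40",
              "198.51.100.7", "203.0.113.0/24", "build-server"]

if __name__ == "__main__":
    ok, bad = classify_targets(CANDIDATES)
    print("scan these:", ok)
    for target, why in bad.items():
        print(f"skip {target}: {why}")
```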
On-Site Review
Make sure you read the contractual agreements between you and your ODC firms to understand what is expected of them and of you.
Have a basic understanding of the products and technologies that the ODC firm is working on.
Assume that the various firms have a pretty solid understanding of which other firms may be developing products for you.
— Proposals they didn’t win.
— Social circles
Partnerships, not hostility, promote a more secure environment.
Questions?
Contact me at [email protected] with any questions that you may have or any thoughts or comments on this talk.
Lucent Technologies
Bell Labs Innovations
George McBride
Senior Manager
IT Risk Management
Lucent Technologies Inc.
Room 2N-611G
101 Crawfords Corner Road
Holmdel, NJ 07733
Phone: +1.732.949.3408
E-mail: [email protected]