For businesses that handle sensitive data affected by regulations, outsourcing has become a critical security concern. Not surprisingly, sharing and securing data in the supply chain is one of the hot topics being covered in the keynote theatre at this year’s InfoSec13 show next month. In kicking off our series of Infosec-themed blog posts, I wanted to talk about data protection best practices in the context of outsourcing business information to third parties.
The outsourcing of laborious or indeed specialist tasks like IT support or data processing has become a critical part of business operations. I still find that many of the customers and prospects I speak to have two main concerns when it comes to the security of outsourcing activities and the sharing of information with partners and contractors: 1) where exactly their data physically resides; and 2) what the security risks are to that outsourced data.
Unfortunately, it can be very difficult to be certain that the data passed to third parties won’t end up stored in vulnerable locations or transferred across unsafe networks. As a business’ supply chain grows (or more sensitive processes are outsourced), more data is exchanged – from payment data and tax information, to sensitive intellectual property like source code and engineering/design drawings and plans. As the amount of data passed to third parties increases, so too does the number of possible points of entry. And, as we all know, the bad guys are always on the lookout for the path of least resistance, so they are definitely trawling supply chains for the weak link.
So, how do you safeguard your valuable data, while still providing the required access that your partners need to get the job done?
Firstly, you need to stop thinking about this as a third-party problem and understand that this is something YOU and YOUR organisation are responsible for. You need to protect what matters – and that includes data that you’re sharing with your outsourcing partners. Here in Europe, the UK Information Commissioner’s Office recently issued guidelines stating (unequivocally) ‘as a business, you are responsible for keeping your data safe.’
Secondly, what’s needed is a shift from network-level protection to protection that occurs around the actual data involved. Legacy security solutions have focused on network-level and perimeter security — which, if you’ve been checking the headlines, you know is failing — so, if your third-party supplier happens to have weak network defences, access to your data could be compromised. Security needs to be around the data and it must incorporate fine-grained controls over how the data can be accessed, where, when, and by whom.
Data is the new currency, so look for solutions that enable your business to continue sharing data with your partners as easily as possible, while also ensuring that you retain control and can limit access to that data. I invite you to visit the Vormetric stand at Infosec to learn more about how to protect what matters.
Paul Ayers, VP EMEA at Vormetric.