Security concerns in outsourcingAn Introduction to Seclore InfoSource

Abhijit TannuCTO

www.seclore.com

The problem

The problem

The problem

The problem

The problem

In 2010, the total size of the outsourcing market is expected to be about USD 154B

~USD 1.9B will be spent on proactive and reactive actions on information breaches

An average breach costs an enterprise USD 6.75 M in direct costs

The risks - Human

Each person in the chain of outsourcing process handoffs represents a “risk”

*High man power churn typical to the industry

=Mother of all HR problems !!

This element of risk is indispensable, intelligent, adaptive and prone to greed !

The risks – Legal and compliance

Legal cover for malfunction for any of the risks is critical

Outsourcing process is typically under compliance norms of various country specific norms,

compliance frameworks and cross border data flow agreements

Liability is largely spread across multiple entities and reputation risks are not covered

Insurance is at-best, high cost !

The risks - technology

Information through the lifecycle of creation – storage – transmission – use – archival & deletion

represents one of the biggest risks

Multitude of information systems with hand offs have shown themselves to be prone to breaches

Controls are typically built into individual applications

Information exchange in outsourcing

• Remote application access is provided• Vendor may be part of same network / domain• Vendor may be complete disconnected.

ENTERPRISE

Outsourcing partner

FirewallVPN Network

Outsourcing partner

Disconnected Network

Outsourcing partner

VPN

Remote Access

The underlying issues

Share it = It becomes his (also)Usage and access control separation is not possible

Share it once = Share it foreverNo possibility of information “recall” if relationships change

Out of the firewall = Free for allOnly legal contracts protect information outside the

“perimeter”

Illustration

BankBPO

BPO Employees doing data entry

Bank Employee

Kay Bank outsource it’s data entry work to a remotely located business partner IntServices Pvt Ltd

Illustration

BankBPO

BPO Employees doing data entry

Bank Employee

Certain documents are scanned and image files are sent by a bank employee to the business partner via a secured FTP connection.

Illustration

BankBPO

BPO Employees doing data entry

Bank Employee

Different employees process the scanned image files to enter data into excel or database files. These files are sent back to bank via secured FTP.

Illustration

BankBPO

BPO Employees doing data entry

Bank Employee

Confidential data may be leaked by one of the employees to a telemarketer.

Telemarketer

A new concept in secure collaboration

RightLocation

RightTime

RightAction

RightPerson

Users from bank as well as outsourcing partner can access protected information provided it is -

• Right Person : Only pre-identified authorized persons / groups

• Right Action : Action performed by the processing application – View / Edit / Print / Full Control

• Right Time : Within the stipulated time

• Right Location : Only pre-identified trusted machines / applications

Defined by the enterpriseOutsourcing

partner

Illustration - AfterIllustration - After

BankBPO

BPO Employees doing data entry

Bank Employee

Kay Bank outsource it’s data entry work to a remotely located business partner IntServices

Illustration - AfterIllustration - After

BankBPO

BPO Employees doing data entry

Bank Employee

Certain documents are scanned and image files are protected & sent by a bank employee to the business partner via a secured FTP connection.

Illustration - AfterIllustration - After

BankBPO

BPO Employees doing data entry

Bank Employee

Different employees process the scanned image files to enter data into excel or database files. These files are sent back to bank via secured FTP.

Illustration - AfterIllustration - After

BankBPO

BPO Employees doing data entry

Bank Employee

Telemarketer

In case anyone attempts to make copies of the information and send it to an unauthorized user / location, the information becomes inaccessible

Illustration - AfterIllustration - After

BankBPO

BPO Employees doing data entry

Bank Employee

After legitimate use, Kay bank can ensure that information shared with or generate by Intservices is destructed

Introducing Seclore InfoSource

A technology for defining and implementing usage policies on information before sharing

Granular usage policies can define …Right person, Right action, Right time & Right location of usage

Policies are persistent and travel with the information wherever it goes

Introducing Seclore InfoSource

ENTERPRISE OUTSOURCING PARTNER

“Hot Folder” with pre-defined permissions for usage

Email, Web, FTP, Fileshare

Processing

Application

Introducing Seclore InfoSource

Outsourcing Partner

Source ApplicationProcessing Application

Enterprise

Processing ApplicationHot Folder

Anywhere else

About …About …Seclore is a high growth information security product company

focussed on providing Security without compromising collaboration

Seclore’s flagship product Seclore FileSecure is used by More than 1 million users & some of the largest enterprises

. . .

26

What customers say about us …What customers say about us …

Senior Vice President and CISO, HDFC Bank.

"In today’s world, where the boundaries of the organisation’s functionality are disappearing, we are dependent on different business providers to process our customer information. Given that requirement, we still want to control how that information is used and processed by the service providers. Seclore’s technology has allowed us to do that." - Vishal Salvi, CISO

27

Want to know more …Want to know more …

Website : www.seclore.com

Blog : blog.seclore.com

Email : info@seclore.com

Phone : +91-22-4015-5252