Security in software outsourcing

May 07, 2015

One of the first things that comes to mind when thinking about outsourcing a software project is related to data security, and this is exactly what we're going to cover today.

Outsourcing started to rise in the mid '80s due to companies' needs to get rid of non-essential processes (in order to be able to focus more on core activities), to cut costs and improve production quality. So instead of having, for example, an in-house software development department, some companies decided to delegate this process to an external provider, which was specialized in this area.

Is software outsourcing secure?

Over the years, the software outsourcing market has evolved rapidly, and now entire projects are being outsourced to third party software companies, and of course this has raised security concerns for prospective customers. So taking this into consideration, what are the main security concerns out there?

1. Physical security – Although not as prevalent as the other threats listed below, physical security might pose a problem, because laptops, PCs, servers and hard drives that contain important data can be stolen. However, this can be prevented by using security measures such as alarm systems, video surveillance cameras and locked server rooms. So nothing new here...

2. Logical security – Outsourcing a software project will provide the third party company with access to a range of information about the customer’s infrastructure, security measures, and internal resources. Protecting this type of information can be easily done by asking the outsourcing provider to follow strict contractual obligations (which also include enforcing and maintaining well documented information control procedures).

If this is too vague, here's what I mean by "information control procedures":

- Using a proxy application which restricts inbound and outbound traffic, and allows only certain ports to function, depending on the particular needs (Port 80, anyone?)
- Preventing or restricting the usage of USB storage devices
- (if the provider has a work-from-home policy) Remote work must be regulated by strict access procedures
- Updating credentials on a periodic schedule (and also in certain particular situations, for example when an employee leaves the company)
- Permanently monitoring the direct internet connections

3. Legal consequences – “Outsourcing involves two entities entering into an extremely intimate commercial relationship... which in itself is a recipe for legal complications.”[1] A way of avoiding the risks involved in such a partnership is to sign an NDA document (more details below).

Overall, it's quite obvious that every company is exposed to such security issues (even if it does not outsource any project!) and this is demonstrated by the recent Sony hack, which resulted in a huge theft of confidential data and cost Sony over $15 million (and MASSIVE reputation damage).

Looking for a secure outsourcing partner?

After tackling the above concerns about security, we should now determine what characteristics a software company should have in order to be considered a reliable software outsourcing provider.

In an outsourced environment, the customer is no longer in direct control of the IT functions, so the outsourcing provider must prove that it maintains certain procedures and controls in order to secure the customer’s needs. In relation to this, 3rd party security certifications (such as ISO 27001 or ISO 20000) are definitely a plus for any software outsourcing company.

Another way to ensure that things go smoothly is to make sure that the software outsourcing provider is willing to sign an NDA (Non-Disclosure Agreement). This agreement greatly benefits the customer (as the outsourcing company is legally bound to comply with it), which in turn greatly diminishes the probability of running into an unfortunate situation. For example, European Union countries have a strict body of law, which in combination with various legal documents (such as an NDA) will secure the intellectual property of the customer.

Last but not least, the customer should look for an experienced software outsourcer, one that has proved itself in the past by providing reliable outsourcing services (and is able to present a portfolio that reflects this fact).

It's clear that there are many procedures and legal means through which a software outsourcing company can guarantee security for its customers, and considering the above, it feels like an overstatement to say that software outsourcing is not secure. What is your opinion on that? 

[1] Source: Gay, Charles E.; James Essinger; Inside Outsourcing: The Insider's Guide to Managing Strategic Sourcing, London, Nicholas Brealey Publishing, 2000




© 2017 SBP Romania. All rights reserved.