Security and Compliance: Managing the Design Process with Outsourced Personnel

Typography

Smaller Small Medium Big Bigger
Default Helvetica Segoe Georgia Times
Reading Mode

The problems of building systems that meet the requirements of security and corporate compliance are difficult enough when designing and building an application in-house. The complexity of meeting these requirements increases exponentially when IT departments outsource the projects to personnel who are no longer onsite. It is possible that an outsourcer could deliver a product that does not meet the security requirements of the organization, opening up potential compliance problems that go unaddressed by IT.

Project managers and application designers for outsourced development applications are experiencing security challenges of a magnitude they have not seen before. Is that self-inflicted through corporate paranoia, or is it an absolute necessity?

Simplistically, the problems caused by the management of such projects can be compared with the challenges parents have with their teenagers. Most parental coaching manuals stress the importance of trusting your children and granting them some freedom. Therefore, parents give their offspring some freedom to make decisions for themselves, and the parents pronounce that they trust them. But how far do they trust them? Are these the same parents installing software to control PC and instant messaging access? Do the parents check out their children's MySpace pages? Are they reading their children's journals and tidying bedrooms with eagle eyes?

In the same way, an IT organization would not normally engage in an outsourcing project with a provider it doesn't trust. That would be foolish. But will the organization be stricter than with its in-house staff? Will it define strong rules and audit, audit, audit? You bet it will.

One overriding point throughout this article is that the scale of the project has a massive impact on the security requirement. As more and more SMBs consider some aspect of development outsourcing, a lot can be learned from the large projects that have gone before.

Wikipedia describes outsourcing this way: "Outsourcing (or contracting out) is often defined as the delegation of non-core operations or jobs from internal production within a business to an external entity (such as a subcontractor) that specializes in that operation. Outsourcing is a business decision that is often made to lower costs or focus on core competences."

But that definition can cover many different scenarios. Introducing consultants and contractors for IT development projects is nothing new. Projects with outside resources always present more management and security challenges than wholly in-house projects. However, each project within this broad range will have different security needs, especially if we consider the project types:

Contracting with an ex-employee who is now independent but has the right skills and knowledge to be a consultant on legacy applications
Contracting resources from a cheaper part of the same country—for example, "farmsourcing"
Outsourcing to major players such as IBM Global Services, EDS, etc.
Outsourcing to software providers with some development teams overseas
Outsourcing to software providers with only a sales presence locally and all developers overseas
Creating shared companies with overseas development organizations
Creating a development resource company in a foreign country, often called "captive subsidiaries"

Each of these presents its own challenges and levels of risk. Obviously, as risk increases, the need for stronger security mechanisms increases, too. The most risky outsourcing project is the situation in which development resources are located in another country and provided by a totally separate organization. It is this type of scenario that raises the most security concerns; however, many apply to local outsourcing projects, too.

It is easy to slip into the mindset that "we" are good and the outsourcers are bad, but that is far from the truth. Speak to many of outsourcing providers, and their verbal commitment to IT security is blatantly obvious. Organizations should look for a provider with a such a mindset. This highlights another important aspect when choosing a partner: Organizations should look for an outsourcer with a similar level of project organizational maturity. To quantify this, organizations have in the past utilized standards that grew out of ISO 9001 to cover "quality" in development project management. One that has been used regularly over the last 20 years or so is the Capability Maturity Model (CMM). Many organizations have already evaluated their own level of process organization and should look for a developer with a similar level of maturity. CMM, which was developed out of the Software Engineering Institute at Carnegie Mellon, has since been sunsetted with the introduction of a newer model called Capability Maturity Model Integration (CMMI).

To analyze the security requirements for an outsourcing project, we can split the project into discrete sections. Some security issues span, or affect, more than one of these categories and may be mentioned multiple times:

Project definition
Design
Technology infrastructure
Skills/knowledge transfer
Development
Testing and QA
Audit

Project Definition

A manager I worked for once told me that contracts were only written in case one of the signatories passed away! He believed that business relationships were directed by the personal relationships of the people involved and that any issues that arose would be addressed without recourse to the contract paperwork.

I am sure everyone can think of at least one situation in which that was blatantly not the case. Outsourced projects need good, strong, detailed contracts between the parties involved. Failure to take every precaution at this stage would be a disaster waiting to happen. Stop and think of the reason outsourcing projects take place. In the majority of cases, the answer is money. The client organization is looking for a cost-effective way to produce applications.

So what is the tradeoff organizations have to accept in order to get these savings? One reason for the cost-savings is that the outsourcer is in a region that has different standards and expectations for privacy and data protection. This is not to say they are more insecure, just that there may not be a culture of security and their legal system may not provide the same protection. This is similar to employing a building contractor who does not know, or adhere to, local building codes. It may be cheaper, but it could cause problems later.

In addition to the general items, the contract must address these security issues:

Intellectual property rights
Federal and industry regulations
Privacy
Country/state of jurisdiction
Non-compete clauses
Exit options—Discrete points along the way where it might be useful to end the relationship if security issues arise
Results of failure to deliver by either side
Arbitration—Whether this can be used, rather than the more expensive and slower legal systems
Personnel expectations—For example, whether developers are allowed to work on other companies' projects or whether third-party contractors are allowed

Design

In some development departments, personnel have been working for the same business on the same applications for so long that the designer intentionally omits some design details. It is a great luxury not to have to explain the business, demonstrate the tools, and discuss the users' expectations in order to get a quality result.

However, in an outsourcing environment, the documentation must be complete. If the developers working for the outsourcing company are located in a different region of the world, they may have no understanding of what the application will do for the end user. Hence, a detailed specification document is required. However, the organization must maintain control of that document. Whether the company is a software developer or an organization needing an in-house application to run its business, loss of design documents can lead to loss of business advantage.

The type of design documentation, its expected flow, and its rules for use must be defined up front. In large outsourcing contracts, the development resources often never get to see a printed copy of the design specifications they are working from. The PC could be locked down so that the developer cannot transmit the document somewhere else, plug in a flash drive, etc. These severe and draconian measures are important to ensure that both parties are comfortable in the business relationship.

Technology Infrastructure

As mentioned, many companies insist on a high level of security for the hardware the outsource developers are using. This extends not only to the individual PCs but also to the infrastructure between the two organizations. Some outsourcers connect to their client's systems through shared lines to save expense. Companies must determine whether the possibility exists that another partner or client of the outsourcer could connect to their production systems or even just scan and steal documentation and coding that is being transferred. How should an organization react to such a risk? One option is to insist on a separate line for the organization's project and resources (which will erode some of the cost savings the client was hoping for) or to impose security restrictions/technologies on the shared lines (which will also erode the cost savings).

Some large outsourcing projects specify that the client has the right to build the PCs and servers that the developers are to use during the project to ensure that the correct security procedures are in place. Other organizations use technology to enforce the environment they need. For example, virtualization software provider VMware markets a product called ACE (Assured Computing Environment) that can encapsulate a total environment for the developer to work on. It can be configured so that developers can still access their emails, other clients' development environments, the Internet, etc. without compromising the security of the development model.

Other technology solutions may be required to enforce the right standards for the developers' PCs when they connect to an organization's own systems. As an example, it is important that virus definitions and OS patches are at the right level before allowing access to the network.

Skills/Knowledge Transfer

With any project, transferring business and application knowledge to the developers is an important aspect of the process. Similarly, transferring technical skills cannot be underplayed. When choosing an outsourcing provider, an organization should always try to find a good match within the developer base, but it is unlikely to be a perfect match, especially with legacy environments, such as some of the older iSeries technologies. It is critical during the partner search phase of the project that the outsourcing provider makes commitments regarding the skills available within its developer team, including specific details as to which person has those skills.

However, such commitments will be of no use if the developer assigned to the project resigns or is reassigned to a new project. Monitoring developer personnel is a critical ongoing task, especially if the developer has IDs permitting him to access the client's own systems. Because of these concerns, companies often decide to employ third-party organizations to verify that the personnel commitments made by the outsourcer are being met.

The type of application development project chosen to be outsourced can be vary greatly, but all have their own types of challenges. For example, one view is that maintenance of an old legacy system is a good choice for outsourcing so that internal development can focus on newer technologies. However, the skills transfer on the old application can lead to the type of privacy exposure documented above. Another view is that a completely new application is the right type of project, partly because there would be less skills transfer concerning the old processes; however, there would be more knowledge transfer related to the business. Whichever type of project an organization has available for outsourcing, it is guaranteed that considerable skills transfer will be necessary.

Development

Maintaining control of an outsourced project has the same basic requirements as traditional in-house development, just taken to the next degree. Even the least paranoid project manager has at some time wondered whether his own developers have inserted some rogue coding into applications. The worry is that, at some point in the future, a disgruntled person could activate that coding and cause all sorts of havoc. For example, the application could transfer the rounding errors to rogue bank accounts or the application could ignore the security restrictions if the user name is JHACKER.

Now hold that thought, and apply it to an outsourcing project, where the developers are in a poorer region of the world or a country with potential political instability. Could these factors influence a developer to introduce some sort of rogue coding into the application? An organization could try to review the coding details of every part of every application, but that will likely negate the cost benefits of outsourcing. More sensible is an organized, though random, audit of selected elements of the application.

Testing and Quality Assurance

One challenge for the organization is to ensure that the quality-testing phase does not become the most onerous part of the project. Despite good design documentation, skills transfer, and such, will the developer really understand the requirements and will the discussions between designer and developer work well across geographical and social boundaries? At least in the early stages of the project, it is critical to regularly check that the developers are interpreting the designs correctly. It is not sensible to wait too long to start the QA process.

One aspect of security that is often overlooked, even during in-house development, is the privacy of the available test data. Of course, outsourcing companies require good test data to prove their applications, but what does that test data contain? Of course, the current live corporate data is the best source of application information; however, it is critical that all useful and identifiable data is replaced before handing it over for use in testing. For example, a customer file with real customer names and real prices may be of value to competitors; therefore, it should be used as test data only if some of the data contents are changed.

Audit

Most of the elements highlighted above need to be strictly audited on a regular basis. Sadly, figures show that less than a quarter of clients audit the security of their outsourcing partners. Given the difficulties in doing this, it is not surprising. For example, will a client send a consultant to check the outsourcer's premises for physical security and proper use of design documentation every quarter—or even every year?

If the outsourcing developers have access to their clients' production systems for implementation issues and ongoing support, are the IDs being checked for appropriateness of access? Is that a part of the client's internal audit processes?

In many global outsourcing centers of the world, the outsourcers have matured to a security standard that is comparable to those of the client. This can still cause challenges as the outsourcer may have set those standards to meet one particular client, maybe their first large contract, but these may not meet all clients' standards. It is difficult for the outsourcer to make all clients happy at the same time.

Successful Outsourcing

A number of themes run through this article. First, the risk (or at least the perceived risk) is greater with outsourced development projects. Second, there is a delicate balance between trust and compliance; organizations must audit to the level they are comfortable with. Finally, as more and more SMBs take their first steps in remote development, a lot can be learned from the way the big boys have run their projects. However, trying to emulate all of the processes, tools, and methodologies that the larger companies have used will very quickly erode the cost savings associated with an outsourced development project.

Martin Norman is Senior Systems Engineer for SafeStone Technologies, an IBM BP specializing in compliance and identity management. As one of the original developers of SafeStone's security portfolio, Martin has performed security audits and advised on installations for clients throughout the United States and Europe. Martin can be contacted at This email address is being protected from spambots. You need JavaScript enabled to view it..

Also Read

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Book Reviews

Book Review: Extract, Transform, and Load with SSIS

Do your business apps access different data sources? This book shows you how to make that task easier
Book Review: 21st Century RPG: /Free, ILE, and MVC

David Shirey’s first book is an educational and entertaining read for “modern” and “old” RPG programmers alike
Book Review: Developing Business Applications for the Web--With HTML, CSS, JSP, PHP, ASP.NET, and JavaScript

If you are ready to get into Web application development, take this book along as your guide
Book Review: DB2 10.5 Fundamentals for LUW: Certification Study Guide (Exam 615)

DBAs who use the book will find it very helpful first in their test study and later as a reference book.
Book Review: DB2 11 for z/OS Database Administration—Certification Study Guide

This is a well-written DB2 11 book that could easily stand on its own as a reference manual, not just a certification guide.
Book Review: Free-Format RPG IV, Third Edition

Jim Martin comes through for us again.
Book Review: IBM i Security Administration and Compliance, Second Edition
Book Review: Programming in ILE RPG, Fifth Edition

This book really hits the mark and is a must-read for all RPG developers.
Book Review: DB2 10.1/10.5 for Linux, UNIX, and Windows Database Administration: Certification Guide
Book Review: Subfiles in Free-Format RPG

Whether you're a newbie or a seasoned pro, this book has something for you.
Book Review: Evolve Your RPG Coding: Move from OPM to ILE ... and Beyond

This book provides an amazingly comprehensive introduction to the concepts while at the same time delivering enough technical detail to make you productive very quickly.
Book Review: Database Design and SQL for DB2
Book Review: The Chief Data Officer Handbook for Data Governance

When implemented appropriately, data governance is a powerful framework.
Book Review: DB2 10 for z/OS: The Smarter, Faster Way to Upgrade

Trying to figure out whether to upgrade? Read on.
Book Review: 5 Keys to Business Analytics Program Success
Book Review: DB2 11: The Ultimate Database for Cloud, Analytics, and Mobile
Book Review: Flexible Input, Dazzling Output with IBM i

Today, it's all about input and output. Getting data into the IBM i from non-traditional sources and then displaying it back out again in varied formats. But where can you go to learn all that you need to know about this critical skill?
Book Review: Advanced Guide to PHP on IBM i

Enterprise-level PHP skills and techniques have been adapted for IBM i developers in Kevin Schroeder's new book.
Book Review: Java for RPG Programmers

If you've been putting off learning Java, you have no excuse anymore!
Book Review: DB2 10.1 Fundamentals: Certification Study Guide

Too valuable to be classified as merely excellent certification material, this book should also rightly take its place on DB2 DBA bookshelves as a solid day-to-day DB2 reference.
Book Review: DB2 10 for Z/OS Database Administration: Certification Study Guide

Whether you're trying to get certified or you just need a great reference book, this is the book for you.
Book Review: Developing Web 2.0 Applications with EGL for IBM i

It's everything you need to know, from the bottom up.
Book Review: Advanced Integrated RPG

Isn't it about time somebody told us how to integrate RPG and Java?
Book Review: Managing Without Walls

If you manage remote or satellite teams, this book is a must-read!
Book Review: Managing Without Walls

If you manage remote or satellite teams, this book is a must-read!
Book Review: The Remote System Explorer

This book speaks directly to the thousands of IBM i programmers who develop in RPG, COBOL, CL, and DDS every day.
Book Review: IBM System i APIs at Work, Second Edition

API expert Bruce Vining delivers the only comprehensive guide to APIs.
Book Review: Functions in Free-Format RPG IV

This one short volume manages to essentially be both a general introduction and a detailed reference.
Book Review: DB2 11: The Database for Big Data and Analytics
Book Review: IBM Mainframe Security: Beyond the Basics

Beginners will have a strong foundation after reading this book. Experienced professionals will reference it frequently.
Book Review: IBM InfoSphere: A Platform for Big Data Governance and Process Data Governance

Find out how IBM is addressing the challenges of big data.
Book Review: Fundamentals of Technology Project Management

Projects can be overwhelming, but taken in small, deliberate steps, all projects are achievable.
Book Review: Customer Experience Analytics

Use CEA as a strategic weapon to stay ahead of your competitors.
Book Review: Big Data Analytics: Disruptive Technologies for Changing the Game

The disciplines of data analytics are evolving to meet the new challenges of big data.
Book Review: IBM i Security: Administration and Compliance

If you have any interest in IBM i security, whether as an administrator, a programmer, or an auditor, then this book is the perfect resource.
Book Review: DB2 9.7 for Linux, UNIX, and Windows Database Administration (Exam 541)

This book, written by the creator of the certification exam, reveals exactly what you'll need to know to prep for the test.
Book Review: Selling Information Governance to the Business

Who governs the information that runs your company?
Book Review: You Want to Do WHAT with PHP?

If you're serious about programming in PHP, get a book that treats you that way.
Book Review: The IBM i Programmer's Guide to PHP

Both a primer and a reference, this book is a must-have for anyone who wants to program in PHP.
Book Review: JavaScript for the Business Developer

There's no faster, easier way to become proficient in JavaScript.
Book Review: SOA for the Business Developer

If you want to know how SOA works in the real world, this is your book.
Book Review: DB2 9 Fundamentals

Whether you want to obtain an IBM certified DB2 professional certification or simply become well-rounded in the fundamental concepts of DB2 and general database theory, this is your book.
Book Review: The Modern RPG IV Language, Fourth Edition

This book isn't a training manual; it's a reference book.

Resource Center

Node.js on IBM i Webinar Series Pt. 2: Setting Up Your Development Tools

Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:
Profound Logic Solution Guide

More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.
Power10 Power Hour

IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:
Comply in 5! Well, actually UNDER 5 minutes!!

TRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now! Request Now.
Combating Ransomware: Building a Strategy to Prevent and Detect Attacks

Forms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.
Top IBM I Security Vulnerabilities and How to Address Them

IT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.
What Most IBM i Shops Get Wrong About the IFS

Can you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:
Backup and Recovery on IBM i: Your Strategy for the Unexpected

Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:
Manage IBM i Messages by Exception with Robot

Managing messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:
Easiest Way to Save Money? Stop Printing IBM i Reports

The thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:
Hassle-Free IBM i Operations around the Clock

For over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:
Why Migrate When You Can Modernize?

Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.
The Power of Coding in a Low-Code Solution

When it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:
Low Code: A Digital Transformation of Supply Chain and Logistics

Supply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:
Resource Center

The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit
Node Webinar Series Pt. 1: The World of Node.js on IBM i

Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.
IBM i Transformation Risks Every Business Leader Should Know

Join us for this hour-long webcast that will explore:
What to Do When Your AS/400 Talent Retires

IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn:

Analytics & Cognitive Categories

Latest Analytics & Cognitive News

Career Catgories

Latest Career News

Cloud Categories

Latest Cloud News

IT Infrastructure Categories

Latest IT Infrastructure News

News Categories

Latest News

Programming Categories

Latest Programming News

Security Categories

Latest Security News