Title: Seclore InfoSource - Security Concerns in Outsourcing
1. Security concerns in outsourcing
An Introduction to Seclore InfoSource
Abhijit Tannu, CTO
www.seclore.com
2-6. The problem
- In 2010, the total size of the outsourcing market is expected to be about USD 154B
- USD 1.9B will be spent on proactive and reactive actions on information breaches
- An average breach costs an enterprise USD 6.75 M in direct costs
7. The risks - Human
- Each person in the chain of outsourcing process handoffs represents a risk
- High manpower churn typical of the industry
- Mother of all HR problems!
- This element of risk is indispensable, intelligent, adaptive and prone to greed!
8. The risks - Legal and compliance
- Legal cover for malfunction for any of the risks is critical
- Outsourcing process is typically subject to various country-specific norms, compliance frameworks and cross-border data flow agreements
- Liability is largely spread across multiple entities and reputation risks are not covered
- Insurance is, at best, high cost!
9. The risks - Technology
- Information through the lifecycle of creation, storage, transmission, use, archival and deletion represents one of the biggest risks
- Multitude of information systems with handoffs have shown themselves to be prone to breaches
- Controls are typically built into individual applications
10. Information exchange in outsourcing
- Remote application access is provided
- Vendor may be part of same network / domain
- Vendor may be completely disconnected
[Diagram: ENTERPRISE and three Outsourcing partners; labels: Disconnected Network, VPN, VPN Network, Remote Access]
11. The underlying issues
- Share it: It becomes his (also)
  - Usage and access control separation is not possible
- Share it once: Share it forever
  - No possibility of information recall if relationships change
- Out of the firewall: Free for all
  - Only legal contracts protect information outside the perimeter
12. Illustration
[Diagram: Bank, Bank Employee, BPO, BPO Employees doing data entry]
Kay Bank outsources its data entry work to a remotely located business partner, IntServices Pvt Ltd.
13. Illustration
[Diagram: Bank, Bank Employee, BPO, BPO Employees doing data entry]
Certain documents are scanned and image files are sent by a bank employee to the business partner via a secured FTP connection.
14. Illustration
[Diagram: Bank, Bank Employee, BPO, BPO Employees doing data entry]
Different employees process the scanned image files to enter data into Excel or database files. These files are sent back to the bank via secured FTP.
15. Illustration
[Diagram: Bank, Bank Employee, BPO, BPO Employees doing data entry, Telemarketer]
Confidential data may be leaked by one of the employees to a telemarketer.
16. A new concept in secure collaboration
[Diagram: Right Location, Right Time, Right Action, Right Person; labels: Outsourcing partner, Defined by the enterprise]
- Users from bank as well as outsourcing partner can access protected information provided it is:
  - Right Person: Only pre-identified authorized persons / groups
  - Right Action: Action performed by the processing application: View / Edit / Print / Full Control
  - Right Time: Within the stipulated time
  - Right Location: Only pre-identified trusted machines / applications
17. Illustration - After
[Diagram: Bank, Bank Employee, BPO, BPO Employees doing data entry]
Kay Bank outsources its data entry work to a remotely located business partner, IntServices.
18. Illustration - After
[Diagram: Bank, Bank Employee, BPO, BPO Employees doing data entry]
Certain documents are scanned and image files are protected and sent by a bank employee to the business partner via a secured FTP connection.
19. Illustration - After
[Diagram: Bank, Bank Employee, BPO, BPO Employees doing data entry]
Different employees process the scanned image files to enter data into Excel or database files. These files are sent back to the bank via secured FTP.
20. Illustration - After
[Diagram: Bank, Bank Employee, BPO, BPO Employees doing data entry, Telemarketer]
In case anyone attempts to make copies of the information and send it to an unauthorized user / location, the information becomes inaccessible.
21. Illustration - After
[Diagram: Bank, Bank Employee, BPO, BPO Employees doing data entry]
After legitimate use, Kay Bank can ensure that information shared with or generated by IntServices is destroyed.
22. Introducing Seclore InfoSource
- A technology for defining and implementing usage policies on information before sharing
- Granular usage policies can define
  - Right person,
  - Right action,
  - Right time
  - Right location of usage
- Policies are persistent and travel with the information wherever it goes
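A sketch of how a four-part usage policy of this kind could be evaluated at each access attempt, using the Kay Bank / IntServices scenario from the illustration slides. This is an added example, not Seclore's code or API: `UsagePolicy`, `AccessRequest`, `evaluate`, the group and machine names, the dates, the recall flag and the rule that Full Control implies every other action are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class UsagePolicy:              # hypothetical model, not the product's schema
    grants: dict                # person or group -> set of permitted actions
    not_before: datetime        # start of the stipulated time window
    not_after: datetime         # end of the stipulated time window
    trusted_machines: set       # pre-identified trusted machines
    revoked: bool = False       # owner recalls the information after sharing

@dataclass
class AccessRequest:
    user: str
    groups: set
    action: str                 # View / Edit / Print / Full Control
    when: datetime
    machine: str

def evaluate(policy, req):
    """Default deny: person, action, time and location must all match."""
    if policy.revoked:
        return False, "recalled by owner"
    permitted = set()
    for principal in {req.user} | req.groups:
        permitted |= policy.grants.get(principal, set())
    if not permitted:
        return False, "wrong person"
    # Assumption: Full Control implies every other action.
    if req.action not in permitted and "Full Control" not in permitted:
        return False, "wrong action"
    if not (policy.not_before <= req.when <= policy.not_after):
        return False, "wrong time"
    if req.machine not in policy.trusted_machines:
        return False, "wrong location"
    return True, "ok"

# Constructed sample policy for the scanned image files sent to the BPO.
UTC = timezone.utc
POLICY = UsagePolicy(
    grants={"bpo-data-entry": {"View"}, "bank-ops": {"Full Control"}},
    not_before=datetime(2010, 1, 4, tzinfo=UTC),
    not_after=datetime(2010, 1, 8, tzinfo=UTC),
    trusted_machines={"BPO-WS-01", "BANK-WS-07"})

def ask(user, groups, action, machine, when=datetime(2010, 1, 5, 10, tzinfo=UTC)):
    return evaluate(POLICY, AccessRequest(user, groups, action, when, machine))[1]

def demo():
    g = {"bpo-data-entry"}
    return [ask("clerk1", g, "View", "BPO-WS-01"),         # legitimate data entry
            ask("clerk1", g, "Print", "BPO-WS-01"),        # action not granted
            ask("clerk1", g, "View", "HOME-PC"),           # copy on untrusted machine
            ask("telemarketer", set(), "View", "BPO-WS-01"),
            ask("clerk1", g, "View", "BPO-WS-01", datetime(2010, 2, 1, tzinfo=UTC))]
```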
23. Introducing Seclore InfoSource
[Diagram: ENTERPRISE and OUTSOURCING PARTNER; labels: Processing Application; Email, Web, FTP, Fileshare; Hot Folder with pre-defined permissions for usage]
24. Introducing Seclore InfoSource
[Diagram: Enterprise and Outsourcing Partner; labels: Source Application, Hot Folder, Anywhere else]
25. About
Seclore is a high growth information security product company focussed on providing Security without compromising collaboration.
Seclore's flagship product Seclore FileSecure is used by
- More than 1 million users
- some of the largest enterprises
. . .
26. What customers say about us
"In today's world, where the boundaries of the organisation's functionality are disappearing, we are dependent on different business providers to process our customer information. Given that requirement, we still want to control how that information is used and processed by the service providers. Seclore's technology has allowed us to do that."
- Vishal Salvi, CISO
Senior Vice President and CISO, HDFC Bank.
27. Want to know more
Website: www.seclore.com
Blog: blog.seclore.com
Email: info_at_seclore.com
Phone: 91-22-4015-5252