Article

OWASP AppSec Asia 2009 highlights offshoring security concerns

Dhwani Pandya, Principal Correspondent

OWASP AppSec Asia Conference 2009, one of India's largest security conferences, started off with significant participation from the Indian information security community on November 17, 2009. Organized by Securitybyte at Gurgaon, the event discussed issues like application security, remote user management, cloud security concerns, international cyber crimes and compliance during the first day. Securitybyte, a brainchild of OWASP, was formed to build an end to end information security knowledge sharing platform. While last year's conference was organized singlehandedly by OWASP, the organization partnered with Securitybyte this year to showcase a diverse range of security-related subjects and issues.

The first day of OWASP AppSec Asia Conference 2009 ended with a panel discussion on security concerns in offshoring. This panel consisted of eminent security professionals from varied backgrounds such as Vakul Sharma, a lawyer from the Supreme Court of India; Kamlesh Bajaj, the CEO of Data Security Council of India (DSCI); Terry Thomas, partner, Ernst & Young; Raghavendra Vaidya, the CIO of GE Capital; Pankaj Agrawal, the CISO of Aircel Ltd and Sunil Gujral, the executive vice president and CTO of Quatrro BPO.

The panel was moderated by Howard Schmidt, former special advisor of cyberspace security for the White House. This discussion started off with opinions on the top offshoring security challenges faced by members. According to Sharma, India still lacks surveillance

Requires Free Membership to View

capability, even though the IT amendment Act has come into force. Bajaj opined that outsourcing of IT does not mean outsourcing governance, since accountability and responsibility still lies with the outsourcer. Gujral pointed out that service providers are required to enormous amount of compliance and audits, so management of this aspect is a major issue.

According to Thomas, the inability of service providers to take information security to a strategic level is the major offshoring infosec issue. In most cases, security is treated as an operational or tactical measure. Agrawal says that employees of service providers frequently change jobs, thus creating scenarios where it becomes very difficult to secure critical business data.

On being asked about their best achievements in the areas of improving information security in offshoring, Sharma and Bajaj mentioned that the IT amendment act and DSCI framework (soon to be launched) are steps which will go a long way in proving the seriousness of India's data protection regime. Bajaj explained that filing of compliance checklists does not provide enough security as such, so DSCI will also come up with an implementation methodology. "However, we are facing a major challenge when it comes to determining the extent of how prescriptive best practices can be," said Bajaj.

Service providers (as well as outsourcers) provided examples of their successful information security related initiatives. Gujral explained that adhering to compliance is often boring for employees. Hence Quatrro's team created skits on compliances and information security to explain how the BPO is required to follow regulations. According to Thomas, audits and compliance requirements cover up to 90% of the common security requirements. He suggested the building of a strong audit plan which covers these common factors.

Vaidya pointed out the concerns of letting service providers access organizational networks and dealing with multiple service providers (with differing security levels). To resolve this issue, GE India came up with a program for partner certification, where they are required to follow the same level of security standards. On this front, Agrawal detailed how Aircel's identity and access management initiative has helped it solve identity provisioning and deprovisioning issues.

The panel also struggled to determine whether compliance drives security or security drives compliance. Bajaj explained that Indian companies need to work out the cost of security breaches to the company, which will help them understand why compliance is essential. Gujral recommended that the company can start with basic hygiene. Later, by the nature of its business, the organization can decide to become compliant with related regulations.