Blogger: Randall Gamby

As briefly mentioned in a Burton Group IdPS blog and a ZDNet Australia published article on July 3, 2008, HR data from Google was stolen from one of their previous HR outsource partners.  It seems that the partner, Colt Express Outsource Partners, had equipment stolen that contained HR data from some of its clients, including Google.  The data was unencrypted and stored on systems that were apparently portable.

So what does this mean for all of us? 

First, it shows that even large SaaS companies like Google can be bitten by a lack of security at their partners, just like many of us can.  Burton Group has been warning clients for a long time about the dangers of sending confidential information to outsource partners without proper security and audit processes in place. Of course this should also be backed by strong contractual language. 

Second, be prepared to pay.  Even if Google had breach mitigation terms in their contract, Colt Express announced that it was in financial difficulty. So Google has had to pay for financial reporting and other compensation to its own employees, even though Google did nothing wrong. 

Third, a Google representative stated "We take the security of our employees very seriously and require outside vendors to meet appropriate security standards. We review and update these standards on an on-going basis.”  Does this mean that Google doesn’t require encryption of its confidential information since encryption of the data was not deployed at Colt Express?  When working with third parties, whether it’s financial data or confidential personal data, this information needs to be protected from unauthorized access. One of the simplest ways is encrypting the data while at rest, regardless of where it’s located. 

Final, the Colt Express breach brings to mind a question Burton Group is always asking: “What is your exit strategy if the contract is terminated with your outsourcing partner?”  A lot of effort is expended in creating an outsourcing agreement around use and protection of data, but what happens when the contract is ended?  Do you obtain and retain the information the outsource partner maintained?  Do you have the outsource partner destroy the information and any archives of it (and verify this was done)?  Do you create a custodial contract with the outsourcing partner for them to maintain the information and archives on your behalf (ensuring the data is properly protected)?  As was found in this incident, after their contract with Google was terminated the outsourcing partner apparently retained the employee data unencrypted on their servers. This was the fatal mistake that allowed the breach to occur.

So as you work with your outsourcing and SaaS vendors, you should not only consider how day-to-day operations should be secured to maintain the confidentiality of your data. You should also think about how that data is being maintained over time, and what are your procedures should the unthinkable happen if your partner allows your data to be compromised.

Blogger: Randall Gamby

As briefly mentioned in a Burton Group IdPS blog and a ZDNet Australia published article on July 3, 2008, HR data from Google was stolen from one of their previous HR outsource partners.  It seems that the partner, Colt Express Outsource Partners, had equipment stolen that contained HR data from some of its clients, including Google.  The data was unencrypted and stored on systems that were apparently portable.

So what does this mean for all of us? 

First, it shows that even large SaaS companies like Google can be bitten by a lack of security at their partners, just like many of us can.  Burton Group has been warning clients for a long time about the dangers of sending confidential information to outsource partners without proper security and audit processes in place. Of course this should also be backed by strong contractual language. 

Second, be prepared to pay.  Even if Google had breach mitigation terms in their contract, Colt Express announced that it was in financial difficulty. So Google has had to pay for financial reporting and other compensation to its own employees, even though Google did nothing wrong. 

Third, a Google representative stated "We take the security of our employees very seriously and require outside vendors to meet appropriate security standards. We review and update these standards on an on-going basis.???  Does this mean that Google doesn???t require encryption of its confidential information since encryption of the data was not deployed at Colt Express?  When working with third parties, whether it???s financial data or confidential personal data, this information needs to be protected from unauthorized access. One of the simplest ways is encrypting the data while at rest, regardless of where it???s located. 

Final, the Colt Express breach brings to mind a question Burton Group is always asking: ???What is your exit strategy if the contract is terminated with your outsourcing partner????  A lot of effort is expended in creating an outsourcing agreement around use and protection of data, but what happens when the contract is ended?  Do you obtain and retain the information the outsource partner maintained?  Do you have the outsource partner destroy the information and any archives of it (and verify this was done)?  Do you create a custodial contract with the outsourcing partner for them to maintain the information and archives on your behalf (ensuring the data is properly protected)?  As was found in this incident, after their contract with Google was terminated the outsourcing partner apparently retained the employee data unencrypted on their servers. This was the fatal mistake that allowed the breach to occur.

So as you work with your outsourcing and SaaS vendors, you should not only consider how day-to-day operations should be secured to maintain the confidentiality of your data. You should also think about how that data is being maintained over time, and what are your procedures should the unthinkable happen if your partner allows your data to be compromised.

I wanted to take a quick moment to welcome Samuel Colt Van Ryder to the blogosphere. I know Sam for a number of years now. He was a sales person here at StillSecure for a long time working both with channel partners and direct sales. During that time I got to know Sam pretty well.  He is an interesting fellow.  A genuine Texan, Sam is a descendant of the Colt 45 Colts.  He moved to Switzerland, where he met his wife.  They then moved back to Texas where he has raised his family and worked in the security industry.  Always a stand up professional, I have stayed in touch with Sam after he left our company and went to work at Alert Logic. 

It seems that Sam has grown tired of trying to get Misha to blog regularly on the Alert Logic blog, so he has taken it over himself.  He posted his first article today. Good for Sam and we will be reading to see what he adds to our community discussions.  Welcome aboard Sam!

Speaking of community, the Alert Logic blog was already a member of the Security Bloggers Network.  However, the network is over 135 blogs strong with a combined distribution of 50,000 feedburner subscribers!  You can subscribe to the combined feed of all of these blogs by clicking here.

I wanted to take a quick moment to welcome Samuel Colt Van Ryder to the blogosphere. I know Sam for a number of years now. He was a sales person here at StillSecure for a long time working both with channel partners and direct sales. During that time I got to know Sam pretty well.  He is an interesting fellow.  A genuine Texan, Sam is a descendant of the Colt 45 Colts.  He moved to Switzerland, where he met his wife.  They then moved back to Texas where he has raised his family and worked in the security industry.  Always a stand up professional, I have stayed in touch with Sam after he left our company and went to work at Alert Logic. 

It seems that Sam has grown tired of trying to get Misha to blog regularly on the Alert Logic blog, so he has taken it over himself.  He posted his first article today. Good for Sam and we will be reading to see what he adds to our community discussions.  Welcome aboard Sam!

Speaking of community, the Alert Logic blog was already a member of the Security Bloggers Network.  However, the network is over 135 blogs strong with a combined distribution of 50,000 feedburner subscribers!  You can subscribe to the combined feed of all of these blogs by clicking here.