Tata Communications Security Outsourcing – A Must-have for Entry into the Global Economy

www.tatacommunications.com


Executive Overview

In the current global economy, outsourcing is an accepted business strategy. Although price was once the de facto consideration in choosing a provider, today’s business climate raises additional concerns, such as compliance with industry and statutory requirements. For example, formal security standards, such as ISO 27001, are used to measure security readiness, and formal audits verify whether companies and their outsourcers are certified compliant. American, European and Asian organizations have accepted ISO 27001 as the primary security standard, and auditors consider ISO 27001 in assessing the maturity and comprehensiveness of an organization’s IT security plan.

Most security experts are accustomed to implementing and managing security technologies; however, continual monitoring is critical to compliance. Smaller companies find monitoring cost-prohibitive, and larger firms may lack the skills or time required for continual monitoring. Without monitoring, technology platforms act as the last line of defense, forgoing the opportunity to proactively identify incidents and to change security policies and practices accordingly so as to comply with standards.

Before tackling the complexities of procuring, implementing and managing security solutions to achieve compliance, companies should consider all options, including using in-house staff, hiring an integration firm, or contracting with a Managed Security Service Provider (MSSP). Although these approaches may be combined, relying on a subset of the total requirements may leave a firm lacking the requirements for ISO 27001 compliance. Key considerations in selecting the right approach include cost, expertise, overall fit of the solution and scalability as the company grows.

Any of these approaches may help a company meet the ISO 27001 standard. However, in-house compliance efforts are expensive — often higher than consulting an integrator or MSSP. Integrators may deliver a complete solution, but often lack the people and processes needed for accurate monitoring. MSSPs, however, deliver a balanced mix of people, processes and technology required for ISO 27001 audits, eliminating this responsibility for their customers. The combined skills, flexibility and experience MSSPs offer makes managed security a pragmatic approach to meeting the compliance requirements that help companies compete in a global economy.

The Case for Compliance

In a profit-driven, global economy where business processes are reinvented to increase profitability by a fraction of a percent, established and growing companies are quickly becoming part of the back office and supply chain of other firms. In the early days of offshoring and outsourcing, price was often the single determining factor for most organizations. But, as outsourcing has evolved as a widely accepted business strategy and companies’ needs have grown more sophisticated, additional concerns have arisen, such as the need to comply with industry and statutory requirements. Compliance is now a deciding factor for these firms so outsourcing providers are expected to deliver the desired compliance capabilities to achieve it. For example, for a U.S.-based firm to meet Sarbanes-Oxley compliance standards, it must validate that its suppliers also meet these requirements. In addition, in the case of data integrity, outsourcers now face the same obligations as their customers to ensure information security while acting as participants in a global economy.


Why Compliance Matters

Compliance mandates impact all outsourcing firms because outsourcers and suppliers act as part of an ecosystem that drives global companies. In this way, outsourcers are often responsible for:

• Sensitive client information
• Clients’ financial data
• Clients’ internal business processes

When an outsourcer allows any of this information to be compromised, the impact to the ecosystem, and therefore to the client, can include:

• Loss of customers
• Incorrect financial information, leading to inaccurate financial reporting
• Damage to the corporate reputation and brand
• Loss of competitive advantage

From an IT perspective, the technologies used to deliver the necessary protections include, for example, firewalls, Intrusion Detection and Prevention Systems (IDPS), virus and malware scanning, proxies, authentication systems, data loss prevention systems, integrity checking systems and vulnerability management solutions. When properly deployed, managed and monitored, these technologies can secure key business processes while acting as a critical component in demonstrating compliance.

Auditors focus on processes and procedures that indicate the success or failure of security systems, which result in a set of predictable, measurable outcomes. If processes and procedures normally safeguard information and ensure data integrity, then established protections are sufficient. Conversely, a firm’s inability to comply with recognized standards indicates a weakness in protecting both its own and its customers’ sensitive information, financial data and business processes. A well-defined security plan and appropriate technologies indicate an outsourcer’s ability to meet their clients’ needs.

Connecting Certifications and Compliance

Published in 2005, ISO 27001 is a standard that is specifically designed to ensure companies create a sound information security management strategy. ISO 27001 specifies requirements for establishing, implementing, monitoring and reviewing, maintaining and improving an overall management and control framework for managing an organization’s information security risks. Because it is a formal specification, ISO 27001 mandates specific requirements. Organizations that claim to have adopted ISO 27001 can therefore be formally audited and certified compliant with the standard.

American, European and Asian organizations have accepted ISO 27001 as the primary standard for implementing, managing and maintaining IT security controls. Accordingly, auditors consider ISO 27001 in assessing the maturity and comprehensiveness of an organization’s IT security plan. By extension, this standard should be a critical consideration for companies considering outsourcing security to an outside firm.


A Look at Security Compliance

To meet ISO 27001 requirements, outsourcers need to embrace a comprehensive set of people, processes and technologies. The “people” part of the equation includes security experts and their ability to continually monitor and measure technology efforts and provide feedback. Operating on the assumption that a robust security infrastructure is dynamic, an outsourcing staff must be adept at handling change to continually meet the company’s evolving needs.

The “process” part of the equation includes highly structured procedures that are rigorously managed and measured, including:

• Efficient and effective threat evaluation
• Swift response to all incidents that meet specified criteria
• Efficient and effective remediation for incidents
• Consistent, strong security policy enforcement
• Business continuity and alternate site recovery

All these processes are documented and verified as repeatable. Technologies used to ensure security compliance include:

• Perimeter security such as firewalls and IDS protect networked assets from external and internal breaches. These solutions require a vigilant team to deploy, tune, monitor and correlate security events within the network 24x7x365. Early-warning global threat visibility, event monitoring, correlation and attack recognition provide thorough and accurate incident detection and escalation.

• Authentication solutions help prevent unauthorized network access by leveraging two-factor authentication, requiring users to provide both a user-created Personal Identification Number (PIN) and a random token code generated by a hardware- or software-based token (authenticator) to validate user identities.

• Encrypted communication channels such as VPNs for transmitting information over public networks and, on occasion, private networks.

• Virus and malware scanning solutions detect and remove malicious software. Also, web filtering, antispam and antispyware services prevent blended attacks and/or unauthorized use from interrupting business.

• Distributed Denial of Service (DDoS) detection and mitigation solutions identify, report on and alert companies to Internet traffic anomalies to avoid the devastating impact of DDoS attacks.

• Vulnerability and patch management proactively identifies and remediates documented weaknesses in networks, operating systems and applications. Vulnerability management helps large-scale global deployments, providing discovery, scanning, reporting and remediation workflows to quickly and accurately identify and remediate security vulnerabilities.

• Enterprise-wide email protection filters and quarantines spam, viruses, malware and other harmful content before it reaches the network. Email threats can be blocked before they reach users, providing a high level of email security to help companies maintain productivity.

• Penetration testing is a localized, time-constrained and authorized attempt to breach the architecture of networks and systems using attacker techniques. This comprehensive testing can help determine the real level of network risk so corrective measures can be prioritized to set the overall direction for security strategy.


Most security experts are accustomed to implementing and managing these technologies. However, it is also critical to continually monitor these solutions. Smaller companies may find this level of monitoring cost-prohibitive to perform internally. And, although cost may not be an issue for midsize and large firms, many are unaccustomed to performing continual monitoring. Without aggressive monitoring, companies essentially trust technology platforms as a last line of defense, forgoing the opportunity to proactively identify incidents and make the necessary changes to security policies and practices within time frames that are effective.

IT executives usually decide whether solutions are sourced, managed, and maintained solely by a company’s own in-house IT staff or with varying degrees of assistance from integrators or Managed Security Service Providers (MSSPs) — provided the approach taken is sufficiently disciplined and robust to meet auditing requirements.

Choosing the Right Security Approach

For firms that have only basic security provisions in place, such as firewalls or antivirus solutions, standards such as ISO 27001 can present extreme challenges in light of existing skill sets, staffing commitments and budgets. Before tackling the complexities of selecting, purchasing, implementing and managing a comprehensive set of security solutions to achieve compliance, a firm should weigh several approaches before making a commitment. These approaches include:

1. Perform all compliance-related tasks internally — including hiring and retaining the appropriate security expertise to procure, install, configure, manage and monitor the solutions.

2. Hire an integration firm — if adept at security, the firm can help build the required architecture and can help procure, implement, manage and monitor technology solutions.

3. Contract with an MSSP for assistance — these firms can provide the networking and architectural background of an integration firm while also delivering the security expertise needed to procure, implement, manage and monitor the necessary technology solutions.

Although it is possible to combine elements of the above approaches, relying on a subset of the total requirements may leave a firm lacking the requirements necessary for ISO 27001 compliance. And, while compliance may exceed an organization’s stand-alone requirements for security, participation in the global ecosystem and global economy requires a higher level of commitment and investment — one that may exceed what business leaders believe is required for their own needs.

The key considerations in selecting the right approach to ensure security compliance are summarized below:

- Cost: Is it cheaper to outsource security or retain these activities in-house? Or, does it make sense to combine these approaches? Is it necessary to avoid capital expenditures and rely solely on operating expenses to achieve the desired solution?

- Expertise: Does the firm have the necessary skills and, if not, is it willing to invest in hiring and retaining the skilled staff required to install, maintain and monitor the required security infrastructure?

- Fitness of the solution: Can the firm find a notably better architecture from a certain type of supplier — typically one that is not focused on selling a narrow set of vendors’ offerings?

- Scale: As the firm grows and its needs evolve, which approach will provide the necessary flexibility?


MSSPs and the Link to Compliance

Any of the above security approaches may enable a firm to meet the ISO 27001 standard. However, when responsibilities are kept in-house, a company also accepts the responsibility for periodically undergoing an ISO 27001 audit. Except for very large firms, the total cost associated with procuring, implementing, configuring, managing and monitoring the solutions will invariably prove higher than consulting an integrator or Managed Security Service Provider (MSSP).

Integrators may deliver a complete solution, but often place tremendous reliance on people and minimal reliance on repeatable processes. The impact of this choice on monitoring reduces the accuracy in identifying potential security incidents, leading either to overworked security analysts chasing too many false alarms or to missed incidents.

MSSPs overcome the challenges posed by integrators due to a balanced mix of people, processes and technology — with processes and technology deployed to maximum effect. Security analysts pick up where technology and processes leave off, performing tasks that cannot occur automatically. Moreover, MSSPs typically undergo ISO 27001 audits on a regularly scheduled basis, removing responsibility from their customers. The combined skills, flexibility and experience that MSSPs offer makes managed security a pragmatic approach to meet compliance requirements that are driven by internal mandates and by customers.

Securing Entry to a Global Economy

Global firms interested in building operations within the U.S. and Europe require demonstrable security processes and procedures to satisfy increased pressure for comprehensive compliance with industry and statutory standards. For example, although a French bank might be headquartered in Paris, the organization must comply with U.S. regulations if it wishes to sell financial products and services to U.S. customers. Companies that cannot comply, and are caught in violation, face heavy fines and penalties. Regulations exist in many industries, making compliance a must for all global businesses.

Similarly, ISO 27001 — the standard for security best practices — demonstrates a company’s readiness from a security perspective. For many firms, the most straightforward route to ISO 27001 certification is through an MSSP that has already achieved certification on its own and can provide the necessary services faster and with greater expertise than a company unfamiliar with the rigors of achieving ISO 27001 certification.

About Tata Communications

Tata Communications offers a full suite of managed security solutions for organizations of all sizes. Tata Communications’ security solutions enable companies to find the right balance between cost, performance and operational objectives with a solution tailored to their unique technology requirements.


Tata Communications Limited along with its global subsidiaries (Tata Communications) is a leading global provider of the new world of communications. The company leverages its Tata Global Network, vertical intelligence and leadership in emerging markets, to deliver value-driven, globally managed solutions to the Fortune 1000 and mid-sized enterprises, service providers and consumers.

The Tata Communications portfolio includes transmission, IP, converged voice, mobility, managed network connectivity, hosted data center, communications solutions and business transformation services to global and Indian enterprises and service providers, as well as broadband and content services to Indian consumers. The Tata Global Network encompasses one of the most advanced and largest submarine cable networks, a Tier-1 IP network, connectivity to more than 200 countries across 300 PoPs and more than one million square feet of data center space. Tata Communications serves its customers from its offices in 80 cities in 40 countries worldwide. Tata Communications has a strategic investment in South African operator Neotel, providing the company with a strong anchor to build an African footprint.

The number one global international wholesale voice operator and number one provider of International Long Distance, Enterprise Data and Internet Services in India, the company was named “Best Wholesale Carrier” at the World Communications Awards in 2006 and was named the “Best Pan-Asian Wholesale Provider” at the 2007 Capacity magazine Global Wholesale Telecommunications Awards for the second consecutive year.

Becoming the leading integrated provider to drive and deliver a new world of communications, Tata Communications became the unified global brand for VSNL, Tata Communications, Teleglobe, Tata Indicom Enterprise Business Unit and CIPRIS on February 13, 2008.

Tata Communications Ltd. is a part of the $29 billion Tata Group; it is listed on the Bombay Stock Exchange and the National Stock Exchange of India and its ADRs are listed on the New York Stock Exchange (NYSE: TCL).

For further clarification or discussion, please contact Alain Bouvier at: [email protected].

www.tatacommunications.com

© 2010 Tata Communications Ltd. All Rights Reserved. whitepaper_Security Outsourcing_v1.0_jan-2010
