Traditional Information Technology (IT) has been besmirched, and with good reason, by such concepts as Service Outsourcing. Traditional IT as we have known it might be dead, but reports of its complete demise are greatly exaggerated. The Digital Age has forced organizations to be more business-focused, which means ceding Traditional IT duties to “cloud” firms whose “business model” is performing the service of Traditional IT. However, we shouldn’t bury an organization’s internal Traditional IT functions just yet without examining a few of the challenges they help obviate.

Though fashionable in the Digital Age, Service Outsourcing may not be an option for various reasons. First, security is an ongoing issue in any IT system; however, Service Outsourcing presents a unique set of challenges that we do not see in Traditional IT. The main security threats can be grouped into six categories: Network, Virtualization, Identity and Access Management, Data and Storage, Governance, and Legal and Compliance issues³.

  • Network Security – Some security issues are common between Service/Cloud and Traditional IT; however, such issues as XML Signature Wrapping, Flooding Attacks, Malware Injection, and Metadata Spoofing are unique to Service Outsourcing
  • Virtualization – This provides resource management functions to enable sharing of hardware resources between the virtual machines. There are benefits to be gained from these technologies, but they also introduce security threats such as Hypervisor Vulnerabilities, Cross VM Channel Attacks, and Outdated Software Packages in VM
  • Identity and Access Management – The proof of user identity involves the use of personally identifiable information (PII). Therefore, unauthorized access to data resources presents four main challenges: Identity Management, Authentication, Authorization and Access Control, and Federation Management (i.e. single sign-on)
  • Data and Storage Security – It is possible that storage service providers may decide to hide data loss incidents to keep their reputation undamaged or, overlooking the importance of sensitive customer data, delete rarely accessed files. Specific issues that can arise are:
    • Confidentiality, Integrity, and Availability (CIA) – CIA issues span traditional IT as well, but Service Outsourcing presents specific concerns. For example, confidentiality issues include access control (authentication and authorization) mechanisms, data protection schemes, encryption algorithms, and encryption key management
    • Data Isolation – From a customer’s standpoint, the notion of using shared infrastructure could be a concern; administrators need to ensure that all data are completely secure and accessible only by authorized users
    • Data Sharing – cloud-based services are an attractive model for applications like online word processing, calendaring, blogging, and social networking, but server-side information leakage could pose significant risk to confidentiality and adversely impact privacy
    • Data Backup & Redundancy – First, outsourcing data storage does not necessarily mean that data is backed up. Second, service providers may prefer to rely on seamless backups without the active consent of the clients. Finally, there is the challenge of controlling backup versions
    • Data Sanitization – Destruction of data might be challenging since multiple copies could be dispersed in different geographical locations, making it difficult to verify whether a service provider is reliably removing all backup copies. Also, if physical destruction of media is required, there is the issue of shared volumes among customers
    • Data Provenance – The provenance (the origin) of sensitive data may divulge critical private information, and adversaries always look for security loopholes to exploit this. Thus, not only should the data be secure, but the record of how the data was generated must also be secured

Second, the decision to outsource is an important strategic one for many businesses because it involves evaluating the possible cost savings compared to the consequences of a loss in control over the product or service². In Service Outsourcing, an organization relinquishes control over several critical issues, such as policy and procedures. This creates governance, legal, and contractual issues that Traditional IT does not have. For example:

  • Selection of a Service vendor involves more than just believing in their reputation or record of accomplishment. Companies must also consider the vendor’s current processes and customer references, and that still could lead to a vendor compatibility issue, not to mention the possibility of bad contract terms
  • Not only are there security concerns, as discussed above, but there could also be confidentiality and trade secret issues that cannot be overcome or are simply incompatible with the vendor’s business model
  • Organizational processes may be incompatible with the vendor. One cannot assume a vendor’s processes are inherently better than the customer’s. This could lead to inefficiencies, communication issues, and eventual loss of insight as to the vendor’s progress or service. Configuration Management of Service Assets is difficult enough. A line now must be drawn from the logical assets the organization controls and the physical assets the vendor controls to which the logical assets are allocated. There is also contract change control, addressed later in this article

Organizational culture is an issue whether dealing with Traditional IT or with Service Outsourcing. However, the culture you know is less of an issue than the culture you don’t. A vendor’s culture may be different from your own and this should be addressed as a separate issue in the vendor selection process.

Finally, once the vendor has been selected and the contract awarded, an organization will be looking for economies of scope and scale. More to the point, the organization’s internal and external customers will be looking for better service with reduced costs. Traditional IT is viewed as less competitive due to the consumerization model. There are, however, several hidden costs of Service Outsourcing that are often overlooked¹. For example:

  • Transitioning to a vendor is probably the most difficult cost to measure. It is difficult to educate the vendor on the organization’s business and processes, and it is sometimes hard to determine when (or if) the education and transition are ever complete
  • The vendor must be managed, and this represents the largest cost area of Service Outsourcing. The vendor must be managed in three areas:
    • Monitoring to ensure they fulfill contract obligations
    • Bargaining and sanctioning, if necessary
    • Managing Contract Changes and contract closure, if the vendor is not going to be retained
  • Overall, contractual pressure is surely an argument for Traditional IT. Studies have shown that poorly negotiated contracts lead to rising IT costs and a decrease in service levels, and are a driver for moving services back in-house³. Nonetheless, contracts expire, and if the vendor is not going to be retained, Services must be transitioned back in-house or to a new vendor. If transitioning to a new vendor, the issues of Service Outsourcing repeat themselves. However, transitioning back to in-house resources is extremely difficult to quantify because the organization must first admit to a failed outsource effort. Second, since outsourcing is usually thought of as a permanent solution to focus on core business or to cut costs, there is little thought given to this possibility
  • An organization may keep a sufficient level of internal IT expertise as a hedge against a failed Service Outsourcing contract. Ironically, this turns into a redundant cost of Service Outsourcing that is also overlooked.

While such concepts as Service Outsourcing solve some problems presented by Traditional IT, they create their own set of challenges that organizations must address before adopting them.

Sources:

¹ Barthelemy, J. (2001). The hidden costs of IT outsourcing. MIT Sloan Management Review, 42(3), 60.

² Dinu, A. (2015). The risks and benefits of outsourcing. Knowledge Horizons. Economics, 7(2), 103-104. Retrieved from http://ezproxy.umuc.edu/login?url=http://search.proquest.com.ezproxy.umuc.edu/docview/1686096998?accountid=14580

³ Hirschheim, R., & Lacity, M. (2000). The myths and realities of information technology insourcing. Communications of the ACM, 43(2), 99-107. doi:10.1145/328236.328112

⁴ Islam, T., Manivannan, D., & Zeadally, S. (2016). A classification and characterization of security threats in cloud computing. International Journal of Next-Generation Computing, 7(1).
