As an example of what can go wrong, imagine that your company outsources its new online poker games to an independent organization that implements a software upgrade which then results in a loss of confidential player information. In the event that your MSA does not specifically address remedies for such a loss, your organization could face significant risks well beyond what it can manage.
Another significant weakness of IT outsourcing agreements tends to be around cost containment. Additional vigilance is required to ensure that there is no “over architecture” of infrastructure or processes that are not specifically provided for in the agreement. Additional costs could also arise if the outsourcing agreement ends and results in changes to the operational processes that your business is reliant upon.
Virtualization is the use of advanced software and powerful hardware that allow organizations to make more efficient use of IT infrastructure in terms of power usage, capacity, storage, etc. For example, it enables an organization to replace several older servers with one more powerful unit that runs a “virtual” copy of each old one. End users are not aware of the change, and virtualization reduces the overall total cost of ownership and maintenance effort. It can be accommodated in-house or in an outsourced environment.
Many companies use virtualization to minimize downtime and “maintenance windows,” since they can migrate a virtual machine to a new host system more efficiently. While there are many uses for virtualization, organizations have to examine the impact on IT security when contemplating it. Virtual servers share a common hardware platform, which makes it possible for savvy individuals to compromise data security. When virtualized servers are managed in-house, the risk can be mitigated by ensuring that virtual machines holding highly sensitive data are not co-mingled with machines hosting less secure data.
This is a particularly salient point in regard to outsourced IT environments. Unless specifically disallowed within the MSA or contract, it is possible that the outsourcer will not only mix data security levels but also co-mingle your virtual systems with those of other companies. Take, for example, the outsourced online gaming engine and consider what would happen if the outsourcer put your lottery games on the same server as a competitor’s game. To safeguard your data, you need to know what controls are in place to ensure that your database of client transactions is not mixed with that of others, and that your players’ information is protected from unauthorized access or disclosure.
Cloud computing refers to the use of a connected on-demand pool of shared IT elements that includes infrastructure, software, platforms, and services. Cloud computing can be internally or externally delivered and usually also includes the use of virtualized computing. It allows organizations to meet peaks or emerging IT needs without additional capital outlays or time delays related to building the IT element in-house.
Cloud computing allows users to buy access to IT resources for a set period of time in a cost-effective manner. As with the decision to outsource, there are several risk elements that should be considered in making the decision to purchase services in the cloud:
Loss of data control. Storage is often done without consideration of data classification or safeguards, and upon termination of service, the data destruction is often left to the provider’s discretion.
Loss of perimeter security. To accommodate the needs of a larger client base, access controls to the cloud infrastructure are not as tightly controlled. Individual companies have no ability to configure or control access. As a result, services that would be blocked in your own environment can be allowed in this one.
Lack of standards. There are no defined standards on how a cloud provider will operate or safeguard infrastructure and, as such, there is no ability to understand how simple elements like user access, backups, disaster recovery, etc., are being undertaken.
Lack of governance and accountability. Organizations are not able to implement their normal oversight and risk management framework, and there is less opportunity to insert right-to-audit clauses into this offering.
Once these risks are properly assessed and steps undertaken to address them, significant benefits can be achieved.
In the end, it comes back to ensuring you understand your risks and mitigation strategies and are undertaking appropriate due diligence before embarking on any major change to a company’s IT resources. For gaming companies, the risk is higher, and each of the aforementioned solutions merits a detailed, thorough examination and a clear understanding of what can go wrong in each environment in order to help ensure your risks are mitigated.
By Louie Velocci, Vice President, KPMG Forensic Inc./Senior Manager, Advisory Services