Article Apr 19, 2021 5 min read

In the age of IT outsourcing, trust is everything

Nico Cormier

Apr 19, 2021 5 min read

Nico Cormier

Enterprises are spending more and more money on outsourcing, according to Gartner. It’s a trend that is very much aligned with the move from on-premises hardware to the cloud. Companies today, even the non-tech players, aim to move faster, be more agile and have greater velocity in all that they do. It’s an industry-agnostic trend, as everyone wants to scale their IT projects up and down, as fast as possible, and they need third-party support to do it.

Transforming any business into a technologically agile company is no easy feat. It requires a level of support and know-how that isn’t often available internally. In periods of high growth, all shapes and sizes of enterprises are forced to react and transform quickly in order to tackle new threats to their own business continuity. And the answer to many of their problems was found in the cloud.

While a move to the cloud serves to propel a company’s technological agility, it also means that critical IT assets that were once solely under the control of the enterprise are now in the hands of third-party cloud or software-as-a-service (SaaS) vendors. An enormous amount of responsibility is placed on these vendors, who are suddenly shouldering the burden of protecting and storing the customers’ data, including the sensitive data stemming from the scheduling and resulting meetings of video conferences.

Do vendors deserve all this trust?

During this period of rapid growth in cloud deployments, the dramatic shortcomings (especially related to privacy and security) among some of the vendors have come to the forefront. This has caused customers and the industry at-large to re-evaluate and question the amount of trust they bestow their third-party providers.

Unfortunately, the reassurances that we get from vendors aren’t all satisfactory, and we see a swathe of players who prefer to hide under a cover of technology rather than talk about the real issue at hand: trust. One common example is the vendor’s reliance on ‘encryption technology’, which is used as a subterfuge to avoiding giving real answers to the uncomfortable questions about privacy and security.

Don’t be misled by encryption smoke and mirrors

Encryption is what allows two parties to exchange private information safely over an unsecured network, like the internet. Strong encryption practices can guarantee privacy between two users, or between a user and their bank, or between a user and their web mail client. Simply put, it is the very foundation of any web service out there.

To put this in real terms, when Alice sends a message to Bob using either their favorite messenger app, typically Alice would send the message encrypted to the messenger app SaaS provider, then the provider would process the message, encrypt it, and then send it to Bob. This process means that, if they so desired, the SaaS provider could read this message. It’s a situation that could happen if the provider lacks strong privacy and security practices and a good company culture around it.

What if a vendor repeatedly disregards user privacy and security?

A disregard of privacy and security would be the beginning of the end for any IT vendor that doesn’t place these principles at the heart of their offering. It would result in dissolution of the business or alternatively force the vendor to re-build their product and company culture from the ground up. Attempting to make something secure as an afterthought or add-on doesn’t evoke trust among customers or users either. Sometimes, the vendor may even make a last-ditch effort to convince you that with the right technology, such as all-too-impressive-sounding end-to-end encryption (E2EE), you don’t really need to trust them after all. This advanced technology takes care of that for you.

But can technology really replace trust? To answer that question, let’s revisit Alice and Bob and their messages, this time adding E2EE to their exchange. E2EE means, as its name indicates, that encryption is used all the way from Alice to Bob, presenting zero opportunity for the SaaS provider to decrypt and re-encrypt. It’s an argument that seems to take all responsibility away from the vendor, as there’s no need for trust if it’s all encrypted anyway. Problem solved!

Unfortunately, that story is simply too good to be true and reality has taught us something else. The first lesson is that even in the face of E2EE, trust is still an important factor. You need to trust that the provider is taking full responsibility for the implementation and delivery of a solid and secure E2EE, giving you confidence in the vendor’s own, internal engineering security and privacy practices.

In practice with E2EE, most of the critical data will not be fully encrypted (meeting title, participant names, various metadata) but more worryingly, users will actively avoid E2EE as it reduces the features available to them.

Another consideration is that by removing the provider’s ability to process the user’s data, you also diminish the ability to provide the rich user experience that the users have come to expect.

E2EE is not a substitute for trust

Building trust in a SaaS provider starts by ensuring that the vendor has a solid internal culture built on strong privacy and security practices. To uncover the truth, you need to go beyond checking certifications, because the right certifications are simply the minimum requirement. Instead, you should be asking: How and where do they run their engineering department? Who builds the products and how does the team engage and support its customers? Will they troubleshoot when issues arise? And will they be there by your side when it’s time to grow and scale your company?

Just as you wouldn’t ask a stranger to babysit your kids before knowing more about that person, you shouldn’t entrust your sensitive data with a company that hides behind misleading, technological terms. When evaluating your third-party vendors, it’s time to put trust at the top of your evaluation checklist. Dig deeper into the internal culture of this provider to find out if privacy and security are an integral part of how they do business. That way you can be sure that your data is in the hands of people who want to protect it as much as you do.

Learn more about securing your critical assets by visiting our Pexip for Secure Communications webpage.

Topics: