Outsourcing DNS Registry Maintenance Draws Criticism
Critics Expect Increased Risks Due to Lack of Visibility and Control
The National Internet Exchange of India, an autonomous body under the Ministry of Electronics and IT that maintains the .In registry and country code Top Level Domains, or ccTLDs, has switched to a new U.S.-based outsourcer for the registry's operations and maintenance.
Some security experts are criticizing the move, saying that outsourcing increases risks.
NIXI had outsourced the .In registry maintenance since 2004 to U.S.-based Afilias, a third-party technical service provider. It recently switched to a new partner, U.S.-based Neustar, to provide critical infrastructure, technology and services.
Sanjay Goel, CEO at NIXI and joint secretary at MeitY, says the switch of outsourcers came following a thorough evaluation through a tendering process.
"We selected U.S.-based TSP because we believe they possess better expertise and technological development is faster there," he says. "We evaluated about five to six operators and chose Neustar as it would bring in global security practices."
Questioning the Decision
But Dinesh Bareja, president of Open Security Alliance, questions the move to continue outsourcing. "Third-party risks are increasing considerably given the data and infrastructure is completely managed remotely," he says. "Also, [those hiring outsourcers] cannot monitor them effectively in real time."
The government's security requirements for the technical service providers it uses are inadequate, some critics argue.
Prakash Ranjan Kumar, former manager of IT security at Canara Bank, says, "The units of government that outsource to a third party have little visibility into the information shared, with whom it's shared, and security practices and protocols of third and fourth parties with access to it."
Kumar also notes that the government's technical staff cannot audit the third party's subcontractors.
Rahul Sharma, country leader for India at the International Association of Accessibility Professionals, says the lack of control of infrastructure by the in-house team at NIXI and a lack of transparency about day-to-day data monitoring could result in insider abuse in the third-party environment.
"Other risks associated with outsourcing can be regulatory issues, like what regulations apply to data and technology infrastructure, depending on locations of the operators, etc.," he says.
But Dr. S. Govind, former CEO of NIXI, points out that outsourcing service providers are selected after a careful evaluation process. "We insist they keep the servers in India to manage the data," he says.
Goel of NIXI adds: "We ensure the third party meets all the security requirements issued by the National Informatics Center and builds robust security within the systems against breaches or cyberattacks."
NIXI says the government's technical service provider for the .In registry:
- Is not allowed to extract any data from the server and take it out of the data center or the disaster recovery center without NIXI's written permission.
- Must formulate a comprehensive Information Security Policy, Disaster Recovery and BCP policy based on BS7799/ISO 27001 and BS15000/ISO 20000 guidelines.
- Must maintain the confidentiality of the government's business data and other proprietary information or materials.
- Must safeguard proprietary information and prevent any unauthorized access or disclosure of information.
Leveraging New Technologies
Ritesh Bhatia, founder and director of V4WEB, a cybersecurity firm in Mumbai, questions whether the government takes enough steps to ensure the third party uses the right technologies in safeguarding the data residing in the servers.
He recommends that the government insist that its outsourcer partners leverage new technologies, including artificial intelligence, to identify unlawful content posted by hackers.
"The government must understand various dimensions of technologies, architectures and tools the service provider uses, whether these can protect the data hosted and what the governing frameworks deployed are," Bhatia says.