Wheres Your Database?

Database outsourcing has many risks.

With companies facing increasingly fierce pressures to meet shareholder and Wall Street demands for earnings growth, offshore outsourcing to cut costs has become more than an attractive option. It has become a fact of IT life.

While outsourcing best practices for help desk work and application development are well-understood, best practices for database administration outsourcing are not so well-known—but they need to be. According to Information Control, an IT consultancy in Columbus, Ohio, companies can achieve cost savings of approximately 41 percent by sending database administration offshore.

Those gains will evaporate, however, if a host of considerations arent taken into account. First, securing data in worldwide locations is harder and costlier than locking down a single U.S. data center. Second, databases contain a companys most critical information, including intellectual property and clients private information. The theft of this kind of data—for example, patient records like those held hostage last year by a medical transcription subcontractor in Pakistan—can jeopardize a companys ability to compete and open it to customer lawsuits.

Even without outsourcing, information control issues, such as granting root access, are thorny questions. When root access is handled by an outsourcer 10,000 miles and 10 time zones away, doubts about data integrity multiply. If data is compromised, which countrys laws do you use to prosecute?

Recognition of outsourcing risks is not only a best IT practice but, increasingly, a regulatory requirement. For example, financial institutions that offshore need to address risks related to offshoring to meet banking regulations. The U.S. Comptroller of the Currencies Bulletin 2001-47 directs banks to require third parties, including those abroad, to fully disclose breaches in security resulting in unauthorized intrusions that may materially affect the bank or its customers. According to the bulletin, banks must report breaches in security from outsourcing relationships with foreign providers.

The Financial Services Technology Consortium has an initiative to establish minimum required practices for offshore outsourcing. A report, due at years end, will recommend how organizations can manage risks consistently, regardless of where data is. The group aims to create standards for country-risk assessment and monitoring; background checks of workers; and, potentially, a certification program for offshore professionals.

Companies that know the stakes also know they need to send abroad an understanding of their corporate culture, industry regulations and local laws. They often find it best to embody this knowledge in an expert deployed abroad who must keep critical corporate data protected and accessible according to applicable laws and regulations. Saving money but losing control over data is a bargain no company can afford.

Were interested in your opinion. Send your views to eWEEK@ziffdavis.com.


Check out eWEEK.coms Database Center at http://database.eweek.com for the latest database news, reviews and analysis.


Be sure to add our eWEEK.com database news feed to your RSS newsreader or My Yahoo page