Brought to you by:
Enterprise Strategy Group  |  Getting to the Bigger Truth™

ESG SHOWCASE

An Elegant Approach to Extending Enterprise Security to BPOs

By Dave Gruber, Principal Analyst
OCTOBER 2022

Abstract

The use of third-party business process outsourcing (BPO) has become a mainstream practice that enables organizations to scale and optimize business operations. These outsourced functions often require access to critical business systems, challenging IT and security teams to provision and provide secure access to BPO users. Extending traditional access and security controls to BPOs is fraught with challenges, slowing onboarding and leaving most organizations with unwanted risk. New strategies for access and security are needed.

Overview

Business process outsourcing strategies offer organizations many proven benefits, including operational scale and optimization, cost reduction, speed, and simplification of management. Software-as-a-service (SaaS) application strategies are offering many organizations similar benefits, helping IT and line-of-business teams scale and optimize operations while lowering cost, improving speed, and simplifying management. As enterprises and their BPO service providers share the use of SaaS applications to operate, both share a common objective to do so in a secure, performant model.
However, it can be a challenge for IT and security teams on both sides to establish shared SaaS access in a secure and performant manner. Operational challenges often begin with the complexity of provisioning applications for BPO user access, leading to delays in ramping up services. Application performance degradation associated with additional layers of security controls further adds friction, reducing BPO throughput.
Security challenges include the risk of sensitive data leakage and the frequent requirement to provide over-privileged accounts due to a lack of alignment with fine-grained application access controls. According to ESG research, 31% of organizations reported that they have security/privacy concerns related to their SaaS applications. In addition, in a separate ESG research study, nearly one-third of respondents reported issues with misconfigured cloud applications resulting in over-privileged accounts.
BPO data leakage threatens both corporate data assets and BPO reputation. Inadequate security controls open the door for data leakage or over-privileged access, introducing further operational risk. Simply stated, BPO data leakage has the potential to ruin a company.
To address these risks, many organizations are attempting to utilize solutions built for other use cases, including virtualized desktops or full VPN solutions. However, these approaches can degrade compute performance, slowing down BPO users and the tasks they are expected to complete. A new approach is needed.

Challenges

While BPO strategies enable organizations to grow and compete more effectively, they challenge IT, security, and compliance teams’ abilities to:
• Implement fine-grained user-access privileges that limit access to privileged capabilities in a consistent way across both internal/on-premises applications and multiple SaaS applications.
• Prevent sensitive data leakage from on-premises and SaaS applications onto BPO-owned or non-corporate-owned devices.
• Audit BPO access/usage of privileged functions and the access/usage of sensitive data.
• Leverage traditional network security controls to inspect progressively stronger encryption protocols.
BPOs need to customize access to sensitive data and functions in support of staffing strategies designed to deliver the highest levels of service for organizations’ clients. Yet SaaS applications are often designed around the most common use cases, offering limited fine-grained role-based access controls (RBAC) around both features and data. IT and security teams, therefore, often offer over-privileged access accounts to BPO users to enable them to operate effectively. This creates exposure for both accidental and intentional theft of data and the potential to authorize data or services that fall outside of intended controls (e.g., business email compromise).
This becomes even more acute during the BPO onboarding process, where setting up virtual private networks (VPN), mobile device management (MDM), or even virtual desktop infrastructure (VDI) can be time-consuming and complicated, causing many organizations to “fast-track” around necessary controls to accelerate onboarding. BPO resources often utilize devices owned and controlled by their employers, adding further complexity to the deployment of these controls on alternative-corporate-owned devices.
These same applications often lack the ability to audit the use of privileged functions and access of sensitive data, adding complexity for governance and audit teams. Forensic auditing is difficult at best, making it challenging to control data leakage and determine if, and when, users copy/paste data, download/save files, or simply screenshot data to user-owned or non-corporate-owned devices. And while 69% of organizations expect their endpoint security solutions to protect against data leakage, most endpoint security solutions lack any ability to address data leakage.
Further complicating matters, BPOs typically work with a variety of clients, creating risk of cross-contamination of data across their client base.

Facilitating Secure BPO Relationships

IT and security teams need to level-up controls to protect application and data assets used by BPOs without impacting application performance and throughput. This means extending customized access and data security policies and controls to third-party BPO users aligned with specific outsourced functions.
While SaaS application usage has become prevalent, on-premises applications requiring private-network access are still in use at many organizations, requiring BPO access and security strategies to support both—in a seamless, consistent manner. BPO service contracts often also come with aggressive onboarding objectives, warranting a simple, straightforward approach to onboarding application users.
Application usability and availability are considered critical to meeting BPO service level agreements (SLAs). Accelerated onboarding objectives and ongoing SLAs require access and security solutions to operate seamlessly, without additional end user authentication steps and without degrading application performance.
With 86% of organizations reporting active zero trust initiatives, security teams need the ability to extend zero trust principles to contracted BPOs, ensuring that least privilege access controls are in place.

Introducing Island, the Enterprise Browser

Island provides what many would consider a disruptive approach to securing a modern, cloud-enabled, hybrid workforce, providing users the freedom to leverage a multitude of SaaS, hybrid cloud, and internal web applications, while helping IT, risk, and security teams overcome many of the challenges associated with provisioning fine-grained access privileges, data leakage controls, and the fulfillment of governance and compliance requirements.
Island, the Enterprise Browser, extends access and security controls to third-party BPO and contract users using a new approach—adding management and security controls directly within the browser.
Fast, familiar experience. The Island Enterprise Browser is based on Chromium, so it's 100% compatible with modern web applications. Security controls are applied locally so there are no additional virtualization layers or network gateways to slow down the user experience—even where bandwidth is scarce in more remote locations.
Easy authentication. Using end user credentials (integrated with an identity provider), users get a tailored home screen with all the apps and resources they need for their current role.
Stop data leakage. Using granular last-mile controls, Island prevents sensitive data from leaving the browser via printing, screen capture, or copy-and-paste operations. For workflows that require document downloads, Island can redirect downloads to secure cloud storage to maintain full workflow productivity (viewing, editing) and full custody of the documents.
Update legacy technologies. Island can reduce or eliminate the need for legacy solutions like VPN or VDI that are used for remote access. Island connects users to private networks directly through the browser, reducing complexity for both end users and IT operations.
Capture high-fidelity activity logs. Island collects detailed activity logs supporting IT, security, risk, and audit requirements. These are critical for incident investigations, rapid response to security events, and auditing the BPO relationship.

The Bigger Truth

Business agility depends on organizations’ ability to leverage third-party BPOs and SaaS applications to scale and optimize operations. But while BPO and SaaS strategies offer significant operational and cost benefits, many organizations are experiencing a loss of security controls and are subject to a new set of risks associated with this loss.
As organizations strive to strengthen security controls for all types of users, third-party BPO users introduce specialized access requirements, requiring new strategies to extend security policies to this audience. A simple, performant approach to controlling access and data security is needed.
Enterprise browser solutions from vendors like Island are aligning well to meet this growing requirement. ESG recommends that organizations engaging with BPOs take a serious look at how Island, the Enterprise Browser, can extend robust security for data and access to facilitate this important operational business strategy.
ESG recommends that BPOs investigate how enterprise browser solutions from vendors like Island can offer scalable, portable controls that can accelerate onboarding and offer their users a simple, elegant, and effective approach to securely accessing required client applications and data.

This ESG Showcase was commissioned by Island Technology, Inc and is distributed under license from TechTarget, Inc.

All product names, logos, brands, and trademarks are the property of their respective owners. Information contained in this publication has been obtained by sources TechTarget, Inc. considers to be reliable but is not warranted by TechTarget, Inc. This publication may contain opinions of TechTarget, Inc., which are subject to change. This publication may include forecasts, projections, and other predictive statements that represent TechTarget, Inc.’s assumptions and expectations in light of currently available information. These forecasts are based on industry trends and involve variables and uncertainties. Consequently, TechTarget, Inc. makes no warranty as to the accuracy of specific forecasts, projections or predictive statements contained herein.

This publication is copyrighted by TechTarget, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of TechTarget, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact Client Relations at cr@esg-global.com.

Enterprise Strategy Group is an IT analyst, research, validation, and strategy firm that provides market intelligence and actionable insight to the global IT community.