Doing Due Diligence
Web-hosting services are not the right solution for everyone. They may not save your company money; costs range widely, and if your company already has the security resources and infrastructure in place, it may cost less to host your Web site in-house. The decision to outsource hosting also involves strategic questions such as core competencies, future plans and business conditions.
But should your company decide to explore the third-party Web-hosting option, one of the biggest mistakes a CIO can make is to fail to perform due diligence. It can be difficult to tell a hosting service that truly understands security from one that merely looks like it does. Yet failure to make that distinction can lead to serious consequences down the road.
The managers who run Web-hosting services generally realize the need for security, but not all of them actually understand it. In general, Web hosting services that have historic links to Cold War-era defense contractors or have hired experienced security executives have a better grasp of these requirements.
The differences between companies that are and aren't truly security-minded are evident literally from the ground up. While some Web-hosting facilities are built to withstand catastrophic natural disasters, one facility I visited was built over an active earthquake fault. Some services have two powerful diesel generators and backup batteries, while others don't have generators at all, or lack contingency plans in case fuel tanks run dry.
Web-hosting firms frequently overlook some necessary precautions even as they take others. Some deploy state-of-the-art intrusion detection systems to actively monitor for cyberattacks originating anywhere in the world, but lack the proper security policies, procedures and controls to defend themselves against a rogue employee inside their own data center. Some Web-host cages, which resemble chain-link fences, are as secure and rugged as they look, while others have sliding gates that can be lifted off the tracks or bent far enough to allow an intruder to enter.
Security-minded firms are careful about the physical layout of the cages where the servers are kept. At such firms, managers take care to make sure the cables are far from the cage walls. Other companies, in order to maximize space, place the backs of the servers flush against the cages, where they are vulnerable to any passerby who wishes to unplug a cable. Firms that take security seriously lock servers in cabinets; those that do not sometimes leave the cabinets unlocked, or leave the keys in the locks.
Controlling access to secured cages should be at the top of the list of control measures. The fewer people who have access to the Web servers, the better. In one secured cage I visited, where a dozen servers from different companies were housed, I asked one technician how many people had clearance to access that cage. I expected the answer to be 25 to 30. The technician's response was appalling: between 500 and 1,000 people had access privileges.
Cages, locks, backup generators and other physical devices are meaningless without security awareness, probably the number-one deficiency at many Web-hosting firms. Security, after all, is ultimately a people issue.
Executives at hosting firms that truly care about security make sure their companies have robust security awareness programs. To quickly gauge a firm's overall security environment, ask its executives to demonstrate their commitment to security by answering three questions: What is your company's security vision and strategy? What is your information security management structure? How is your formal security training and awareness program run? The inability to articulate an answer to any of these questions should trigger an alarm. Then ask yourself: How do these answers compare with my own company's security environment? Is it better or worse?