No CIO should walk blindly into any agreement with a Web-hosting firm. The risks are too great, and the level of security from one hosting firm to the next can vary widely. You should work with the highest-ranking IT and physical security officials in your company; the latter are invaluable, since physical security is a major risk for Web hosts. Many companies also rely on security advisors who work in tandem with the internal team.
Here are a few indicators to look for when considering whether a Web-hosting service is secure and reliable:
Financial Viability. If the service goes out of business, the security controls don't matter. One such host recently stranded approximately 100 customers when it lost its communications service because it didn't pay the bill. Make sure the Web host has appropriate lines of credit, additional rounds of financing as needed, and is not in bankruptcy proceedings. This can be done by carefully reviewing the host firm's financial audit results and by consulting its legal counsel. Ask your general counsel and CFO to assist in the effort.
Protection from Attacks and Viruses. A serious host will deploy current tools to keep its exposure to attack as low as practical. Intrusion detection monitoring, antivirus software and firewalls are central to any secure host. Applying vendor patches promptly and keeping firewall rule sets tightly maintained are equally important. The level of compliance can be ascertained by having a computer security expert interview the host firm's security director.
Security Policies and Procedures. To minimize the risk of security breaches, every hosting firm should have a set of formal information security management guidelines that govern how security policies and procedures are developed and managed. These policies and procedures should be implemented consistently on all the firm's sites, wherever in the world they are (taking into account reasonable local variables such as construction standards in earthquake or flood-prone regions). Ask to see the actual documentation on policies and procedures, and check how it covers such security operations issues as controlling access to the servers, training and awareness, employee background investigations, monitoring of employee e-mail, and the use of firewalls and intrusion-detection technology. If the hosting firm cannot produce this documentation, or at least an independent third-party assessment of its security controls (known to auditors as an SAS 70 report), it is the wrong host for you. CIOs should also look into whether the host firm's top executives actively advocate security awareness throughout their company, and whether the lowest levels of the host's organization are as committed to security as its executives.
Hiring and Termination Practices. Because of market demand for network and security professionals, the employee turnover rate has been high at some Web-hosting companies. Inquire into whether the company performs background investigations on new employees; many companies either inadequately perform them or fail to do so entirely. At a minimum, make sure there is a process for verifying employee background information. For personnel with unrestricted access to Web servers, the host should check for criminal backgrounds and connections to hacker groups, and conduct credit checks. Appropriate termination practices can include an assessment by a security expert to see if an employee has inappropriately accessed or altered your host systems.
Access Control. Ask for detailed information on access authentication and authorization procedures. Are badges required to enter the facility and go from one secure zone to another? Who is issued a badge and under what circumstances? Are customers issued badges? If so, are they granted different access privileges than employees? Are badges color-coded to signify whether the wearer is a customer, an employee or a third party? Who should be escorted when in the facility, and who is authorized to be unescorted? Are these distinctions obvious to host personnel? One way to verify that access control practices are effectively deployed is to learn the different badge identifiers and observe traffic patterns inside the facility. See if anyone is walking around without a badge; no one should be, not even the firm's CEO. Of course, the entry point to the facility is the first zone of concern. I once signed a visitor log as Daniel Defoe, the long-deceased author of Robinson Crusoe. The guard compared my legible, printed log-in with my driver's license and then let me into the "secure" facility.
Continuity and Disaster Recovery. Backup generators are a start, but they are not enough. Make certain the host has clear, documented plans to maintain service through such disasters as floods, earthquakes, power outages, fire, explosions and even terrorist attacks. These plans should include semiannual field tests and maintenance of the generators, properly storing and annually recycling the diesel fuel for the generators, and failing over data to other centers in case of a disabling event. Batteries should supply short-term backup power needs; for longer emergencies, there should be at least two diesel generators capable of supplying power to the data center for 48 hours. Following a power outage, the generators should start within 30 seconds.
The Senior Security Staff. Ask about the experience and status of the senior security staff. Is there a chief security officer or chief information security officer? This is a trend in security-conscious organizations. In facilities that are less security-conscious, responsibility for security may reside in a lower-level manager, a possible problem.
Security Guards. Find out whether the guards are equipped and trained to properly protect your server operation. At one host, I found that the security guards on external patrol were not equipped with any communications equipment. In the event of an incident, they would have to run back to the data center to alert others. Also ask how guards carry out nighttime patrols. Is the entire facility inspected, both inside and outside?
Don't forget to visit the facility with a security team to look for physical flaws, such as secured doors that can be opened with a piece of paper, cables that can be easily pulled out of servers, unlocked server cabinets, rusty backup generators and people walking around without badges. You should also check to make sure your servers can be picked up by the video cameras, and that the facility is divided into zones with different levels of security. When there are no security zones, it could mean that too much security is applied in some areas and not enough in others.
Finally, once you decide to use a Web hosting service, it is absolutely essential to document your due diligence efforts and decision, and to report them to the general counsel, CEO or another appropriate corporate officer with risk management responsibility. Since management and the board will come to you if something goes bump in the night, you want to make sure you have minimized any risks and documented your decisions.
The list of issues, questions and answers can seem endless, and there are no shortcuts. Still, with the credibility of your firm, and the loyalty of your customers, at risk, it's important to make the right decision for your company.
MacDonnell Ulsch, an independent security consultant, analyst and author, served as a Trusted Advisor to the U.S. Moynihan Commission on Secrecy.