IntroductionBy MacDonnell Ulsch III
Analysis: Security and Outsourcing
At first glance, the building where the Web hosting firm operated appeared protected. Inside the fortress-like structure, servers stood locked inside their cages; a wall of industrial-grade shatterproof glass and an imposing, electronically controlled door protected the data center. The operation seemed the model of efficiency and somber authoritybut the model was about to unravel.
Quietly, without being noticed by the guards, a visitor removed a 6-by-9-inch piece of paper from a stenographer's notebook, inserted it between the top of the door and the doorframe, and slid the paper from right to left. In less than five seconds, the paper interrupted the infrared beam of the motion sensor located inside the data center. The door unlocked immediately, its electronic control mechanism responding to a signal that someone apparently wanted to leave the center. The visitor quickly stepped inside the data center and began to wave through the glass to the guards.
Fortunately for the Web-hosting firmand the companies that trusted the firm to keep their sites running 24 hours a daythe visitor was a security consultant. Had it been a disgruntled or former employee, an ill-intentioned competitor or even a violent political activist, the servers could have been unplugged or damaged, causing revenues, corporate reputations and even jobs to be lost.
A Web-hosting firm can claim and appear to be secure at first glance. However, the gap between appearance and reality is why CIOs must take a hard look at security when making the decision to outsource any part of their company's Web infrastructure. Security breaches are on the rise; according to the Federal Bureau of Investigation, system intrusions surged 250 percent in 2001. Approximately 21,000 security incidents were reported in 2000 to Carnegie Mellon University's Computer Emergency Response Team, a federally funded research and development center.
Breaches can result in tremendous damage. One survey conducted by the FBI revealed that e-business security violations worldwide in 2000 caused more than $10 billion in damage. In one case, Stamford, Conn.-based Omega Engineering network administrator Timothy Lloyd created and deployed a virus that wiped out virtually all his company's corporate information after he learned he was to be fired. That breach cost the company at least $10 million, according to the U.S. Department of Justice.
Today, more senior IT executives are asking whether they should create their own infrastructure to host their Web site, or contract with third-party Web-hosting services. Demand for such third-party services is growing: The Web-hosting industry, according to IDC researcher Melanie Posey, is forecast to grow from $3.9 billion in 2000 to $24 billion by 2004 despite the slowing economy.
Why the strong growth? The dilemma facing Old Dominion Electric Cooperative in Glen Allen, Va., reveals why the market is expected to increase. The cooperative, composed of a dozen electric utilities serving mostly rural customers, had originally outsourced its Web servers in order to quickly get on the Internet. It began hosting its own Web site when its executives decided that managing its site should be a core competency. Now, however, hosting one's own site has become more complex thanks to such tasks as online bill payment and new demands from customers who can now buy electricity from other suppliers. This complexity is leading Daryl Jaschen, Old Dominion's top IT executive, to reconsider the Web-hosting option. The firm's Web strategy "requires another level of core competency," he says. "The comfort of knowing the system is secure comes at a cost."
Doing Due Diligence
Doing Due Diligence
Web-hosting services are not the right solution for everyone. They may not save your company money; costs range widely, and if your company already has the security resources and infrastructure in place, it may cost less to host your Web site in-house. The decision to host also involves such strategic questions as core competencies, and future plans and business conditions.
But should your company decide to explore the third-party Web-hosting option, one of the biggest mistakes a CIO can make is to fail to perform due diligence. It can be difficult to identify the subtle nuances between a hosting service that truly understands security and one that just looks like it does. Yet failure to do so can lead to serious consequences down the road.
The managers who run Web-hosting services generally realize the need for security, but not all of them actually understand it. In general, Web hosting services that have historic links to Cold War-era defense contractors or have hired experienced security executives have a better grasp of these requirements.
The differences between companies that are and aren't truly security-minded are evident literally from the ground up. While some Web-hosting facilities are built to withstand catastrophic natural disasters, one facility I visited was built over an active earthquake fault. Some services have two powerful diesel generators and backup batteries, while others don't have generators at all, or lack contingency plans in case fuel tanks run dry.
Web-hosting firms frequently overlook some necessary precautions even as they take others. Some deploy state-of-the-art intrusion detection systems to actively monitor for cyberattacks originating anywhere in the world, but lack the proper security policies, procedures and controls to defend themselves against a rogue employee inside their own data center. Web-host cages, which resemble chain-link fences, may be as secure and rugged as they look, while others have sliding gates that can be lifted off the tracks or bent far enough to allow an intruder to enter.
Security-minded firms are careful about the physical layout of the cages where the servers are kept. At such firms, managers take care to make sure the cables are far from the cage walls. Other companies, in order to maximize space, place the backs of the servers flush against the cages, where they are vulnerable to any passerby who wishes to unplug a cable. Firms that take security seriously lock servers in cabinets; those that do not sometimes leave the cabinets unlocked, or leave the keys in the locks.
Controlling access to secured cages should be at the top of the list of control measures. The fewer people who have access to the Web servers, the better. In one secured cage I visited, where a dozen servers from different companies were housed, I asked one technician how many people had clearance to access that cage. I expected the answer to be 25 to 30. The technician's response was appalling: between 500 and 1,000 people had access privileges.
Cages, locks, backup generators and other physical devices are meaningless without security awareness, probably the number-one deficiency at many Web-hosting firms. Security, after all, is ultimately a people issue.
Executives at hosting firms that truly care about security make sure their companies have robust security awareness programs. To quickly gauge the overall security environment at these firms, ask these executives to demonstrate their commitment to security by answering these questions: What is your company's security vision and strategy? What is your information security management structure? How is your formal security training and awareness program run? The inability to articulate answers to any of these questions should trigger an alarm. Then ask yourself: How do these answers compare with my own company's security environment? Is it better or worse?
No CIO should walk blindly into any agreement with a Web-hosting firm. The risks are too great, and the level of security from one hosting firm to the next can vary widely. You should work with the highest-ranking IT and physical security officials in your company; the latter are invaluable, since physical security is a major risk for Web hosts. Many companies also rely on security advisors who work in tandem with the internal team.
Here are a few indicators to look for when considering whether a Web-hosting service is secure and reliable:
Financial Viability. If the service goes out of business, the security controls don't matter. One such host recently stranded approximately 100 customers when it lost its communications service because it didn't pay the bill. Make sure the Web host has appropriate lines of credit, additional rounds of financing as needed, and is not in bankruptcy proceedings. This can be done by carefully reviewing the host firm's financial audit results and by consulting its legal counsel. Ask your general counsel and CFO to assist in the effort.
Protection from Attacks and Viruses. A serious host will deploy state-of-the-art tools to ensure the maximum level of security. Intrusion detection monitoring, antivirus software and firewalls are central to any secure host. Consistently updating patches from vendors and making sure firewall configuration settings are at optimal levels are equally important. The level of compliance can be ascertained by having a computer security expert interview the host firm's security director.
Security Policies and Procedures. To minimize the risk of security breaches, every hosting firm should have a set of formal information security management guidelines that govern how security policies and procedures are developed and managed. These policies and procedures should be implemented consistently on all the firm's sites, wherever in the world they are (taking into account reasonable local variables such as construction standards in earthquake or flood-prone regions). Ask to see the actual documentation on policies and procedures, and check how it covers such security operations issues as controlling access to the servers, training and awareness, employee background investigations, monitoring of employee e-mail, and the use of firewalls and intrusion-detection technology. If the hosting firm cannot produce this documentationor at least an independent third-party assessment of security controls, known to auditors as an SAS-70 reportit is the wrong host for you. CIOs should also look into whether the host firm's top executives actively advocate security awareness throughout their company, and whether the lowest levels of the host's organization are as committed to security as its executives.
Hiring and Termination Practices. Because of market demand for network and security professionals, the employee turnover rate has been high at some Web-hosting companies. Inquire into whether the company performs background investigations on new employees; many companies either inadequately perform them or fail to do so entirely. At a minimum, make sure there is a process for verifying employee background information. For personnel with unrestricted access to Web servers, the host should check for criminal backgrounds and connections to hacker groups, and conduct credit checks. Appropriate termination practices can include an assessment by a security expert to see if an employee has inappropriately accessed or altered your host systems.
Access Control. Ask for detailed information on access authentication and authorization procedures. Are badges required to enter the facility and go from one secure zone to another? Who is issued a badge and under what circumstances? Are customers issued badges? If so, are they granted different access privileges than employees? Are badges color-coded to signify whether the wearer is a customer, an employee or a third party? Who should be escorted when in the facility, and who is authorized to be unescorted? Are these distinctions obvious to host personnel? One way to verify that access control practices are effectively deployed is to learn the different badge identifiers and observe traffic patterns inside the facility. See if anyone is walking around without a badge; no one should be, not even the firm's CEO. Of course, the entry point to the facility is the first zone of concern. I once signed a visitor log as Daniel Defoe, the long-deceased author of Robinson Crusoe. The guard compared my legible, printed log-in with my driver's license and then let me into the "secure" facility.
Continuity and Disaster Recovery. Backup generators are a start, but they are not enough. Make certain the host has clear, documented plans to guarantee service even during such disasters as floods, earthquakes, power outages, fire, explosions and even terrorist attacks. These plans should include semiannual field tests and maintenance of the generators, properly storing and annually recycling diesel fuel for the generators, and rolling over data to other centers in case of a disabling event. Batteries should supply short-term backup power needs; for longer emergencies, there should be at least two diesel generators capable of supplying power to the data center for 48 hours. Following a power outage, the generators should start within 30 seconds.
The Senior Security Staff. Ask about the experience and status of the senior security staff. Is there a chief security officer or chief information security officer? This is a trend in security-conscious organizations. In facilities that are less security-conscious, responsibility for security may reside in a lower-level manager, a possible problem.
Security Guards. Find out whether the guards are equipped and trained to properly protect your server operation. At one host, I found that the security guards on external patrol were not equipped with any communications equipment. In the event of an incident, they would have to run back to the data center to alert others. Also ask how guards carry out nighttime patrols. Is the entire facility inspected, both inside and outside?
Don't forget to visit the facility with a security team to look for physical flaws, such as secured doors that can be opened with a piece of paper, cables that can be easily pulled out of servers, unlocked server cabinets, rusty backup generators and people walking around without badges. You should also check to make sure your servers can be picked up by the video cameras, and that the facility is divided into zones with different levels of security. When there are no security zones, it could mean that too much security is applied in some areas and not enough in others.
Finally, once you decide to use a Web hosting service, it is absolutely essential to document your due diligence efforts and decision, and to report them to the general counsel, CEO or another appropriate corporate officer with risk management responsibility. Since management and the board will come to you if something goes bump in the night, you want to make sure you have minimized any risks and documented your decisions.
The list of issues, questions and answers can seem endless, and there are no shortcuts. Still, with the credibility of your firmand the loyalty of your customersat risk, it's important to make the right decision for your company.
MacDonnell Ulsch, an independent security consultant, analyst and author, served as a Trusted Advisor to the U.S. Moynihan Commission on Secrecy.
Service Level Agreements
Service Level Agreements: Coming to Terms
Service-Level Agreements are a point of control in the relationship between the customer and Web-hosting service provider. It is ultimately what both parties agree to in principal and in fact. Your legal counsel should review the document, but more is required to create a satisfactory SLA. A team made up of the CIO, an attorney, security and risk executives, and the chief marketing officer should write these agreements. And remember: While a good SLA will aid security, the purpose of the hosted Web site is not to be a paragon of security, but an effective channel for developing your company's business. The SLA should set forth the following:
Security and operational procedures: How often are the backup generators tested, and how frequently is the fuel recycled? What are the actual procedures used in the event of a power failure?
Performance-level statistics: What is the average downtime? What was the longest downtime?
Incident reporting: If there is an attack on the Web host, what information is the host obligated to disclose and when? This can include what damage occurred, how the attack was carried out, what security holes were exploited and whether they were closed, and how quickly the host detected and responded to the attack.
Financial reporting: What is the credit rating of the host? Is the host obligated to advise customers of changes in its credit rating? What is the host's source of funding? If funded through venture capital, when will it close on its next round of capital, and what must it do to ensure successful closure of the next investment round? Does the host have a financial line of credit, and how much of the credit is available?
Human resources policies: What are the backgrounds of the security personnel? Are background investigations completed on all employees? Are convicted felons hired? Are third-party guard services used? Are those guards trained on host security policies and procedures? How much training is provided?
Which Host Fits Best
Which Host Fits Best?
Mom and Pop
- Small businesses catering to small businesses
- Self-funded, reliant on cash flow and bank credit
- Reliability, security and disaster recovery can be low priorities
- The most common type of hosting firm
- Targets mid-size to large corporate clients
- Some are venture-financed; revenues vary widely
- Security varies from weak to strong
- Possibly a viable option, but check carefully
- Focus on vertical markets
- Usually secure and dependable
- Biggest risk is failure to negotiate an effective service-level agreement
-hosting Promises: Fact or Fiction?">
Web-hosting Promises: Fact or Fiction?
- We're secure.
- We have backup systems.
- We'll be there for you.
- Just leave the worrying to us.
- Many firms aren't secure.
- Backup systems, if they exist, may not work.
- Not all firms can substantiate security claims.
- You need to keep worrying.
According to the online magazine Salon.com, Tripod, a site-hosting service owned by Terra Lycos, shut down hundreds of sites on March 17, 2001. Some of the deletions were accidental, but others were not, says Dori Almann, public relations manager of community and communications for Terra Lycos. "We were in the process of removing sites that were in clear violation of our terms of service," Almann told Salon.com, "and inadvertently, there were other sites that were also removed and should not have been."