Data Centre Outsourcing - A Security Perspective
Overtime, the majority of Internet traffic will increasingly originate from servers housed and maintained by hosting providers, partly owing to the rapid commoditisation of bandwidth and competitive differentiation between different types of data centres; however, from a security perspective, the volume of data transmission, generation, concentration and applications make the data hosting industry too important to ignore. Not least in light of increasing hacking and cyber-criminal activity both in the Internet and Intranet space, and the rise of cyber-terrorism.
The Managed Hosting Value Proposition today
- Accelerated time to marketLower entry costs
- Lower entry costs
- Sidesteps IT resource shortage
- Less costly and more timely application upgrade cycle
- More robust network performance
- Tailored service level agreements
- Lower total cost of ownership (TCO)
- Peace of mind in terms of security, business contingency and continuity
Security as a key aspect of this Mission-Critical attribute
From a market perspective, customers will always differentiate a data centre of today from the data centre of yesterday, and look at what differentiates the same one of today tomorrow - and most often, preferably for the same price. In addition to the primary role that a data centre provides in terms of collocation, network connectivity, data storage, IT services and shared or dedicated applications, its security features have become a fundamental consideration for the ever-sophisticated customer in deciding which data centre it eventually wants to outsource to.
Outsourcing Trust
A common reason that companies cite for not outsourcing their Internet infrastructure is the concern over security. In essence, when a customer outsources the management of its data to a data centre, it not only places expectations on the data centre to deliver its hosting/network requirements, but also places trust in the hosting company to handle and protect its data. In other words, the customer feels confident in the level of professional service it will receive from the data centre. Hence, security is always a primary concern or, if not, the foremost consideration in any outsourcing decision-making process.
A survey by CIO ASIA in 2000 showed that security was the primary most important factor in considering whether to outsource its IT operations to a data centre.
| Reasons For And Against Outsourcing | |||
| % | Small | Medium | Large |
| Security | 36% | 29% | 25% |
| Flexibility/Svs. Options | 29% | 19% | 19% |
| Customer Service | 14% | 10% | 13% |
| Cost | 14% | 10% | 13% |
| Performance | 7% | 5% | 6% |
| Continuity in Mergers | 0% | 5% | 6% |
| Other | 0% | 24% | 19% |
It is already well documented that for the Internet to thrive as an e-commerce backbone, companies and individuals need to feel that transactions and proprietary information are secure. For e-commerce dependent service providers who outsource their Internet infrastructure to data centres for management, vicious attacks like a Distributed Denial-of-Service (DOS) can cripple their entire operations instantaneously. References to hacking attacks on Amazon, CNN, eBay, NASA, BBC and other popular Web sites are often brought up as powerful reminders of the lurking dangers on the Internet. As such, data centres must ensure that network security technology and the requisite security expertise supports the other product suite offering, and actively recommend security offerings to any potential customers. Owing to the increasing level of attack sophistication, data centres should also continuously consider and internalize new e-security measures to stay ahead of hackers and malicious intruders.
| A Sampling of Attacks | |
| Type | Description |
| Backdoors | Executable codes enabling entry without authorization |
| Session Hijacking | Replacing one party of a legitimate TCP connection |
| Packet Sniffing | Reading unencrypted passwords off a network |
| Packet Spoofing | Masquerading as a trusted host in order to insert a backdoor |
| Application-layer | Hidden executable code within common software and protocols |
| Denial of Service | Flooding a host/router with TCP/ICMP requests to shut it down |
Page 2 of 3
It is imperative that data centres demonstrate their capability to address customers' genuine concerns on security, and assure them that their data - in terms of confidentiality, integrity and availability - will be well-maintained and protected at all times.
Basic Physical Security
Most data centres already provide physical security features, beginning with the basics and extending to value-added services that a highly sensitive customer can elect to add. The basic security embedded in a data centre's infrastructure will typically encompass Controlled Access, Physical Monitoring and Value-Added Services (see next figure).
Types of Physical Data Centre Security
Controlled Access:
|
Network Security
Data centres must also maintain adequate network security measures for customers because of the IP connectivity and Internet based applications supported out of the data centre. Typical network security measures today include firewall and firewall management, intrusion detection systems (IDS), and vulnerability scanning and monitoring of servers. As the company's footprint expands, most hosting service providers will also establish a mirrored Network Operating Centre (NOC) in an alternate location, usually out of region, to allow for remote disaster recovery resulting from weather-related disturbances or other unforeseen events, which is good practice.
Standard Security Features of a Data Centre Today and Tomorrow
| Today | Tomorrow | |
| Physical Security | ||
| Access | CCTV, Guard, ID Card | Biometric scanning |
| Security | 24 x 7 x 365 | 24 x 7 x 365 |
| Trouble Call Response Time | Hours | Minutes |
| Network Security | ||
| Infrastructure Firewall Firewall, IDS (network & host-based) | ||
| Network Security Management | Some | Full-suite |
| Vulnerability Scanning | Some | Most |
| 24x7 Network/Internet Surveillance | None | |
| None | Real-time | |
| Correlation Analysis & Profiling | None | Some |
Source: e-Cop.net Data Centre Outsourcing - A Security Perspective
Page 3 of 3
However, someone building a fortress would still need people on patrol in case there is a break-in or attempted break-in. As mentioned earlier, network attacks are becoming more sophisticated and early detection or, better still prevention, is needed before real damage is done. Hence, there is the need for active management of firewalls and IDSs. The managed security services offered by a data centre, if properly deployed, can address this. Managed security services will become a compelling value proposition as much as it is a competitive differentiation to the data centre. Taking it one step further, there is an increasingly clear need for 24x7 network surveillance within the data centre to prevent external hackers or intruders from successfully targeting customer's servers. Why? Because an attempted "theft" detected is an attempt noticed, and the customer/data centre can be alerted to do something immediately. An attempted "theft" undetected is an attempt gone unnoticed, and the hacker may be encouraged to try again. If no remedial action is taken immediately, any damage control may be too late.
Managed Security Services
In essence, managed hosting services are already prevalent in most data centre. At the core , managed security services will become critical to a successful hosting strategy. The majority of managed security service revenues come from either the installation or the ongoing support of the network security infrastructure. This role is analogous to the role played by an enterprise's own internal IT security group. Rather than hire internal IT security professional to run and monitor firewalls and IDSs, companies can outsource the role to a data centre. Given the tight labor market for network security professionals and the increasing complexity of the trade, managed security services of this type will likely continue to form a very high value-added segment of the hosting market.
Data Centre - Security Partnerships
Today, because of the many technical demands made of a data centre, we see many managed data centres collaborating with best-of-breed partners to amalgamate, or bundle, their technology solutions and services into their core offerings, so long as they feel there is a customer need for that service feature. Managed security is certainty one of enabling service, as illustrated by telco-data centres partnering with managed e-security providers, such as British Telecom tying up with Ubizen, and SingTel Expan partnering e-Cop.net in Asia-Pacific.
Information Security Management Systems (ISMS) - The Certification Way
As mentioned earlier, many customers look toward some measure of assurances when they outsource their data to a data centre. One noticeable industry feature has been the trend towards demonstrating these assurances through security certification standards, such as the BS 7799 or its ISO equivalent, ISO/IEC 17799, ISO 13335 and ISO 15408. Obviously, data centres that go for these standards believe that certification ensures the existence of acceptable standards of effective security systems and processes in place. Achievement of such standards, which are benchmarked against the industry's "Best Practices", will also improve customer confidence in their systems and processes, since the weakest link in operations can always make the best technology vulnerable. Although certification does not guarantee 100% security - nothing does - it does set acceptable standards in an industry that has so far been less demonstrative in inspiring security confidence since new technology and processes are often deployed first for commercial returns.
What You Get Is Not Always What You See
Contrary to common belief, not all data centres are equal, nor will they be equal at any one point in time, today or tomorrow. Differences in location, size, power, storage capacity, bandwidth connectivity, the type of end-to-end services, managed services and many other value-added features will differentiate the "tomorrow" from the "today". From the customer perspective, each feature will lend varying returns on investment for the customer, depending on the requirements and economics involved. Besides economic considerations, most customers today will ask broad questions in three key areas before deciding whether to outsource: traffic management capability, performance reliability and security. Besides pricing considerations, the quality, reliability and security of a data centre will determine the speed and retention capability at which a hosting provider is able to fill it and sustain it. This has significant impact on returns for any organization outsourcing to it.
As with almost any outsource service model, having a trustworthy reputation and a reliable state-of-the-art infrastructure, which must include effective network security, are critical to sustaining the long-term viability of the data centre outsourcing model.
Eddie Chau is President and CEO of e-Cop.net Pte Ltd, an Internet Security Services provider headquartered in Singapore, with offices and Global Command Centres (GCCs) in Singapore, Hong Kong, Malaysia and Japan.