Data Centre Outsourcing - A Security Perspective

At the heart of the hosting industry are data centres and their key attributes that make them outsource-compelling.
Written by Eddie Chau, Contributor
The hosting industry began as an outlet or external resource for companies hoping to outsource the physical space and bandwidth needed to support their Web sites, and with it, their Web-hosting requirements. Over the years, the hosting industry has evolved into an economic marketplace of strategic importance within the communications industry. At the heart of the hosting industry are data centres and their key attributes that make them outsource-compelling. Data centres themselves have evolved from the plain vanilla FM-type services to IDC model, to the 'managed hosting' model today with its end-to-end managed solutions and services. Aside from the strong economic model rationale that underlines its market value proposition, the data centre today is of even higher strategic importance because of the level of Internet traffic that it generates, the IP based connectivity it sits on, and the volume of data concentration housed.

Overtime, the majority of Internet traffic will increasingly originate from servers housed and maintained by hosting providers, partly owing to the rapid commoditisation of bandwidth and competitive differentiation between different types of data centres; however, from a security perspective, the volume of data transmission, generation, concentration and applications make the data hosting industry too important to ignore. Not least in light of increasing hacking and cyber-criminal activity both in the Internet and Intranet space, and the rise of cyber-terrorism.

The Managed Hosting Value Proposition today
  • Accelerated time to marketLower entry costs
  • Lower entry costs
  • Sidesteps IT resource shortage
  • Less costly and more timely application upgrade cycle
  • More robust network performance
  • Tailored service level agreements
  • Lower total cost of ownership (TCO)
  • Peace of mind in terms of security, business contingency and continuity

Security as a key aspect of this Mission-Critical attribute
From a market perspective, customers will always differentiate a data centre of today from the data centre of yesterday, and look at what differentiates the same one of today tomorrow - and most often, preferably for the same price. In addition to the primary role that a data centre provides in terms of collocation, network connectivity, data storage, IT services and shared or dedicated applications, its security features have become a fundamental consideration for the ever-sophisticated customer in deciding which data centre it eventually wants to outsource to.

Outsourcing Trust
A common reason that companies cite for not outsourcing their Internet infrastructure is the concern over security. In essence, when a customer outsources the management of its data to a data centre, it not only places expectations on the data centre to deliver its hosting/network requirements, but also places trust in the hosting company to handle and protect its data. In other words, the customer feels confident in the level of professional service it will receive from the data centre. Hence, security is always a primary concern or, if not, the foremost consideration in any outsourcing decision-making process.

A survey by CIO ASIA in 2000 showed that security was the primary most important factor in considering whether to outsource its IT operations to a data centre.

Reasons For And Against Outsourcing    
% Small       Medium       Large      
Security 36% 29% 25%
Flexibility/Svs. Options 29% 19% 19%
Customer Service 14% 10% 13%
Cost 14% 10% 13%
Performance 7% 5% 6%
Continuity in Mergers 0% 5% 6%
Other 0% 24% 19%

It is already well documented that for the Internet to thrive as an e-commerce backbone, companies and individuals need to feel that transactions and proprietary information are secure. For e-commerce dependent service providers who outsource their Internet infrastructure to data centres for management, vicious attacks like a Distributed Denial-of-Service (DOS) can cripple their entire operations instantaneously. References to hacking attacks on Amazon, CNN, eBay, NASA, BBC and other popular Web sites are often brought up as powerful reminders of the lurking dangers on the Internet. As such, data centres must ensure that network security technology and the requisite security expertise supports the other product suite offering, and actively recommend security offerings to any potential customers. Owing to the increasing level of attack sophistication, data centres should also continuously consider and internalize new e-security measures to stay ahead of hackers and malicious intruders.

A Sampling of Attacks    
Type Description
Backdoors Executable codes enabling entry without authorization
Session Hijacking Replacing one party of a legitimate TCP connection
Packet Sniffing Reading unencrypted passwords off a network
Packet Spoofing Masquerading as a trusted host in order to insert a backdoor
Application-layer Hidden executable code within common software and protocols
Denial of Service Flooding a host/router with TCP/ICMP requests to shut it down
Source: e-Cop.net
Data Centre Outsourcing - A Security Perspective
Page 2 of 3
It is imperative that data centres demonstrate their capability to address customers' genuine concerns on security, and assure them that their data - in terms of confidentiality, integrity and availability - will be well-maintained and protected at all times.

Basic Physical Security
Most data centres already provide physical security features, beginning with the basics and extending to value-added services that a highly sensitive customer can elect to add. The basic security embedded in a data centre's infrastructure will typically encompass Controlled Access, Physical Monitoring and Value-Added Services (see next figure).

Types of Physical Data Centre Security
Controlled Access:

  • Multiple mantraps at entry
  • Photo identification
  • Electronic cards and PIN codes
  • Biometric finger or palm scanners
  • Physical Monitoring:
    • 24x7 Security Guards
    • CCTVs
    • Motion detectors
    Value Added Services:
    • Enclosed racks or cabinets
    • Cages
    • Private rooms
    • High security vaults (mini-data centres)

    Network Security
    Data centres must also maintain adequate network security measures for customers because of the IP connectivity and Internet based applications supported out of the data centre. Typical network security measures today include firewall and firewall management, intrusion detection systems (IDS), and vulnerability scanning and monitoring of servers. As the company's footprint expands, most hosting service providers will also establish a mirrored Network Operating Centre (NOC) in an alternate location, usually out of region, to allow for remote disaster recovery resulting from weather-related disturbances or other unforeseen events, which is good practice.

    Standard Security Features of a Data Centre Today and Tomorrow  
    Today Tomorrow
    Physical Security
    Access CCTV, Guard, ID Card     Biometric scanning
    Security 24 x 7 x 365 24 x 7 x 365
    Trouble Call Response Time Hours Minutes
    Network Security
    Infrastructure Firewall Firewall, IDS (network & host-based)
    Network Security Management Some Full-suite
    Vulnerability Scanning Some Most
    24x7 Network/Internet Surveillance None
    None Real-time
    Correlation Analysis & Profiling None Some

    Source: e-Cop.net
    Data Centre Outsourcing - A Security Perspective
    Page 3 of 3
    However, someone building a fortress would still need people on patrol in case there is a break-in or attempted break-in. As mentioned earlier, network attacks are becoming more sophisticated and early detection or, better still prevention, is needed before real damage is done. Hence, there is the need for active management of firewalls and IDSs. The managed security services offered by a data centre, if properly deployed, can address this. Managed security services will become a compelling value proposition as much as it is a competitive differentiation to the data centre. Taking it one step further, there is an increasingly clear need for 24x7 network surveillance within the data centre to prevent external hackers or intruders from successfully targeting customer's servers. Why? Because an attempted "theft" detected is an attempt noticed, and the customer/data centre can be alerted to do something immediately. An attempted "theft" undetected is an attempt gone unnoticed, and the hacker may be encouraged to try again. If no remedial action is taken immediately, any damage control may be too late.

    Managed Security Services
    In essence, managed hosting services are already prevalent in most data centre. At the core , managed security services will become critical to a successful hosting strategy. The majority of managed security service revenues come from either the installation or the ongoing support of the network security infrastructure. This role is analogous to the role played by an enterprise's own internal IT security group. Rather than hire internal IT security professional to run and monitor firewalls and IDSs, companies can outsource the role to a data centre. Given the tight labor market for network security professionals and the increasing complexity of the trade, managed security services of this type will likely continue to form a very high value-added segment of the hosting market.

    Data Centre - Security Partnerships
    Today, because of the many technical demands made of a data centre, we see many managed data centres collaborating with best-of-breed partners to amalgamate, or bundle, their technology solutions and services into their core offerings, so long as they feel there is a customer need for that service feature. Managed security is certainty one of enabling service, as illustrated by telco-data centres partnering with managed e-security providers, such as British Telecom tying up with Ubizen, and SingTel Expan partnering e-Cop.net in Asia-Pacific.

    Information Security Management Systems (ISMS) - The Certification Way
    As mentioned earlier, many customers look toward some measure of assurances when they outsource their data to a data centre. One noticeable industry feature has been the trend towards demonstrating these assurances through security certification standards, such as the BS 7799 or its ISO equivalent, ISO/IEC 17799, ISO 13335 and ISO 15408. Obviously, data centres that go for these standards believe that certification ensures the existence of acceptable standards of effective security systems and processes in place. Achievement of such standards, which are benchmarked against the industry's "Best Practices", will also improve customer confidence in their systems and processes, since the weakest link in operations can always make the best technology vulnerable. Although certification does not guarantee 100% security - nothing does - it does set acceptable standards in an industry that has so far been less demonstrative in inspiring security confidence since new technology and processes are often deployed first for commercial returns.

    What You Get Is Not Always What You See
    Contrary to common belief, not all data centres are equal, nor will they be equal at any one point in time, today or tomorrow. Differences in location, size, power, storage capacity, bandwidth connectivity, the type of end-to-end services, managed services and many other value-added features will differentiate the "tomorrow" from the "today". From the customer perspective, each feature will lend varying returns on investment for the customer, depending on the requirements and economics involved. Besides economic considerations, most customers today will ask broad questions in three key areas before deciding whether to outsource: traffic management capability, performance reliability and security. Besides pricing considerations, the quality, reliability and security of a data centre will determine the speed and retention capability at which a hosting provider is able to fill it and sustain it. This has significant impact on returns for any organization outsourcing to it. As with almost any outsource service model, having a trustworthy reputation and a reliable state-of-the-art infrastructure, which must include effective network security, are critical to sustaining the long-term viability of the data centre outsourcing model.

    Eddie Chau is President and CEO of e-Cop.net Pte Ltd, an Internet Security Services provider headquartered in Singapore, with offices and Global Command Centres (GCCs) in Singapore, Hong Kong, Malaysia and Japan.

    Editorial standards