Service providers start to secure hosted data

The security of hosted data took a step forward this week as two major managed hosting companies, a top-tier ASP and the leading ASP aggregator all announced a la carte hack-prevention services.

While the timing of the announcements was coincidental, it's no coincidence that such companies are thinking about security, say customers, who add that there's still much room for improvement.

The first two announcements, Digex Inc.'s TruDefense and Data Return Corp.'s Reactive Intrusion Detection Services, are essentially the same. Since the new products reside on the customer's server instead of directly on the data center network, they buffer the servers from denial-of-service attacks, officials from both companies said.

"When the device is on the network, it's very difficult for it to respond, it can only watch," said Sunny Vanderbeck, CEO of Data Return, in Irving, Texas. By using server-based detection, he said, "It looks at the traffic before it ever gets to the rest of the servers. It can discard the packets completely - it's not just looking at network-based attacks, but application-level attacks. It's a far deeper level of detection."

Laurel, Md.-based Digex's service runs technology from Entercept Security Technologies Inc., of San Jose, Calif.; Data Return's service runs products from Network ICE Corp., of San Mateo, officials said.

But Randy Hompesch, chief technology officer for agricultural e-commerce site XS Inc. of Raleigh, N.C., suspects that the new services aren't necessarily the best solution.

In a year of being a Digex customer, XS had only one detected intrusion. "Digex's service detected that in minutes and they stopped that particular attack - the server kept on running," he said.

Hompesch said he's more concerned about how much processing power the new offering would use on his servers. Also, he said, such security services, as well as things like periodic recovery tests, should be included in the core service, not offered as options.

"Right now I'd have to put in a special request. ... We're one of their platinum customers, so we pay top dollar. It's well worth the money, so don't nickel and dime me for every bell and whistle," he said.

Meanwhile, the new security services from Corio Inc., a pure-play application service provider in San Carlos, Calif., and Jamcracker Inc., an ASP aggregator in Cupertino, are both based on technology from Counterpane Internet Security Inc.

Counterpane's Managed Security Service product beefs up Corio's and Jamcracker's security, said Counterpane officials in San Jose, by monitoring their networks and applications for intrusion much as Digex's and Data Return's new services do.

"I guess I would definitely like that, especially with the risk of intrusion," said Jamcracker customer Dan Smereczynski, a systems engineer with Chicago-based First Analysis Corp.

Like Hompesch, however, Smereczynski thinks there are still concerns. When companies use Jamcracker or any ASP or hosting firm, he noted, a hacker could access many customers by breaking into the back-end network. Rather than adding a service like Counterpane's, service providers could improve security just by choosing different firewall ports for different customers' network connections, he suggested.

Jamcracker officials acknowledged that point and added one of their own: Service provider security will someday be greatly improved by new XML specifications under the joint development of the private sector and the United Nations' OASIS team. Those specifications include ebXML (or E-Business Extensible Markup Language) and SAML (or Security Assertions Markup Language), they said.