
Article information

  • Title: Be aware of off-site storage security - Technology Information
  • Author: Patrick Sweeney
  • Journal: Communications News
  • Print ISSN: 0010-3632
  • Publication year: 2001
  • Volume: Feb 2001
  • Publisher: Nelson Publishing

Be aware of off-site storage security - Technology Information

Patrick Sweeney

The rise in cyberterrorism means off-site storage could be at risk.

Supporting a secure website and high-performance e-commerce system with on-site storage management can run into millions of dollars. Outsourcing to a hosting firm? A few thousand dollars a month.

Hosting services have the networking infrastructure, are equipped with the telecommunications equipment, and offer the technical expertise to deploy e-commerce systems--a luxury few companies can afford. Gartner research shows that the IT and personnel costs of securing Internet-exposed applications are three to five times higher than those of equivalent internal applications, leaving businesses with a skills shortage issue.

Additionally, dot-coms experiencing fast growth are having a hard time keeping up with the increasing number of transactions. Hosting services can provide relief to a company experiencing growing pains by enabling the company to affordably expand operations in its scalable infrastructure.

The trend of outsourcing Web hosting is driven not only by the cost of implementing a secure, scalable environment, but also by the rise in cyberterrorism. Off-site hosting and management can overcome the hazards of on-site data storage, including the theft or destruction of content and the physical sabotage of the storage server itself.

Most IT managers are generous when dedicating money and resources to implement the latest in data storage technology, yet few put any forethought and planning into securing the business-critical data or where the storage servers themselves reside. Such an oversight can prove tragic to businesses whose livelihood depends on content and intellectual property.

Often, on-site storage is left unsecured or loosely secured through password protection, leaving data open to harm and the company vulnerable to corporate espionage, hacking or natural disasters. On the other hand, off-site storage in a highly secured location, built to withstand physical and technological attacks on its servers, can help a business maintain its competitive edge while, at the same time, ensuring protection of intellectual assets.

DETECTING THE CYBERTERRORIST

Gartner estimates that three out of four business websites are currently vulnerable to security attacks. Magnetic pulsing devices, the latest being used in the corporate "spec wars," can erase data from 100 yards without leaving any trace or evidence of their users. Yet, this powerful weapon is small enough to fit in a cigarette carton, making it easy to sneak into corporate offices or to hide in a decoy server at any co-location center.

Another cyberterrorist weapon is the HERF gun, which can fry a server from 30 yards away. Any technically adept person can make one for under $600. The gun, which essentially changes all the 0s and 1s into 0s, provides criminals with a simple way to take out a server without leaving a trace of evidence. HERF-gun damage is permanent; the data cannot be recovered.

The co-location server configuration widely used by hosting service providers is anything but secure. The self-serve environment, where the customer is fully responsible for purchasing, installing and managing the Internet operations, leaves servers open to attacks by exposing them to every customer who walks in the door. Servers share space on rows of racks or reside in separate fenced cages in open sight. Even when servers are fenced in, they run on the same network. As on most networks, each server is visible to users, making it vulnerable to security breaches.

Co-location services normally leave the problem of security to the customer. If the customer is lucky, the provider has reasonably well-configured switches that prevent other customers from sniffing the customer's data. Unless the intruder is compromising the entire network's performance or security, the provider will not get involved. One common practice is to unplug the compromised host until the intruder leaves and then plug it back in--just as insecure as before.

THE THREAT FROM WITHIN

When protecting the integrity of business-critical data, even fewer businesses take any precautions beyond user authentication and permissions. FBI studies reveal that 80% of intrusions and attacks come from within organizations. Sabotaging the server is easy for an employee.

Any IT person set on revenge can pass through your data center or a co-location's security checkpoint virtually unnoticed and obtain access to the company server, since he is allowed to roam the facility unescorted and work unsupervised.

New managed hosting services, specializing in security, guard against both external and internal attacks by placing defense mechanisms at different areas of the network, including the switches, routers and transport protocol layers. Secure hosting services perform comprehensive filtering of well-known IP protocols at the network and firewall, and prohibit all other IP protocols that cannot be filtered.

Do not confuse superficial security measures with real security. In today's information age, the omission of the provider's name on the exterior of its hosting site or a caged server will do little to deter a breach from a determined attacker. Such installations instill in customers a false sense of security.

www.servervault.com


Sweeney is founder of ServerVault, Springfield, VA.

COPYRIGHT 2001 Nelson Publishing
COPYRIGHT 2001 Gale Group
