Information Security News mailing list archives

Extreme Security For Web Servers


From: InfoSec News <isn () C4I ORG>
Date: Mon, 5 Feb 2001 00:05:24 -0600

http://www.washingtonpost.com/wp-dyn/articles/A16197-2001Feb1.html

By Dina ElBoghdady
Washington Post Staff Writer
Friday, February 2, 2001; Page E05

To enter the vaults inside the windowless bunker-like compound
requires punching in key codes and slipping your fingers into a series
of scanners similar to those used at the U.S. Navy's nuclear
facilities.

The scanners leave little to chance. Their sensitive glass touch pads
read thumbprints and detect body heat and pulse.

"So if someone cuts your thumb off, they can't use it to get in,"
Patrick Sweeney said.

Welcome to ServerVault. Sweeney, its founder, hopes the Dulles
facility he opened in January will be a standout among the
increasingly crowded field of Web-hosting centers.

Such centers were built to provide the pipes, power and space needed
to house computers that manage Web sites. But their proliferation
during the past few years has left many of them competing for a niche
market. The security paranoid seems to be the target of choice in the
scramble for customers.

Corporate espionage. Disgruntled employees. High-tech pranksters.
Debilitating brownouts. Cyber-terrorism. All have increased demand for
centers built to withstand physical intrusions, ward off network
tampering and keep Web sites running at all costs.

"For many businesses, their information is like gold and they want
something the equivalent of Fort Knox for holding that information,"
said Counse Broders, senior Internet service analyst with
Sterling-based Current Analysis.

A scare at Colorado-based Verio Inc. demonstrates the high stakes. The
company's Springfield office, which houses about 800 servers that
power business and other Web sites, received two written bomb threats
in mid-January. The threats, which proved to be fake, are under
investigation by the Fairfax County Police Department.

More high-profile cases have increased security awareness. Consider
the recent attacks that crippled Microsoft Corp.'s Web sites by
flooding them with false requests for information. Or the hackers who
may have gained access to credit card information at Egghead.com, an
online computer-shopping site.

Most Web hosting firms, including Verio, tout security to some degree.
But the levels range from the rent-a-cop variety to the extremes
offered by ServerVault.

Wrought-iron fences that can withstand 50,000 pounds of force -- like
that produced by a fast-moving car -- enclose the company's
steel-lined building, set back 200 feet from the street and patrolled
by armed guards.

There are two diesel generators, enough to power the city of Herndon
for 12 days, to provide electricity in case of a blackout. And the
network itself has many sources of Internet access, so if one system
goes down, another takes its place.

The vaults holding the computers, or servers, that manage customer Web
sites were built to withstand fire, floods or interference from
outside signals.

Such security measures mark a return to the mentality of the 1970s and
early 1980s, when data and telecommunications centers were built to
shield against spies trying to intercept government information
electronically, said Brenda Medlin, senior vice president of Lee
Technologies Group in Fairfax.

"The Internet has brought back the need for security in these centers,
but for a different reason," Medlin said. "It used to be people were
looking for a way to not lose data. Now businesses and individuals are
looking for data not to be interrupted."

Lee Technologies, which specializes in security for data centers, has
seen the phenomenon firsthand. The company has grown steadily since
its creation in 1983. But business surged in 1998 because of the
Internet boom, Medlin said.

Still, unless government requires businesses to meet certain security
standards, as it does the insurance industry, some analysts predict
that ultra-high security Web hosting centers might not be lucrative.

"Typically, it's a tough sell because the stakes are so high," said
Joel Yaffee, an analyst at the Giga Information Group. "If the data
were somehow compromised, it would have tremendous impact on some
businesses. It's a matter of balancing the risk with the rewards."

Martin Tessler, chief operating officer at Cardobe Technologies Inc.,
said many potential clients at first are reluctant to turn over
sensitive data to an outside company such as Cardobe, which stores
business documents.

"They don't have confidence because they don't trust technology or
because it's out of their control," Tessler said. "But if we discuss
the way they handle their information versus how we handle the
information, we can convince people that putting it in our hands is
much safer."

ServerVault is banking on that sales pitch. Cardobe turned over to
ServerVault its data, Web site management, and the external network
its customers use to view applications.

ServerVault engineers, three-quarters of whom held top security
clearance from former government jobs, will be allowed into the
rooms where servers are kept. Clients who want a peek at the machines
must rely on a virtual tour, through headsets mounted on the
engineers' caps.

"Someone who keeps this information in-house could never recruit this
kind of talent or expertise," said Sweeney, who was a data center
consultant at Trammell Crow Co., a commercial real estate provider,
before creating ServerVault. "Even the background investigations on
the engineers would be cost-prohibitive."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".