PaulDotCom mailing list archives

Hosted Applications and Security or Lack Thereof


From: eharrison at gmail.com (Erik Harrison)
Date: Mon, 3 Nov 2008 21:08:18 -0500

Tim,

Speaking from experience working in the hosting industry, here are
some things to consider before going down the long, thorny path of
managed anything.

Be sure you take a very careful read of any MSAs you sign. It would
seem reasonably straightforward, but many hosts take little
accountability or liability for much other than a base service
offering. In some cases, little more than network, power and hardware
replacement. Any other service may be best effort, and entirely up to
the accounting department or senior managers as to whether they decide
to let you break the contract without paying it out.

Of course, this is generally quite more refined when you outsource a
service, say mail filtering. The more specific the service, the more
specific the conditions and in most cases services will offer a
certain availability baseline. Availability won't include maintenance
windows. Read how these windows are defined, what notice is required
to set them and understand the impact. These maintenance windows will
probably still affect your business, but it's usually carte blanche for
the provider.

When it comes to certifications, ISO, SAS70, PCI, etc.. be sure you
clarify the context of these certifications. What parts of the
operation or application are certified? Does that mean your account
will be managed within the same framework? You may be surprised at the
answer to that. Chances are marketing will never let word of a breach
or noncompliance audit show up anywhere on the website or be
communicated outside the organization. Sure, they were certified, but
are they still? Is the infrastructure that was certified still the
default offering to new customers, and more specifically to your account?

Managed service providers outsource, too. Do you know what those
relationships look like? What the outsourced company is, when they're
engaged, what their credentials are like?

On the topic of credentials, check the claims of 'all of our staff is
blah certified!'. Can they back that up with cert numbers? Are those
certs still valid?

With regards to security, good luck. The legal requirements will vary
wildly between jurisdictions, provinces, countries, assuming there are
any at all. Your service provider may not disclose a breach of your
system to you. Though, most will make a reasonable effort to manage
and monitor your services in a decent manner, I'd love to see a
provider that puts specific positive security clauses in their
contracts. Do they have a security team? Is it one guy? What's their
process like, and has that process been approved by the executive
level? How often do they enforce their AUP and affect a client's
service to uphold integrity?

In the end, the onus will be on you - the account owner - to ensure
that your environment, services, contacts all work for you. Don't
leave anything up to chance. At the end of it, if it all goes to hell
and your company suffers because of another's inability or
incompetence to deliver basic services, you're going to take a far
bigger hit than the company you're dealing with will when you decide
to cancel the contract.

Make sure you ask questions, make sure those questions are backed up
with real evidence, not sales yammering and assurances. If you have
specific concerns or requirements, make sure it's in the contract.
Assume nothing. If you have suspicions, monitor the situation yourself
- though that may cost more to do than to justify the reason for
having an outsourced provider to begin with.

Though, to be fair, it's not all doom and gloom and unfulfilled
promises. You'll find providers which stand up to your interrogation
or answer truthfully. Those are the rare ones, and probably the ones
you want to go with despite any obvious deficiencies or expense.

I hope some of this was useful and not all just incoherent ramblings.

2008/10/31 Bugbear <gbugbear at gmail.com>:
Good Morning Everyone,

I had an interesting discussion with my boss yesterday over a really great
lunch and I decided to post it up here to see what dialog comes out of it.

We certainly have come a long way from a service provider just providing a
Virtual Web Server for our Corporate Web Page. Seems like everyone now is
selling a "hosted" solution. There are Anti-Spam Services, Message Archiving,
HRS Databases, Online Collaboration, Expense Reporting, DR Services, etc...
Every time I see such a request or project plan in my Company for a service
such as these I get a twitch in my left eye and have a sudden urge to smoke.
In most instances I would prefer to have the apps in house but the reality
of being a mid-sized R&D company with no products yet and limited resources
sets in quickly.

What is everyone doing at work? Do you try to keep things in house? Maybe
based on the nature of the data (i.e. Hosted website offering up generic
info on Company is a lot different than a HR Database being out there)? What
does everyone look for when evaluating a host (i.e. SAS 70, other
independent audit reports, pen tests, site visits, etc...)?

Fire away, I am very interested in everyone's opinion!

Tim



_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com