PaulDotCom mailing list archives
Hosted Applications and Security or Lack there Of
From: eharrison at gmail.com (Erik Harrison)
Date: Mon, 3 Nov 2008 21:08:18 -0500
Tim,

Speaking from experience working in the hosting industry, here are some things to consider before going down the long, thorny path of managed anything.

Be sure you take a very careful read of any MSAs you sign. It would seem reasonably straightforward, but many hosts take little accountability or liability for much other than a base service offering; in some cases, little more than network, power and hardware replacement. Any other service may be best effort, and it is entirely up to the accounting department or senior managers whether they decide to let you break the contract without paying it out. Of course, this is generally quite a bit more refined when you outsource a specific service, say mail filtering. The more specific the service, the more specific the conditions, and in most cases services will offer a certain availability baseline. Availability won't include maintenance windows. Read how these windows are defined, what notice is required to set them, and understand the impact. These maintenance windows will probably still affect your business, but it's usually carte blanche for the provider.

When it comes to certifications (ISO, SAS 70, PCI, etc.), be sure you clarify the context of these certifications. What parts of the operation or application are certified? Does that mean your account will be managed within the same framework? You may be surprised by the answer to that. Chances are marketing will never let word of a breach or a noncompliance audit show up anywhere on the website or be communicated outside the organization. Sure, they were certified, but are they still? Is the infrastructure that was certified still the default offering to new customers, and more specifically to your account?

Managed service providers outsource, too. Do you know what those relationships look like? What the outsourced company is, when they're engaged, what their credentials are like? On the topic of credentials, check the claims of "all of our staff is blah certified!" Can they back that up with cert numbers? Are those certs still valid?

With regard to security, good luck. The legal requirements will vary wildly between jurisdictions, provinces and countries, assuming there are any at all. Your service provider may not disclose a breach of your system to you. Though most will make a reasonable effort to manage and monitor your services in a decent manner, I'd love to see a provider that puts specific, positive security clauses in their contracts. Do they have a security team? Is it one guy? What's their process like, and has that process been approved at the executive level? How often do they enforce their AUP and affect a client's service to uphold integrity?

In the end, the onus will be on you, the account owner, to ensure that your environment, services and contacts all work for you. Don't leave anything up to chance. At the end of it, if it all goes to hell and your company suffers because of another's inability or incompetence to deliver basic services, you're going to take a far bigger hit than the company you're dealing with will when you decide to cancel the contract. Make sure you ask questions, and make sure the answers to those questions are backed up with real evidence, not sales yammering and assurances. If you have specific concerns or requirements, make sure they're in the contract. Assume nothing. If you have suspicions, monitor the situation yourself, though that may cost more to do than the reason for having an outsourced provider to begin with would justify.

Though, to be fair, it's not all doom and gloom and unfulfilled promises. You'll find providers which stand up to your interrogation or answer truthfully. Those are the rare ones, and probably the ones you want to go with despite any obvious deficiencies or expense.

I hope some of this was useful and not all just incoherent ramblings.

2008/10/31 Bugbear <gbugbear at gmail.com>:
Good Morning Everyone,

I had an interesting discussion with my boss yesterday over a really great lunch and I decided to post it up here to see what dialog comes out of it. We certainly have come a long way from a service provider just providing a Virtual Web Server for our Corporate Web Page. Seems like everyone now is selling a "hosted" solution. There are Anti-Spam Services, Message Archiving, HRS Databases, Online Collaboration, Expense Reporting, DR Services, etc. Every time I see such a request or project plan in my Company for a service such as these I get a twitch in my left eye and a sudden urge to smoke. In most instances I would prefer to have the apps in house, but the reality of being a mid-sized R&D company with no products yet and limited resources sets in quickly.

What is everyone doing at work? Do you try to keep things in house? Maybe based on the nature of the data (i.e. a hosted website offering up generic info on the Company is a lot different from an HR Database being out there)? What does everyone look for when evaluating a host (i.e. SAS 70, other independent audit reports, pen tests, site visits, etc.)?

Fire away, I am very interested in everyone's opinion!

Tim

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
Current thread:
- Hosted Applications and Security or Lack there Of Bugbear (Oct 31)
- Hosted Applications and Security or Lack there Of Brian Gray (Nov 03)
- Hosted Applications and Security or Lack there Of Paul Asadoorian (Nov 03)
- Hosted Applications and Security or Lack there Of Bugbear (Nov 03)
- Hosted Applications and Security or Lack there Of Erik Harrison (Nov 03)
- Hosted Applications and Security or Lack there Of Bugbear (Nov 04)