E.B. Writers of Dallas

By Esther M. Bauer

From Web Hosting Monthly, June 2003 edition
July 9, 2003 -- (WEB HOST INDUSTRY REVIEW)

Security officers at many Web hosting providers are facing increasing demands on their time and budgets as they struggle to stay ahead of all manner of assailants trying to breach their networks.

Matej Sustic, chief technology officer for Canada-based Fusepoint Managed Services (fusepoint.com), spends fully half his time on security issues.

Although the four-year-old company is among the few North American xSPs still enjoying triple-digit growth, the success doesn't account for the increasing time demands necessary to stay up-to-date on security issues.

Sustic entered the Internet service provider side of technology 10 years ago when firewalls were considered a big deal. Until five years ago, only 15 to 20 percent of his responsibilities involved security, but since then the necessity of assuring secure networks gobbles more and more of his time.

"We have to find new ways to protect ourselves... a constant game that is getting faster; new ways of hacking are coming out faster and faster. It's a bad guy, good guy chase, and the criminals are inventing new ways of endangering Internet Web sites, e-mail, and whatever else," says Sustic, whose defense planning is much like a war game.

"We look at new products and new hacks and regularly review policies and procedures and keep up with what is happening. It's a game of what if, and how are we going to react. The situation is changing constantly."

Because security is a marriage of products and services that providers sell as peace of mind to customers, disaster recovery has been added to the responsibility of many security officers, like Sustic, within the last two years.

"These solutions are not cheap, and a big part of my job is to continuously improve these solutions. These days there is definitely way more focus on all these parts of the security solution," he says.

Offering a combination of security features and disaster recovery solutions is primary at Fusepoint, where core customers are brick-and-mortar medium and large enterprises that don't want the chaos or publicity caused by hackers penetrating their network. The Royal Canadian Mint, for example, sells pricey coins through Fusepoint's data center.

Sustic predicts a more dangerous hacker of the future will replace today's ego-driven mavericks.

"In the future, it won't so much be to prove a point; they will be going after the money where online transactions are happening," he says.

An even worse threat are worms, because they can damage the Internet itself by spreading unassisted and clogging Internet pipes with so much worm traffic that legitimate transit can't get through. "The volume base of these attacks is huge when it comes to worms," Sustic says.

Security at privately held Intermedia.NET (intermedia.net) of Mountain View, Calif., which was founded in 1995 to provide managed and shared hosting services to small and medium enterprises, is the responsibility of several individuals. Security focuses on the server side of the equation since the company doesn't own the data center its servers are housed in.

The focus on assuring the security of hosting servers is driven by the business model, says Serguei Sofinski, vice president of operations, "due to the nature of our business when we need to satisfy customers requirements to make various applications on the server available. Most attacks come directed to well known ports, like port 80, that are opened in firewalls."

Attacks on such ports are inevitable so security includes constant monitoring and the timely installation of patches. "In a hosting environment the biggest threat comes from inside - the customers themselves try to break into the system or into other customers' files," Sofinski says.

To decrease that level of threat, Intermedia.NET developed a customized setup for hosted servers that isolates customers from each other.

Within the last 12 months, the company invested in firewall, VPN devices, and other security measures, including encrypted Secure Sockets Layer (SSL) communication in the server management and account management systems. Shared and dedicated hosting customers also may install GeoTrust secure certificates on their Web sites through an automated five-minute procedure.

The company's security officials list as their top challenges patch management, balance versus security and function, and awareness training - each engendering sets of problems that Sofinski describes this way:

"Microsoft has just released a critical system patch, and you need to immediately install it on all servers and notify customers - not an easy task if a thousand servers need to be updated.

"Plain HTML sites are very secure, but customers demand sophisticated, and therefore more vulnerable, technologies, like the ability to register custom components and remote data access.

"A web site can be hosted on a properly configured server in an indestructible building. but an unaware customer can grant an anonymous user full access to the site. The responsibility to stay informed and aware lies on all sides - the Web hosting company and the end user. Awareness training is very important, but it's a very challenging task," he says.

Security at Englewood, Colo.-based NTT/Verio (verio.com), is handled by two teams, an IT team handling internal functions, and a customer team that concentrates on security for hosting clients.

"Each team worries about their part of the world, and then we come together as a team to talk about larger issues and policymaking," says Stan Barber, vice president of engineering operations.

Verio also plans to create a security management office to make management of such issues more explicit. The firm also has developed an "internal roadmap for the evolution of our security capability to map up against our security policy," which Barber explains ensures security products are purchased and deployed according to identified needs.

"We have to balance all of the priorities of the company against each other, and security is one of the priorities, so for every dollar that we have available to spend, we try to get the biggest bang for the buck."

He considers the biggest challenge to hosting environments denial of service attacks, whether caused by ill intent or the popularity of the Web site.

Among the defenses is monitoring suspicious traffic patterns, then taking one of two actions. Based on the customer's service plan, such traffic is either shunted away as bad traffic or handled through a content-distribution system that spreads across the network.

Security from a corporate level is first and foremost best expressed in a security policy that is integrated with technology to support the policy. Without that approach, security is largely a phantom, he says. "A lot of people miss the boat; they think, 'oh gosh if I go out and buy the latest and greatest security product, I am going to have security.' Well, that's a fallacy."