FEATURE

E-Commerce's Great 8
January 24, 2000

E-Commerce Security: Security Blanket Has a Few Tatters

E-commerce hosting is young, and so are the rules and practices that underpin the security of these services. Digex and Sprint are setting the standards.

By Christine Hudgins

You won't find the huge security gaps and gaffes among The Great Eight that surfaced last year when we profiled many smaller commerce hosting providers (see "Cashing In on E-Commerce," www.networkcomputing.com/923/923f1csp.html). Still, no one offers a tatter-free security blanket. Lack of experience is a plague on all our houses. Even huge telcos that have secured their own facilities since antediluvian times struggle to achieve the delicate balance between securing data facilities and giving collocated merchants access to those buildings and otherwise confidential security policy documentation.

When we sat down to evaluate Great Eight security practices, we, too, were forced to examine not only security basics, but the willingness of hosting providers to exhibit proof of their trustworthiness, while also providing services that keep merchants informed of security vulnerabilities and fixes. Our evaluation was based on interviews with hosting company engineers and managers, customers and analysts, and responses to 18 detailed questions we thought you might ask of The Great Eight in planning your own outsourcing strategy. Those questions, responses and point totals can be found in the navigation to the right. Although most of the hosting providers we evaluated pulled in roughly half the total 200 points possible in the security category, two stood above the rest: Digex and Sprint.
Digex, Sprint: Two Different Approaches

What is perhaps most fascinating about these two companies rising to the top is the contrast in their staffing. Digex's full-time security staff of 15 (plus 10 consultants) is dwarfed by the force of 120 full-time employees who secure Sprint's network and its hosting facility. At least 50 are dedicated to the managed-security operations center, 15 to 20 review server change requests, 20 work in design and six in project management. The irony is that Digex claims about 600 Web sites, compared to about 140 at Sprint.

Still, it's a tall order to measure dedicated resources accurately, especially since employees like Sprint's may serve dual purposes. Many large networking companies claim to have hundreds of employees devoted to managed-services security, but that doesn't tell you how many of them have anything to do with e-commerce hosting activities. Uunet, for example, has 100 to 200 employees devoted to managed firewall and VPN (virtual private network) services, but only about 10 security personnel are dedicated to hosting. And though managed-security services, such as firewalls, can benefit hosting customers, it's rare for these services to be tightly integrated with hosting services at large network providers. Corporate inertia is simply too great.

So how does a company with a small security staff, like Digex, do so well? Credit the company's all-too-rare conscientiousness about security. It aggressively seeks out vulnerabilities by pursuing certifications like those offered via the ICSA (International Computer Security Association) and the accounting industry standard known as SAS70. It lets customers view administrative audit trails for their own machines and opens up its written security policies on a nondisclosure basis. Without this type of disclosure, it's very difficult to assess the security of a hosting provider.

Sprint takes a very different approach. It doesn't allow customers to conduct their own audits or evaluations or view Sprint's security policies. Sprint obviously decided to take this approach because the security for its own network is closely tied into its hosting security model. That's one measure of comfort, but alone, it wouldn't suffice. Sprint goes the extra mile, seeking security recertification from a Big Six accounting firm twice a year.

Both Digex and Sprint do a good job of managing security fixes, tracking a wide range of hacker, vendor and other lists to keep abreast of necessary security fixes. If a fix isn't immediately available, Digex says it will architect one. Sprint waits for alpha code from its vendors. Both companies promise that customers will be alerted up to a week in advance of any security fix or update in non-emergency situations, and both call for all fixes to be tested in advance of deployment.

Digex also deserves kudos for its new state-of-the-art East and West Coast data centers; each facility was designed with top-notch physical security in mind. We're talking palm scans and concrete bunkers here. While hackers grab the headlines, the reality is that servers are much more likely to be compromised by people with physical proximity. Digex's data centers are essentially buildings within buildings with five distinct security zones. Building and network maintenance occurs from utility rooms adjacent to server farms. Customers are restricted to specific access rooms requiring card and keypad entry.

All this isn't to say that Digex is absolutely impenetrable. But it joins Exodus, GTE Internetworking, Sprint and Uunet in telling us that managed-security customers haven't suffered any damages in the past year, something we report with a bit of a raised brow, given the pervasiveness of site cracking.