A Take on Security in An Insecure World
The recent news stories of rising unemployment rates hit my family very hard a few weeks ago when PricewaterhouseCoopers laid me off. The Fed may be insisting that we arent in a recession, but that is little solace when you have just moved to a new state, have few friends or local contacts, and suddenly find yourself unemployed and looking at just a few short weeks before all your savings are gone.
While I wouldnt recommend involuntary unemployment to anyone, the experience has given me an opportunity to interview with a wide range of companies and to learn about a number of new businesses. I have been fascinated by the discussions I have had with several telecommunications companies that are trying to break into the managed service/co-location business. These companies are each investing billions of dollars to gain an entry into this market. They are building data centers housing thousands of high-performance servers.
Their business models assume that these telecom companies can get a large number of businesses to put the bulk of their Internet and IT operations under their control. Im not so sure thats an accurate assumption.
But what about the central issue of trust? Can you trust these services to protect your critical business data in the same way you would? Lets use firewalls as an example. In your business, the firewall is custom-configured, designed to implement your unique security policies. But how can managed services effectively provide firewall services for your data? They have a thousand firewalls to manage. The security tools dont exist that would allow a small staff to maintain and monitor such a large range of configurations, audit logs and alarm states.
There are only two possible solutions. Either the range of possible configurations must be drastically reduced, forcing customers to lose flexibility, or (as is most often the case) the security of these installations is not well-maintained. The second scenario is the most frightening, since it gives the illusion of security without actually achieving it.
Some of these businesses try to address the trust issue by obtaining a third-party accreditation, such as an SAS-70. You should take these with a large grain of salt, since certified public accountants, who have no understanding of security issues, perform these accreditations.
The best advice I can give is to not enter into an agreement where you give up control of your systems. You should retain the ability to monitor and configure your systems to meet your needs.