Are your customers covered?

No one likes being called names, especially ones such as alarmist, zealot or tyrant. But security mavens overhear these aliases daily as they patrol the network - at least in those companies that have information technology staff overseeing security, a number that is decreasing at a record rate.

In fact, most companies are moving away from deepening their IT staffs. Whether it is due to decreasing numbers of qualified IT personnel or reduced budgetary resources, companies of all sizes are looking to service providers to manage - and protect - the valuable data stored on e-mail servers, Web servers and other application servers.

Carriers have been tripping over themselves to be first to market with their own brand of hosted application services. At May's Networld + Interop in Las Vegas, Qwest Communications, U S West, Sprint and Frontier Corp. announced new software partners and hosting services designed for companies choosing the application outsourcing route. An additional 25 companies formed an advocacy group to educate and expand application hosting services. Since then, more carriers have joined the fray and have added their twist to application hosting.

One of the biggest hurdles these companies face is convincing potential customers that their systems are secure. Carriers that offer co-location services, host front-end databases that are integrated with customer premises equipment or provide managed services often have to prepare credible song-and-dance routines that qualify the measures they take to protect customer data.

Early education

A second hurdle service providers face is customer education. All the security experts among the carriers say that educating the customer about potential threats is the most important service they can provide because no network is bulletproof. More often than not, customers give lip service to security rather than the respect it deserves.

"Ultimately, security begins at home. Most customers know this, but they don't necessarily do it. It's like backups - everyone knows they should back up their hard drive, but they never do it until after they've lost valuable work," says David Schairer, vice president and chief systems architect at Concentric Networks. "The weakest link is the customer - you really have to protect the customer from themselves."

Enterprise customers are well aware of their security requirements, but the growing small to medium-size business market relies heavily on service providers to create effective security measures and to educate them on possible threats.

"There hasn't been enough time taken to educate customers on how to protect themselves," says Marketta Silvera, CEO at Pilot Network Services. "Almost 50% to 60% of electronic crime comes from internal folks. It is irresponsible for companies to not establish security policies and educate themselves."

While service providers can't be held accountable for the carelessness of their customers' employees, indoctrinating customers about potential security threats should be the standard.

"Service providers can't take responsibility for their customers' security policies. Customers must have their own security policy, and they must educate the employees about not sharing passwords, security door cards or other confidential information," says Greg Tennant, senior director of product management and product development at Convergent.

"You can identify these variables and educate the customers, but there are so many variables that are out of our control. We can only provide the tools - the customer has to take responsibility for its own security policies," he adds.

Carriers that offer managed services often include security assessments of the customer premises equipment. AT&T has a security consulting center that will work with companies anywhere from two weeks to one year to set up their security policies. "We help the customers create a detailed checklist, which could be a 30-page to 40-page document," says Ed Amoroso, chief technical officer of the Information Security Center and technical manager of the Internet Security Group at AT&T. "We also take them through a structured exercise to help them understand what assets they want to protect."

In addition to creating security policies, educating customers includes exposing them to the possible threats that come from within the company (see sidebar on page 30) and from predators roaming outside the company. These policies include revealing the different network layers of security to clients - from both a physical and an engineering standpoint.

Physical obstacles

Standard fortification among carriers at co-location and hosting facilities includes 24-hour guards, electronic card verification and locked cages. Many companies within the booming Silicon Valley and Eastern beltway have upgraded their existing facilities or built new ones with increased security features such as bulletproof glass, motion sensors, retina or palm scanners and private vaults.

Concentric has typical co-location facilities with a 24-hour guard, fire- and earthquake-protected buildings and an unlimited power supply. Customers can choose locked cages for their co-located equipment or enclosed cabinets with protected wiring. For extra security, the owners of the cages are not identified on the equipment unless they request it.

Exodus Communications now offers Exodus Vault, a private server hosting space that includes high impact resistant walls and windows, fire protection and electronic emission shielding. Access to the 10 to 20 vaults, housed within Exodus' data centers, is controlled with biometric scanners, motion and temperature sensors and surveillance cameras that can record and report authorized access and break-in attempts.

Netcentives and NextCard Visa are two e-commerce companies taking advantage of Exodus' added security measures. Both companies were interested in Exodus' ability to provide physical protection and secure on-line transactions for their e-commerce business plans. Netcentives is a developer of on-line rewards, which is an incentive and loyalty marketing program, and NextCard Visa provides application processing and on-line account management.

Frontier GlobalCenter finished construction on its new data center in Sunnyvale, Calif., early this year. The facility was fitted with ramming boards that will stop a Mack truck traveling at 35 mph from knocking down the walls. To enter the area, authorized personnel are required to enter a personal identification number and present a hand print to the biometric scanner. The center also includes multiple mantraps that keep unauthorized personnel from moving freely throughout the building.

The physical measures used to keep prying hands and eyes away from equipment are one aspect of the security story. How the systems are engineered to protect the data is another weighty factor.

Invisible armor

Carriers are adding another layer of security to calm customer fears of outsourcing: engineering high-tech armor within their network and within the applications. Once a service provider has assessed a customer's specific needs, it works with the customer to decide the level of security necessary for the data.

As more sensitive data is stored on the Web or transported over the Internet, security requirements increase exponentially. Carriers are confronted with - and solving - a host of security issues that they previously had limited exposure to. Extranets and virtual private networks (VPNs) within communities, such as the legal, medical, financial and government sectors, reveal new security obstacles daily.

"Each time we touch a new vertical industry, there are a new set of issues to deal with," says John Herbers, senior vice president of Internet services group at Convergent. "Some issues are common across all the groups, but in each case there are unique situations that require unique solutions."

Y2K concerns have Convergent thinking about new security problems, but not the typical system disintegration scenarios. One of its clients sells state lotto tickets over the Web, and on Jan. 1, 2000, the jackpot is expected to be much higher than the usual weekly giveaway. Convergent is already discussing and implementing ways to protect lotto hopefuls' information and the client's sensitive data.

For now, most hosted services are e-mail or Web server applications. Because e-mail requires minimum security and the majority of Web servers are not e-commerce enabled, most small and medium-size businesses don't need elaborate network security solutions. But as more mission-critical applications are outsourced and more businesses move to the Web, customers will expect increased security measures.

In general, carriers catering to these customers try to limit their security responsibility for applications on co-located equipment. In shared and dedicated server environments, they limit the customers' access as much as possible.

"We contain customers to their own segments; their traffic cannot go outside their machine," says Concentric's Schairer. "We encourage customers to be proactive about leaving no open entries, putting [Internet Protocol] filtering on all access mechanisms and providing lists of security patches. If someone is bringing in their own servers and putting them into a cage, we can't ensure that their boxes are secure from an operating perspective."

PSINet takes many of the same safety measures. In shared environments, each customer area is carved out and protected to keep intrusions to a minimum. "The PSI intranet is secure and encrypted. There's little, if any, risk of messages being tapped into," says Mike Binko, manager of corporate marketing for PSINet. "Our service has a higher security level than the typical [VPN]."

Firewalls and RADIUS servers are among the first layers of security that carriers will add to their customers' line of defense. These tools, from vendors such as Ascend, Checkpoint, Sun Microsystems and WatchGuard, authenticate and filter who can come in and into what segment of the network. Many software developers have added Secure Sockets Layer (SSL) support to e-commerce applications to secure the transfer of data and provide mutual authentication. As security demands increase, carriers can look to digital certificates, digital signatures and secure tokens to ensure that the transmitted data is secure.

As more applications move to the Web, carriers may look for security partners such as Argus, which offers a trusted operating system, a much more secure setup than a standard operating system. Trusted operating systems originated in the government and are crossing over into many e-commerce environments. If someone does move past a firewall and into the system, Argus keeps the culprit from going any further.

"It hardens the network operations center and partitions the hard drive into multiple components. If someone gets into one segment, they can't get into another," says Convergent's Herbers.

"As these business models mature and as data managers begin to examine the business environments, they will realize that they must have trusted operating systems to host these applications," says Randy Sandone, president and CEO at Argus. "The very last line of defense is the operating system. It doesn't matter if a firewall is in front of it - if the operating system is a standard commercial one, the system will inevitably fail."

Higher learning

Carriers are trying on the application service provider (ASP) label to see if it's a good fit. The outsourcing application model, like the new ASP acronym, is struggling to carve its niche within the market and among prospective customers. Although a number of carriers expect high returns from this market, it's too early to label it as a sure thing. IT staffs at large enterprises are just beginning to give credence to the argument for outsourcing applications, and small and medium-size businesses are only starting to explore their development options.

In the meantime, new data centers on the East and West coasts are springing up and have acres of space available. A number of these hosting providers have more expansion plans underway. These include adding centers in second- and third-tier markets such as Denver, Raleigh, N.C., Minneapolis and Austin, Texas.

Blueprints for these new facilities include physical security fortifications on par with or more extensive than those recently constructed. Now the questions will become: Will carriers find customers to fill the space? And what security measures will these customers demand? While the current list of hosted applications does not demand high-level security, future rosters - those that include accounting, human resources, e-commerce and other business-critical transactions - will certainly raise security to maximum priority.

Until recently, the government has instigated the development of security protocols and software. Now, the private sector, driven mainly by the financial, medical and legal communities, is demanding heightened security measures. Equipment vendors expect that the government may mandate compliance with these standards and they are now including these standards within their products. A few of the most well known standards and applications follow.

Federal agencies and other groups outside the government use the Data Encryption Standard (DES) to protect sensitive information. First issued in 1997, the standard is reviewed every five years. The DES algorithm is old news among code breakers, and the government and private sector are now using Triple DES, which is currently the highest security algorithm available.

Developed at MIT, Kerberos is designed to perform distributed authentication in an open network environment - many of the hosted e-mail servers in service provider networks tout that they are Kerberos protected. Kerberos is a mechanism used to authenticate a user or network service identity. Applications using Kerberos reduce the risk of password theft because they do not require passwords to authenticate users. Requirements include a trusted network entity that acts as an authentication server for clients and servers requesting authentication information. Authentication occurs as special messages are passed among client applications, server applications and the Kerberos authentication server.

The Internet Protocol Security (IPSec) standard is used in instances where only authorized users should be allowed access to network resources. Currently, IPSec is receiving lots of attention within the virtual private network sector. IPSec specifies ways for securing private information transmitted over public networks. Services supported include confidentiality, authenticity, integrity and replay protection. It also specifies methodologies for key management.

© 2012 Penton Media Inc.
