Connect with the web hosting industry at www.thewhir.com

WEB HOST INDUSTRY REVIEW
October 2010, Volume 7, No. 2
www.thewhir.com

CLOUD OPPORTUNITIES
The pundits have promised a big demand for cloud services in the SMB market. We look at where some of those opportunities lie for the smaller hosts that lack the means to develop clouds internally. (Page 26)

A COMPLIANCE PRIMER
It is worth a hosting provider's time to understand some of the requirements for compliance, and how they might impact its customers. (Page 34)

Tier1 Summit focuses on cloud (page 12)
Inside the Host Europe deal (page 18)
Marketing in the cloud era (page 46)
Q&A with GoGrid (page 20)
Meet the money (page 24)
FEATURE

A COMPLIANCE PRIMER

It is certainly worth a hosting provider's time to understand some of the potential requirements for compliance, and how they might impact its customers. Industry standards can be a good way to evaluate your own supplier of facilities and services.

By Dennis McCafferty

Web Host Industry Review, October 2010 (pages 34 to 36)

With an endless amount of information being stored in data centers – everything from social security numbers to credit card data to medical testing records and sensitive corporate financial figures – hosts are now under more scrutiny than ever to ensure that they're properly protecting the data. In the US, this means complying with an ever-evolving series of regulatory standards. Rigorous as these standards are, experts say, a hosting company will only reap the results of an increased capacity for customer growth if it maintains a proven track record of meeting them.

In the end, the data being protected is irrelevant, says David Froud, director of delivery for Europe, Middle East and Africa for Trustwave, a Chicago-based information security and compliance solutions provider. What matters is the hosting organization's strategy for protecting it.

"It's just data," he says. "What makes the difference is the environment in which it's housed. That environment either adheres to best business-practice frameworks – such as Control Objectives for Information and related Technology or those set by the International Standards Organization for example – or it doesn't. If it does, it will mostly support compliance for all standards. Ultimately, it's the data owners who are fully responsible for this. But this means they'll look for a hosting provider who meets these standards. Meeting them provides a distinct, and almost quantifiable, advantage for the host."

Compliance is more of an up-front objective for data center operators than perhaps it is for the smaller host that might be a customer of those facilities. Some standards apply strictly to the physical facilities. But some run over into the smaller service provider in significant ways. In any case, it is definitely worth it for a host to know what the potential requirements for compliance are, and how they might impact its customers. Understanding compliance standards can be a good way to evaluate a supplier of data center facilities.

Of course, this is not an exhaustive look at any one of these standards (which would take more room than we have), nor is it a complete list of every standard affecting the hosting business. But the information is out there (check the web links). Here's a look at some of the big ones that will help you put the entire compliance landscape in perspective.

SAS 70

Web link: American Institute of CPAs, www.aicpa.org

SAS 70 – or Statement on Auditing Standards No. 70 – compliance is intended for hosting operations that seek to provide basic facility services. It allows data center operators to work with auditors representing the Auditing Standards Board of the American Institute of Certified Public Accountants to choose a set of physical and environmental controls that will apply to the facility. This includes controls over the information technology within.

"Most of our customers – or potential customers – come to us because we can deliver our services out of SAS 70-compliant data centers," says Allen Allison, chief security officer at NaviSite, a managed hosting and cloud services provider. "It is often a base expectation of our customers."

But there have been published reports that SAS 70 will be retired at the end of the year and replaced by new auditing standards on internal controls. The reports indicate that the new standards will require auditors to provide greater definition of what will be tested during the engagement, as opposed to only at the end of the process.

Regardless of shifts in these standards, hosting providers will do well to focus on the standards their customers require, says Urvish Vashi, vice president of marketing for Alert Logic, a managed solutions company specializing in security and compliance. "Data-privacy compliance is a common thread across the most pressing drivers we encounter among customers in the hosting industry," he says.

SAS 70 focuses on descriptions and effectiveness of controls. If a hosting operation concentrates only on these qualities, it may be missing the boat on the greater opportunity provided by setting the bar higher, says Froud. "Top-to-bottom best business practices across the enterprise would cover all regimes, regardless of data type," he says. "The issue is that if the business only certifies the infrastructure that deals with data of a certain type, they have limited their ability to be compliant with all regimes. Good security can prevent an incident from becoming a disaster, which leads to substantial financial liabilities, loss of client base, loss of brand reputation and trust."

PCI DATA SECURITY STANDARD

Web link: PCI Security Standards Council, www.pcisecuritystandards.org

Payment Card Industry compliance – a standard developed by credit card companies – takes the process a few steps further than SAS 70. It's for a fully managed hosting provider that seeks to serve as a one-stop shop to customers. If a client has an online shopping cart with a merchant account, it needs to be PCI compliant. And it needs to ensure that its service providers are also PCI compliant, says William Bell, director of information systems for Phoenix NAP, a colocation provider based in Phoenix.

That means the web hosting provider. The process can be costly, especially if you adhere to all the controls required by the PCI DSS and your client list exceeds $300,000 in total transactions under management. This qualifies you as a "Level 1" service provider under the PCI Standards Council, which can result in an on-site audit that will cost the hosting operation anywhere from $20,000 to more than $50,000 a year. Phoenix NAP is PCI compliant, and has to provide controls such as 90-day video retention of cardholder environments, visitor logs and equipment resiliency to remain in good standing.

"The hardest part of PCI is continuous compliance," Bell says. "Each year's audit and subsequent certification is just a 'snapshot in time' audit. If at any time one of your clients was to suffer a compromise, you, as the fully managed web host, are going to experience a very high level of scrutiny by the client, merchant bank and card consortium. If it is determined that you, as web host, are at fault, your compliance is immediately invalidated and you are required to undertake a remediation Level 1 onsite audit."

The high level of scrutiny can lead to some discord within the IT services community, as there's a perception that PCI DSS standards require service providers to "cover some angles and exposures that may not pose a grave threat, at the expense of other avenues that do," Bell says. "Each subsequent revision of the compliance standard strives to be more flexible without significant compromise of the intended baseline."

Overall, however, the lofty requirements of PCI DSS 2.0 – soon to go into effect – will enable hosts to better help customers, says Vashi. For example, they'll now be required to properly scope out their customers' environments instead of allowing customers to merely list the IP addresses of their public servers. The standards will address the need for centralized logging and monitoring of security and access data, he says, and take a risk-based approach to prioritizing the remediation of vulnerabilities.

"A hosting provider needs to understand and stay current on these changes in order to be able to answer the increasingly common question, 'Is your hosting service PCI compliant?'" says Vashi. "By complying with PCI DSS, any organization is fundamentally validating that there is an information-security program in place and it takes data privacy seriously. In addition to the technical requirements such as enabling encryption, deploying firewalls, storing and monitoring logs and performing vulnerability scans, PCI DSS compliance requires a security program that goes beyond technology and addresses both people and processes."

Any hosting operation that's embracing ISO and COBIT frameworks should already be compliant with PCI DSS, says Froud. But if the business is entirely function-driven and security is an afterthought, the challenge is much greater.

"And staying compliant is impossible unless the culture changes along with the new processes," he says. "The biggest issue that hosting providers face is that security expertise is still relatively hard to come by, and expensive to maintain in-house. For this reason, security is rarely built into any business or service line from the beginning, where it both makes the most sense, and is much cheaper."

HIPAA

Web link: Department of Health and Human Services, www.hhs.gov/ocr/privacy/

The Health Insurance Portability and Accountability Act has, since 1996, presented federal standards for the storage of electronic health care information for providers, health insurance plans and employers, addressing the issues of security and privacy related to health data. As a result, hosting companies providing storage of protected health information must comply with strict privacy and security rules. In addition, the new Health Information Technology for Economic and Clinical Health Act requires that companies comply with the technical security and encryption measures recommended by the National Institute of Standards and Technology.

"The HIPAA security rule requires a multifaceted approach to data security," says attorney Robert J. Scott, who serves on the board of the MSPAlliance, an international association of 10,000 managed service providers and web hosts. "Not only are there technical safeguard requirements, but also requirements for administrative safeguards, physical safeguards and organizational requirements."

The administrative safeguards require security management with ongoing evaluation; information-access management; and workforce training, all with periodic assessments. The physical safeguards include both limiting physical access to facilities and heightened workstation and device security. The technical safeguards require access, audit and integrity controls and transmission security. The organizational requirements result in the need for hosts to adopt acceptable procedures and policies and maintain six years' worth of documentation that these practices were adhered to.

"The rule also requires regular and ongoing analysis of the efficacy of implemented security procedures," says Scott, who is managing partner of Scott & Scott LLP, a Dallas, Texas-based law firm specializing in legal issues impacting technology and the media. "At this point, a hosting service provider may say to themselves, 'That seems like a lot of work – we'll just stay away from the health-related industries.'"

The problem with this kind of thinking is that, overall, scrutiny of companies that store private information about citizens is only on the increase. The state of Massachusetts, for example, recently launched a strict privacy law that may set a standard other states will also implement. This means all hosting operations – regardless of their involvement with servicing health industry-related customers – may be subject to HIPAA-level standards. The Massachusetts rule requires the same sort of technical, administrative and physical safeguards, Scott says. All of this is driven by the fact that data privacy remains big news, and should remain so for the indefinite future.

"If a company can market itself as compliant with the leading data security standards, it should have a significant advantage over other data-hosting companies that cannot make such a claim," Scott says. "We've seen advantages in the closing of large hosting and cloud-service deals when the service provider can confidently enter into an agreement where they're happy to take the appropriate amount of risk related to data breaches. This is because they are fully compliant with the applicable privacy and security standards. Right now, compliance can be a differentiator. In the near future, it will be a requirement of doing business. We say start now."

OTHER FEDERAL STANDARDS

Other federal compliance standards include the Federal Information Security Management Act (FISMA) and the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP). DIACAP is a Department of Defense compliance standard that seeks information assurance throughout a system's life cycle. FISMA is one of the most rigorous sets of standards for hosting companies working with federal customers. Enacted in 2002, it mandates that all federal agencies must develop, document and implement an agency-wide security program to protect information and information systems that support the operations and assets of the agency. Security controls are organized into 18 families, each with its own standards, says Mark McCurley, who oversees the information assurance practice at Carpathia Hosting, a managed hosting company specializing in compliant hosting solutions for large enterprises and federal agencies.

Certification is accomplished through the independent validation and certification of the implemented security controls that support an information system and organization. Each compliance standard provides guidelines and validation procedures that the independent IT security auditor will use to certify that the required security controls have been implemented, McCurley says. Certification of physical controls such as access-control devices – card keys and biometrics – used to control unauthorized access into restricted or sensitive areas must be independently validated to ensure the devices work properly. Adequate audit logs are created in the event there is a breach of security that requires non-repudiation and investigation.

"To achieve an accreditation, each hosting provider must undergo a certification process that independently validates that all of the mandated security controls required to support the information system have been successfully implemented," says McCurley. "Compliant hosting is a specialized niche business that requires significant investment in infrastructure and subject matter expertise to achieve compliance. Most commercial hosting companies have not made the full investment in infrastructure, people and processes required to comply with rigorous compliance standards such as FISMA or DIACAP. Federal and DoD IT security and compliance professionals have few options to choose from when seeking to outsource their sensitive information systems to a commercial hosting company."

WAIT, THERE'S MORE

Other standards impacting how "green" a hosting operation is – and the privacy level of data overseen for trans-Atlantic enterprises – are also making a significant impact within the hosting industry. Here are three more certifications of note:

ENERGY STAR: The US Environmental Protection Agency announced earlier this year that data centers can now become Energy Star certified. To qualify, a data center must command a level of energy efficiency that's within the top 25 percent of its industry. Similarly, the Energy Star for enterprise servers standard includes benchmarks for power-supply performance, function in a virtualized environment and server efficiency. The EPA estimates that the use of energy by data centers could reach $7.4 billion in annual electricity costs by next year – a rate that would nearly double the consumption levels of the mid-decade point. In July, NetAPP announced that its Research Triangle Park facility in North Carolina became the first data center to earn the Energy Star. NetAPP's data-center design has reduced CO2 emissions by an estimated 95,000 tons per year.

LEED: The Leadership in Energy and Environmental Design certification is provided by the US Green Building Council, a Washington-based non-profit organization that qualifies and promotes "green" buildings (including, but not limited to, data centers). To qualify for LEED certification, a data center must meet standards impacting the use of energy, materials, water and other resources. It must also ensure a minimal level of indoor environmental quality. There are three levels of LEED certification: silver, gold and platinum. Data centers that qualify for these certification levels may qualify for various federal, state and local tax-incentive programs.

SAFE HARBOR: This requires hosts doing business in Europe to meet minimal standards for privacy protection. It stems from the European Commission's Directive on Data Protection, which was established in 1998. Since then, the US Department of Commerce has worked with the EU to come up with acceptable standards. As a result, there are seven principles that build the foundation for Safe Harbor, including the need for data subjects to be given notice when data is being collected; that they have the choice to opt out of the collection; that reasonable efforts must be made to prevent loss of collected information; and that individuals must be able to access information held about them, and correct or delete it if it's inaccurate.