Finding The Hidden InfoSec Story

Automobiles & Hosting

Photo Credit: Hugo90 via Compfight cc

Shopping for a hosting provider can be just as painful as shopping for a car. There are so many things to consider, and there are a lot of things that will still remain your responsibility as a customer.

Some people spend a lot of time shopping for that perfect car. Aside from the obvious appeal of the interior and gadgets, they want it to be dependable, affordable, and secure. The same is true when looking for a hosting provider. There are a few things to think about before buying a new car:

  • What type of warranty does it provide?
  • What kind of experience can you expect when dealing with the dealership for repairs (covered by warranty or not)?
  • What is the maintenance schedule like to keep your car performing optimally?
  • Will it fit in your garage? What about most drive-thrus like the ones at the bank?
  • How much is insurance coverage?
  • How much do the major parts generally run for non-warranty repairs?
  • What type of safety features does it provide?
  • Does it come with a security system?
  • If equipped with fancy technology like GPS and sensors, how painless are the updates to these things? If any of them break, what is the impact to the car operationally?

When shopping for hosting, it’s not that different:

  • What is covered under the SLA (service-level agreement)?
  • How often is maintenance performed to keep the network, logical systems, and physical systems operating optimally?
  • What is provided with regard to security?
    • Network Security
    • Data Security (transmission and at rest)
    • Physical Security
    • Privacy
    • Disaster Recovery
    • Data Recovery (backups)
  • How are updates to the hosted systems handled?
    • OS updates
    • Third Party software updates
    • Driver updates (if dedicated instead of Virtual)
  • What kind of performance can you expect?
    • Storage
    • Network

In order to get a better idea of what you need from your car dealership, it is good to assess the reasons you are looking to buy a new vehicle. For example, if you are a farmer and haul large cargo, a sports car would not be your ideal vehicle. You must also account for capacity and horsepower. Should you be looking for a luxury or sports vehicle, you’d possibly like to start with features and suspension quality, while those shopping for an economical choice will be more concerned with fuel efficiency and reliability. Once you’ve decided on the model of vehicle you’d like to purchase, you should begin assessing what you may be responsible for if something goes wrong.

In relation to hosting, you’d be assessing what features you absolutely need to keep your hosted application and services running according to your business needs. For example, hosting static sites differs from hosting dynamic content, and running an application that attracts 50 visitors per day differs from running one that attracts thousands of visitors per hour. Each scenario has different performance needs. The same goes for your security needs. If you have a requirement to be PCI compliant, or hold sensitive information that needs particular security controls instituted around it, you’ll need to know what information needs to be protected, and determine the risk associated with a breach that exposes that information, the risk associated with your application being offline due to denial-of-service attacks, and the risk involved if your systems get hijacked to serve malware, botnets, or other nefarious data, all of which can impair your reputation as a business.

Once you’ve done all the homework and you’ve picked out your car or provider, you’ll be faced with the hard part. What exactly are you responsible for in relation to the deal? What are the limits of the agreement with the dealership or hosting provider? What exactly is covered under warranty repair? What is covered under a hosting provider’s SLA for the various products and components of their service?

Let’s explore software updates as an example:

Dealership Vehicle Updates: The dealership will cover software updates for factory-installed devices such as GPS, vehicle sensor displays and data, and the security system. Anything you install after you’ve driven the car off the lot will not be covered by the warranty, and could possibly violate provisions of the warranty if rewiring or modification of standard equipment has taken place. If you upgrade your stereo system after driving the car off the lot, and it causes issues with your alarm system serious enough that it cannot arm itself, the problem will lie with you and not your dealership should the car get stolen or broken into. This is why your dealership may stress that you bring the car to them for repairs and modification.

Hosting Provider Updates: The hosting provider may or may not cover operating system updates (Windows, Linux, Solaris, etc.). If they do cover updates to the base OS, they may either elect to tell you when they perform the updates, or the systems may be configured to auto-update without any notification. Any software you install once they provision the system and hand it over to you may or may not be covered by the provider’s support agreement. Any changes you make to the system once you receive it can also impair your ability to claim any compensation as a result of an SLA not being met. If you install out-of-date and vulnerable software on systems that face the internet and end up getting breached, or your system becomes part of a botnet, that responsibility is yours to resolve with an update to the software. This is why security experts always advise keeping your software updated.

Leaving your applications unpatched, improperly installed, or unsecured is like taking your brand new car and leaving it unlocked with the keys in it for an attacker. Once your car is stolen or broken into, the toll it takes on you is emotional and costly. This is just as impactful for a business whose data has been stolen, or whose online reputation is questionable. I urge you to do the footwork required to ensure that you are getting what you pay for, that you have ascertained the threats and risks that could potentially hurt your business and your customers, and that you have taken steps to ensure that those gaps are closed to the best of your ability.

Author: Alicia Smith
