A host of trouble

Many a service provider in the region is still lacking in basic security standards certification and sometimes do not even offer disaster recovery provisions, making data outsourcing still a prospect for most IT managers to fear.
By Sathya Mithra Ashok
Mon 03 Mar 2008 04:00 AM


Outsourcing is one of the fastest growing markets in the Middle East. While the market is nowhere close to the level of maturity displayed by Western countries, an increasing number of enterprises are opting to have service providers host all or part of their information outside the firm's premises.

"A large number of enterprises from governments, banks, financial institutions, airlines, electronics and manufacturing industry are already hosting their applications in an external datacentre provided by a service provider," says Sachin Bhardwaj, marketing manager from e-Hosting Datafort (EHDF).

However, this trend is still hampered by the majority of IT managers in the region, who fear for the safety of data that resides on third party servers, and sometimes rightly so.

To counter this notion, the larger service providers in the region have put in place multiple levels of physical and logical security to protect customer data. Nevertheless, ensuring effective security of information might lie as much with the enterprise in question, as with the outsourcing provider, in ensuring that proper policies and procedures are adhered to.

The onion peel perspective

"There are three types of security infrastructure that are required. One is physical security - so you don't have untested equipment in datacentres. Second is logical security - which means that it is isolated from the rest of the apps, and third is security from the perspective of applications," says Amir Rashid, director of product marketing at Etisalat.

Etisalat prides itself on offering seven layers of physical security at its datacentres. The minimum, layer four, includes physical guards and smart cards, but the firm also offers more highly secured infrastructure options.

"At the highest layers we have biometric based retinal scanners. We even have options where two people would need to take the biometric scan simultaneously within a specified period of time. Additionally, if a customer is hosting and managing equipment himself, he can choose to have his own security requirements in place," he adds.

Etisalat, which currently operates four datacentres in the UAE and will open two more in Dubai in one month, ensures logical security by keeping each customer's equipment and network separate from the other. Injazat, another well-established service provider based in Abu Dhabi, has also established a stringent security setup for its customers.
"The safety of the hosting facilities is ensured by the definition and implementation of physical security, governed and enforced in line with a physical security policy. The 'Onion Peeling Principle' is one method that has been used in the security design of hosting facilities. This Principle splits the business into several layers. The aim at each layer is to delay and put off the criminal and to protect or remove any possible targets.

This physical security specification addresses layers one through four," says Eddie Cunningham, sales and marketing director from Injazat.

According to him, the six layers of the principle include the environment, the perimeter, the shell (including walls, windows, doors etc.), the interior, people and procedure within the hosting facilities.

"The unauthorised physical access to these facilities is prevented through an access control system, linked to an approvals process. Environmental controls for fire protection, air-conditioning, cable management and redundant electrical power sources are installed to protect computer equipment against environmental threats.

"At the outset, the identification of the location, size, type, environment, security and operational needs are taken into consideration before a facility is established. At this time, external influences are considered and the risk involved is evaluated. These will include flood, damage, impact, crime, penetration risks," adds Injazat's Cunningham.

Most providers design customer premises only after taking into account the exact requirements of the firm in question. They claim that customer requirements are met precisely - nothing undersecured or overpriced.

"We are very strict about ensuring data security and have strictly enforced a datacentre security policy, information handling policy and acceptable use policy for customers. In addition we have an in-house security team who conduct regular training for customers and employees in order to familiarise them with the policy document. We are completely prepared to provide the highest levels of security to our customers.

Our team works very closely with customers in order to define their security requirements and propose solutions that address their requirements in great detail," says EHDF's Bhardwaj.

Apart from covering most aspects of physical and logical security, most providers also carry out regular vulnerability assessments of the infrastructure and the defence layers, scoped to the customer's service requirements.

The core of the problem

While most large service providers in the region put extra investment and effort into ensuring the highest levels of physical and logical security, they often lag behind in terms of policy enforcement and standards certification. This does not mean that they lack internal policies, but that these tend to be implemented and managed with a lax attitude and are not often backed by third party certifications.

"Our datacentres are Suntone certified which provides an in depth view of processes. Datacentres are quite process driven; processes are a very critical factor. Datacentres are less about technology and more about processes. As for information security certification ISO 27001, we have some operations certified. You could do a very very minor scope and say this is ISO 27001 certified and publicise it.

But in terms of having everything certified end-to-end I don't think there is anybody in the region who has done it. There are only a few scopes here and there which are certified and we have a similar situation," says Rashid from Etisalat.

If that was not scary enough, many service providers in the region still operate without a basic business continuity and disaster recovery site. Some of them do provide mirroring and data replication but only based on the customer's demands and how much the enterprise is willing to pay.

However bad the picture, customers still have the power to research thoroughly and choose wisely, depending on their specific requirements and security concerns.

"We always suggest that clients either outsource to reliable and well respected vendors that have achieved ISO 27001 certification. Also it is a good business practice to separate IT outsourcing from security outsourcing to avoid putting all your eggs in one basket. This way you can perform audits against the IT outsource service provider and can rely on the third party external audits like ISO 27001 against the security outsourcing," states Samer Omar, GM for I(TS)2 (IT Security Training and Solutions).

Omar also states that ISO 27001 should be considered as a minimum requirement by clients, while accepting that very few service providers have that minimum standard in place. Saudi Arabia based I(TS)2 operates four different security business lines and offers managed security services under the brand name of Raqeeb. Raqeeb has global partners backing it up, including the likes of VeriSign and Cisco.

The firm prides itself on having achieved both ISO 27001 certification and tier 4 security requirements from VeriSign.

Khaled Chatila, senior systems engineer at Symantec Middle East, points out, "The lack of legal enforcement in the region means that consumers don't really have much of a choice. If certain things become mandatory by law, more service providers will put policies into place. As of now, there are not many service providers in the region and security remains to be improved a lot."

Nevertheless, he states that customers can check on a service provider's capabilities by looking beyond standards or the lack of them.

"There are a lot of questions that customers can ask to assess the host and get a clear idea of the services offered. Even if they are not certified, many service providers will be following processes that are akin to certification and this can be checked by the customer to ensure that it is suitable to the information being stored," points out Khaled.

Safe and sound?

While more enterprises are considering outsourcing, the truth of the Middle East market is that they have few good choices in service providers and almost no assurance of policy enforcement if the providers are neither certified to a standard nor provide effective disaster recovery solutions.

Further, this is another indication that it will take some time before the market achieves maturity, or even comes close to that of its Western peers. Nevertheless, customers can still make wise decisions armed with the right tools and backed by a good understanding of what they want to outsource and why.

Before you outsource

NME gives you all the steps that you should take before outsourcing any of your data to a service provider.

1. References - it is crucial for potential customers to analyse the existing customers that a company claims. A check with these customers on service offerings can be beneficial.

2. Richness of offerings - it is essential to be sure that the service provider offers a wide range of hosting options and that these fit your organisational requirements.

3. Due diligence and visit to hosting facility - whatever references you might get and however good they might be, a visit to the hosting facilities is crucial. A pilot, if possible, is always preferable.

4. Levels of physical and logical security - always check on the different layers of security that are available within the facility.

5. Third party certification - look for third party standards certification. You can be certain that a firm which is willing to invest in these is pretty serious about its business and is there to stay.

6. Business continuity and disaster recovery - if the firm does not offer a default DR option, insist on your information being mirrored periodically in one of its other datacentres.

7. Processes and policies - if the firm lacks standards certification, check for process and policy implementation across the organisation. This should include the emergency escalation procedure and knowledge transfer, among others.

8. SLAs - have strong service level agreements written up for your relationship with providers. This is doubly important when you have multiple partnerships for different data sets.

9. Partners - check on the kind of partners the firm has in the region. This can be indicative of the global nature of the business and the kind of efficiency they bring to their business.
