By Sathya Ashok
Entries to the NME Innovation Awards 2008 clearly shows that many end-users in the region understand and deploy IT security better than service providers
How does a service provider who offers data hosting and datacentre services in the region ensure that his/her customer information is secure?
This was the principal question that drove me to converse with a good number of the biggest hosting companies in the Middle East region. I discussed in length with them security across the physical infrastructure, the logical security - of where datacentres are located and manned - and application security. (Read in detail on the defence layers implemented by regional service providers in the March issue of NME).
It is a statement of fact that security measures undertaken by these hosting companies are often of the highest level. In most developed markets, they are trend setters in implementing the latest of security technologies and also in following the metrics of best practices. In most cases, this would mean the firm will need to be compliant to standards and have basic security certification, like ISO 27001, before it can expect to attract any customers. The certification is an indication to potential and existing customers, along with the rest of the market that the firm has put in place stringent processes across the handling, storage and management of data to ensure that there are no holes through which information can leak. In other words, that the company takes its customer information seriously.
The Middle East data outsourcing market is nowhere close to these developed markets. However, I was (understandably) expecting a certain level of standards implementations among these service providers, considering that this is one of the rapidly growing market segments. To my absolute horror, I found this not to be the case.
Many service providers in the region remain uncertified in any security standard. Some of them implement ISO 27001 in pockets but none of them do it across the organisation; in fact, one particular company spokesperson was kind enough to inform me that the Middle East did not need this yet. The majority of them - hold your breaths now - do not have a disaster recovery site by default for customers. This is almost always set up based on the end-user's preferences and is always a site within the same country. And none of them realise that this is a recipe for disaster.
Many IT managers in the region still fear the thought of allowing their data to reside in third party systems and considering what I have found so far, I would say that fear is completely warranted. While they do implement the latest in security standards, the ignorance or indifference of regional service providers to processes and best practices endanger their customer's data. With minimal vendor choices available in the market, the situation is not likely to change in the near future.
However, all is not bleak. Many IT managers and organisations continue to make wise choices in service providers by asking the right questions and by working with them to make sure that the firm's information remains at the safest levels possible. Many of these customers also drive the service provider to put in place certification and standards driven information protection pockets in their hosting infrastructure.
Security implementation and usage entries to the NME Innovation Awards 2008 clearly indicates that end-users are ahead of the game in understanding and getting more out of their defence layers. (Nomination deadline for the awards has been extended and you can still log in your entries to the awards by getting to www.itp.net/events/nmeawards08).
While the general level of security maturity among service providers in the region might be found lacking, end-users hold the ultimate power to make service providers work for them in the way that they should and protect precious data to the best of their availability.
As end-users up the ante with security - and this can be seen not just from the entries to the NME Innovation Awards but also other market deployments - they can force service providers in the region to fall in line and start putting in place considered measures to protect their customer's information.
One does hope that this turn of events happens sooner than later.
If you believe you have a trend-setting security story that you want to tell - or even one across infrastructure and networking - log onto www.itp.net/events/nmeawards08 and let us hear about it. Have some doubts on the awards, need some clarifications or just want to broach an idea for consideration? Write to me at firstname.lastname@example.org.