Sidebar Two


Outsourcing

While this article has discussed resistance to hostile attack, in its broadest sense, security encompasses everything that is done to ensure that computerized data is usable when it's needed. In addition to cracking attempts, Web servers are also subject to power failures, Internet connectivity problems, and system crashes. Even if you have the wherewithal to properly maintain your Web host, you might not be able to afford redundant network connections and an emergency generator with several days of fuel. No matter what your budget, a Web-hosting firm can usually provide a more reliable level of service than you can provide yourself.

The best ISPs offer a higher level of protection than is practical for virtually any organization to provide for itself. The worst ISPs will put your critical Web pages on a casually administered server shared by several hundred other customers--some of whose pages might attract undesirable attention. To some extent, you get what you pay for. While a $25-per-month Web service might very well offer you a more secure host than you can provide yourself, evaluating its offerings will be difficult.

To appraise a hosting service's security posture, ask for details on the qualifications of its security administrators. Find out how many years of experience they have administering that specific operating system. Find out what their security policy is and if they will let you review it. Ask them specifically how they isolate security between clients, what they do to monitor for attacks, and whether the service is staffed around the clock. If one person is managing Web service, the operating-system platform, the routers, and security, that individual is spread too thin and doesn't have the time necessary to become a security expert (or an expert on anything else). Ideally, try to visit the hosting site and meet with the security administrators.

Most inexpensive hosting services use UNIX, especially BSDI, because it supports multihosting--the ability for a single server to support several hundred different domain names and IP addresses. This is very cost effective, and performance is acceptable, even on Intel platforms, for sites that don't attract huge amounts of traffic. ISPs usually also use UNIX for their busiest sites. Most of the prominent Web sites are running on huge rack-mounted Suns, which are scalable and robust. Certainly ISPs and Web services attract people who tend to be UNIX-oriented, but NT is becoming more visible. Customer-oriented hosting services realize that many companies do not have their own UNIX shops and prefer NT, so they support both platforms.

Don't expect your ISP's Web farm to be protected behind a firewall--the overhead and inconvenience are too great to make it practical. If the servers are properly maintained and monitored, a firewall would add very little additional protection. --JH