Wednesday, February 20, 2008

The truth about fortresses (ISO 27001 Paradigm)

How does a service provider who offers data hosting and datacentre services in the region ensure that his/her customer information is secure?

This was the principal question that drove me to converse with a good number of the biggest hosting companies in the Middle East region. I discussed at length with them security across the physical infrastructure, the logical security - of where datacentres are located and manned - and application security. (Read in detail on the defence layers implemented by regional service providers in the March issue of NME.)

It is a statement of fact that security measures undertaken by these hosting companies are often of the highest level. In most developed markets, they are trendsetters in implementing the latest security technologies and in following best-practice metrics. In most cases, this means the firm will need to be compliant with standards and hold a basic security certification, like ISO 27001, before it can expect to attract any customers. The certification is an indication to potential and existing customers, along with the rest of the market, that the firm has put in place stringent processes across the handling, storage and management of data to ensure that there are no holes through which information can leak. In other words, that the company takes its customer information seriously.

The Middle East data outsourcing market is nowhere close to these developed markets. However, I was (understandably) expecting a certain level of standards implementations among these service providers, considering that this is one of the rapidly growing market segments. To my absolute horror, I found this not to be the case.

Many service providers in the region remain uncertified in any security standard. Some of them implement ISO 27001 in pockets but none of them do it across the organisation; in fact, one particular company spokesperson was kind enough to inform me that the Middle East did not need this yet. The majority of them - hold your breaths now - do not have a disaster recovery site by default for customers. This is almost always set up based on the end-user's preferences and is always a site within the same country. And none of them realise that this is a recipe for disaster.

Source: By Sathya Ashok ( )
