Wednesday, August 02, 2006

Managed Hosting Companies - Internal Employee Access Policies

The saga continues... in search of a new managed hosting company.

It seems that most companies do not have well-documented processes for how and when employees can access managed systems and how this access is audited. I find this scary. I am working with some mid-range hosting companies that support multimillion-dollar businesses. I know because I found out about one of these companies through one of my $150 million per year clients.

One company was able to have a tech respond to me and outline the process. The company I was at previously could not articulate their processes and apparently did not have them written down anywhere - or did not want to provide me these documents in writing - because they constantly wanted to call me. The third company I am speaking to tells me that they have very stringent processes but no customer-facing documents to explain these processes.

Since system administration is one of the very weakest points in the whole process - typically errors and hacks are caused by humans, and most easily by someone who already has open access to the machine - this is a huge problem! Yes, so someone can't get into the building because you have biometric controls and chain-link fence lockers and separately locked cabinets. So what if your administrator is the one causing the problem!

This was highlighted by an instance at Internap that took down their whole Fisher Plaza facility one fine Friday evening - when I just happened to have a potential customer looking at my web site and freaking out, thinking I am some fly-by-night operation. Someone who already had access to the building went and flipped off the power switch somehow, and for whatever reason in such a way that the generators didn't kick in. It seems they pushed that big red button, way up in the air, that says "do not push" all over it, and Internap reported to me that it was "an accident"?? Hmm.

Internap is a good company, but things happen. In "Who Says Elephants Can't Dance," Lou Gerstner says, "People do what you INSPECT, not what you EXPECT." I wholeheartedly believe this after being ripped off by some of my own employees. Hosting companies want me to "just trust them," but that is foolish. You need to have good auditing in place in your hosting environment for true security - both internally and externally.