Suppose your business hosts its corporate website with a hosting company. The vetting process for that decision can be quite intense, depending on the size of your company, and these days it rightly concentrates on security as well as on the service itself. However, security for your application doesn't stop at the hosting company; it extends much further than that, to your DNS provider, your SSL certificate authority, and so on.
At work, we are seeing more and more requests for information (RFIs) for the tenders we are involved in. These processes are harder and more involved than they were a few years ago, when things were a bit more relaxed; the sections on security, from both a data storage and an infrastructure point of view, are becoming more detailed in their requirements but also more generic. This is made all the more difficult at the RFI stage because nine times out of ten you won't yet know what the potential client wants, and the right security answer varies with the requirements. For example, security from the point of view of a colocation contract is vastly different from that of a managed hosting contract. They share similarities, but the core service is very different, which means our answers have to be generic rather than tailored to the solution required.
This process, however, seems to stop at the hosting company, even when the hosting company isn't providing the whole solution. As I mentioned above, how much consideration is given to who the SSL certificate authority is and how secure their systems are (see the 'MD5 considered harmful today' attack, which used MD5 collisions to obtain a rogue CA certificate), who provides recursive DNS for the client's internal systems and whether they have patched for last year's DNS source-port vulnerability (a resolver that sends every query from the same port makes cache poisoning far easier), all the way through to major vulnerabilities in the operating systems typically running within organisations (the RPC vulnerability, for example, or even the latest iWork '09 OS X vulnerability)? Client-side systems are usually covered by corporate security policies (you do have one of those, don't you?), but zero-day exploits are harder to defend against, though not impossible. Just imagine if someone could hijack your domain name traffic and then spoof the SSL certificate used by your 10,000-transaction-a-day ecommerce site. The short- and long-term effects of something like that could finish a business before the credit card chargebacks have even hit shoppers' bank accounts.
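Two of the supplier checks mentioned above can be scripted rather than taken on trust. What follows is an added example, not code from the original post: a minimal DER walk that reports which hash a certificate's signature uses (flagging MD5 and SHA-1), and a heuristic over captured resolver traffic that tells you whether a recursive DNS server is randomising its query source ports. The certificate bytes, the small OID table and the log lines are constructed for illustration; to use the checks for real, feed `signature_hash` a DER certificate (for example the output of `openssl x509 -outform DER`) and `port_randomisation_ok` the source ports pulled from a real packet capture.

```python
"""Two offline checks for the third-party weaknesses discussed above.

Added example, not the original post's code. The certificate bytes and the
DNS query log below are constructed inline so the script runs offline.
"""

# --- Check 1: which hash does a certificate's signature use? ---------------

# Dotted OIDs for common signatureAlgorithm values (RFC 3279 / 4055 / 5758).
# Only a handful are listed; anything else is reported as "unknown".
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
}
WEAK_HASHES = {"md5", "sha1"}


def _read_tlv(buf, pos):
    """Decode one DER TLV header at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def _decode_oid(raw):
    """Turn the content bytes of a DER OBJECT IDENTIFIER into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:                      # base-128, high bit set on continuation bytes
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_hash(cert_der):
    """Return (algorithm name, hash name, is_weak) for a DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    We skip tbsCertificate and read the OID inside the outer signatureAlgorithm.
    """
    tag, start, _ = _read_tlv(cert_der, 0)
    assert tag == 0x30, "not a SEQUENCE"
    _, _, tbs_end = _read_tlv(cert_der, start)                 # tbsCertificate
    tag, alg_start, _ = _read_tlv(cert_der, tbs_end)           # AlgorithmIdentifier
    assert tag == 0x30, "signatureAlgorithm is not a SEQUENCE"
    tag, oid_start, oid_end = _read_tlv(cert_der, alg_start)   # OBJECT IDENTIFIER
    assert tag == 0x06, "expected an OID"
    oid = _decode_oid(cert_der[oid_start:oid_end])
    name, hash_name = SIG_ALGS.get(oid, (oid, "unknown"))
    return name, hash_name, hash_name in WEAK_HASHES


def _tlv(tag, content):
    """Encode a short-form DER TLV (content under 128 bytes) for the samples."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def _fake_cert(sig_oid_der):
    """Constructed, syntactically minimal Certificate: a stub tbsCertificate,
    the given signatureAlgorithm OID and a dummy signature. Not a real cert."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, sig_oid_der) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00\xff")
    return _tlv(0x30, tbs + alg + sig)


MD5_RSA_OID = bytes.fromhex("2a864886f70d010104")     # 1.2.840.113549.1.1.4
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11

# --- Check 2: does a recursive resolver randomise its UDP source port? -----

# Constructed lines in the shape "<client>:<src port> -> <upstream>:53".
# A resolver that reuses one port for every query looks like FIXED_PORT_LOG.
FIXED_PORT_LOG = ["10.0.0.53:32768 -> 192.0.2.1:53"] * 20
RANDOM_PORT_LOG = [
    "10.0.0.53:%d -> 192.0.2.1:53" % p
    for p in (51022, 3391, 60817, 21044, 47195, 8823, 55731, 19307, 62210, 41165,
              29943, 7710, 58032, 36428, 14855, 49620, 25276, 63094, 1537, 44801)
]


def source_ports(log_lines):
    """Pull the query source port out of each captured line."""
    return [int(line.split(" -> ")[0].rsplit(":", 1)[1]) for line in log_lines]


def port_randomisation_ok(log_lines, min_distinct_ratio=0.8):
    """Heuristic: a patched resolver uses a fresh random port per query, so the
    number of distinct ports should be close to the number of queries and the
    ports should not simply increment. Returns False on too little data."""
    ports = source_ports(log_lines)
    if len(ports) < 2:
        return False
    distinct_ratio = len(set(ports)) / len(ports)
    sequential = all(b - a == 1 for a, b in zip(ports, ports[1:]))
    return distinct_ratio >= min_distinct_ratio and not sequential


if __name__ == "__main__":
    print("MD5 cert:", signature_hash(_fake_cert(MD5_RSA_OID)))
    print("SHA-256 cert:", signature_hash(_fake_cert(SHA256_RSA_OID)))
    print("fixed-port resolver ok?", port_randomisation_ok(FIXED_PORT_LOG))
    print("random-port resolver ok?", port_randomisation_ok(RANDOM_PORT_LOG))
```

The certificate check reads only the outer signatureAlgorithm, which is the one the issuing CA actually used; a chain is only as strong as its weakest signature, so run it over every certificate in the chain, not just the leaf. The port heuristic needs a reasonable number of queries to be meaningful, and it is a rough indicator only: a resolver sitting behind NAT can have its randomised ports rewritten to a fixed one, which this check would correctly flag as a problem even though the resolver itself is patched.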
Because companies seem to stop at the stage of choosing a hosting company, the solution as a whole remains vulnerable to security holes at other suppliers or in other areas of the business. It wouldn't matter how secure the hosting solution is if someone can redirect traffic to a fake website elsewhere. So the best answer to this question is that companies need to go as far as possible to guarantee the security of their solution: extend the RFI out to more suppliers to ensure that all aspects are covered, or choose a one-stop shop for the entire solution.