At work, we are seeing more and more requests for information (RFI) in regards to tenders we are involved in. These processes are getting harder and more involved than years ago where the process was a bit more ‘laxed’, the sections on security from both a data storage and infrastructure point of view are becoming more and more detailed on the requirements but also more generic.  This is made all the more difficult at the RFI stage as 9 times out 10 you won’t know yet, what the potential client wants and security varies depending on requirements. For example, security from the point of view of a Colocation contract is vastley different than a Managed Hosting contract. They share similarities but the main service is very different meaning that our answers have to be more generic rather than tailored to the solution required.

This process however, seems to stop at the hosting company, even when they aren’t used for the whole solution. As I mentioned above, how much consideration is given to things like who the SSL signing authority is and how secure are there systems (MD5 considered harmful today), who is providing recursive DNS for the clients internal systems and have they patched for last years Source port vulnerability) all the way through to major vulnerabilities on operating systems typically found running within organisations (RPC Vulnerability for example or even the latest iWork 09 OSX vulnerability). The client side systems are usually covered with corporate security policies (you do have one of those don’t you?) but things like Zero Day exploits are a bit more difficult to defend against but not totally impossible. I mean just imagine if someone could hijack your domain name traffic and then spoof the SSL certificate used for your 10,000 transaction a day ecommerce site. The short and long term effects of something like that on a business could see the end of it before the charge backs on credit cards have hit shoppers bank accounts.

Based on the fact that companies seem to just stop at the stage of choosing a hosting company means that the solution as a whole is vulnerable to security holes from other suppliers or areas of the business. It wouldn’t matter how secure the hosting solution is if someone can redirect traffic to a fake website elsewhere. So the best answer to this question is, companies need to go as far as possible to gaurantee security for there solution. Extend the RFI out to more suppliers to ensure that all aspects are covered – or choose a one stop shop for the entire solution.

Some companies are now making a big deal out of advertising that they don’t send your calls to anywhere other than say, your local branch like the Natwest do. Having today had to deal with, only briefly mind, but that was long enough, a company who have outsourced their support centre to India, it left me thinking that I could never even remotely consider outsourcing the support team I have to India. After the two calls I made with little joy in getting the information I needed, I didn’t know what else to do! The first phone call that I had the luck of having to make ended with me thinking that you wouldn’t want that type of company managing or having anything to do with your company. I called an 0871 number to speak to someone in support to try and get a number redirect working, when I was told that they couldn’t assist because basically they didn’t understand what it was I was referring to, they asked me to redial and press the same option I had for the current call!!!

I stated that surely that would just get me back through to them again and was told, “maybe”?!?! Unbelievable – but I tried anyway
So what happened, well I’m sure you can guess, I called, pressed 1 for support and got a lovely person on the end of the phone – from the same call centre. So went through the same thing as before to see if I got anyone else with at least some clue. Of course that didn’t work and I should have hung up a long time ago, or not even bothered to actually call them back in the first place.

To top all of this off as well, not only could I not speak to someone who understood our account and knew what I wanted or could point me in the right direction but the website for the company had zero contact details that were of any use or actually allowed me to speak to someone in the UK. Not what I would call customers service at all!