I recently had a conversation with the CISO of a small company that has a relatively large target on its back. This company hosts Web portals for its clients to accept electronic payments. For example, when you go to an online retailer's checkout process and get passed to a secure site, it's possible that this company is hosting that payment site. You can see how this kind of activity would make this company attractive to hackers looking for credit card information.
Quite naturally, the CISO is concerned about website vulnerabilities. He says his staff used to try to provide all levels of IT security in-house, but "basically the bad guys got too big and it got impossible for us to do." He acknowledged that they just can't do it all with the resources available to a small business. He told me, "When you see Bank of America struggling with their budget for security, there is just no way that we can do this anymore."
[ IN PICTURES: 7 faces of 'hacking' hysteria ]
The company has an HP Tipping Point IDS/IPS solution, a RioRey DDoS mitigation solution, and Barracuda Web application firewalls. But now instead of continuing to build up its infrastructure in-house, the company has taken up a new strategy. According to the CISO, "Rather than having anybody be able to find our data centers, we are completely reversing where we are hiding everything behind third parties that are much bigger and much more powerful and capable than we are."
For example, they use hosted DNS. "I don't think there is any way that anyone is going to take down our DNS because we have that out there with very powerful third parties," says the CISO. "DynDNS has an outbound SMTP product so we point our Exchange servers at them to do smart host transfer. That way when I send an email, it looks like it's coming from Dyn instead of our IP space. That makes it even harder to track back to us. If you pull our DNS records, you aren't going to see anything."
This CISO makes full use of the hosted services strategy. "We hide all of our inbound email behind Postini so if you try to look up our records to see where our mail servers are, you are going to hit Google. If you try to attack our website or a payment portal, you are going to hit Incapsula. You are going to have to take down their eight or so data centers with their multiple gigabytes of capacity to take us offline."
What a brilliant strategy for a small company -- or even a larger company that just doesn't want the hassles of continuously building up and maintaining a security infrastructure.
According to the CISO, "I've been following very closely a lot of the DDoS attacks and other recent attacks. The power is within the hands of the hackers and the people who can easily run a botnet and DDoS you, but once your website is behind CloudFlare, or Incapsula, or some other CDN, it can't be found."
There are other advantages to hiding behind big third-party providers, such as the redundancy afforded by the high-end infrastructure in their data centers. "If we have a carrier outage in one of our data centers, we are quadruple homed into our data centers so it makes it very easy for us to reroute around a carrier failure within seconds. If we had to failover DNS or something like that ourselves, there would be a five to 10 minute outage. Our third party host adds a lot of flexibility from an architecture standpoint. We can route just about anything, just about anywhere."
According to the CISO, the cost of hosting his infrastructure with third parties is another big benefit. "These hosting services are cheap relative to the value that they add," he says. His company is keeping the security infrastructure it already has, but it can avoid buying upgrades or replacements because Incapsula basically provides all the necessary security services. What's more, Incapsula caches so much of the company's content that the CISO says that Incapsula "probably pays for itself in bandwidth alone. They save us so much bandwidth that if we didn't have them we would be buying more bandwidth from our upstream carriers, and that isn't cheap."
Even as the DDoS attacks continue against U.S. financial institutions, the CISO is confident about his mitigation strategy. "For the payment sites, we just block off the whole world except for the United States," he says. "There is no reason we need anybody from outside the country to hit our sites. That takes about 75% of the threats and vulnerability scanning and SQL injections and all the other junk that comes with it -- it just bounces right off of them [the sites] and we don't even see it. Incapsula is just invaluable in reducing our attack surface."
These days it's possible to find every aspect of infrastructure as a hosted service. The ability to hide behind third party providers when hackers may be seeking you can bring real peace of mind.
Linda Musthaler is a principal analyst with Essential Solutions Corporation. You can write to her at LMusthaler@essential-iws.com.
About Essential Solutions Corp:
Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.