Archive for the ‘Microsoft Dynamics CRM’ Category

How can I ensure my data is secure in the cloud?

August 13th, 2010 chentsch

NetStandard was recently asked “How can I ensure that my data is secure in the cloud?”  John Leek, NetStandard Director of Operations, answered that question.

NetStandard employs CISSP security professionals and CISA auditors who have all evaluated controls in the hosted application environment to ensure controls are in place.  We continue to evaluate and look for ways to improve the controls in place and know that we have taken reasonable steps to address the security of both hosted apps as well as the virtual environment.  I may “over answer” your question, but I have been wanting to publish a BLOG or white paper on this anyway, so thanks for the prodding ;-) I think we can definitely do a better job of describing our security to partners.  Here are some key controls in place today:

  1. Weekly vulnerability scans – vulnerability scans identify risks that include open ports, missing patches and the like.  We evaluate these weekly to ensure vulnerabilities aren’t missed.  We use a Gartner magic quadrant tool called “NexPose Rapid”.
  2. Regular patching schedule – NetStandard uses regularly scheduled change requests and a commercial patching tool to ensure appropriate patches, MS roll-ups and firmware are applied to all infrastructure, applications and services managed by NetStandard.  These controls are audited annually in our SAS70 audit.
  3. Web Application Firewall – in the last year, we have implemented one of the leading web application firewalls (in a high availability pair) called the Citrix NetScaler.  NetScaler protects web applications from the growing number of application-layer attacks and prevents the loss of valuable corporate and customer data. In addition to proven attack defenses, NetScaler Application Firewall aids in compliance with information security regulations, such as PCI-DSS.  Find out more information at http://tinyurl.com/392yumn
  4. Network – Virtual LANs are used to isolate traffic that is unique to each customer’s VMs from other customers and the hosted environment.  Network firewalls add the ability to add granular controls that limit what IP addresses can access certain servers in the network.  NetStandard has built a secure infrastructure featuring “zones of trust” that limit access to certain servers and data to only those on the internal hosted application network.
  5. Anti-spam, anti-malware and anti-virus – NetStandard uses leading commercial products from Trend Micro and Barracuda that are designed to limit the risk of viruses and malware.
  6. The attached whitepaper on VMware’s ESX security highlights the approach used by VMware to architect security into their systems.
  7. Each of the applications hosted by NetStandard has a unique security architecture.  For instance, e-mail uses a secure protocol: RPC (not secure) over HTTPS (SSL secure) from the client to the server.  GP users utilize Citrix which uses the ICA protocol.  ICA traffic is efficient and the data is encrypted. CRM and SharePoint web interface users utilize HTTPS (HTTP over SSL) to secure traffic.
  8. Microsoft Active Directory is used to uniquely isolate one company from another company’s information.  A user id must be added to each separate OU for someone to gain access.
  9. User IDs are unique from individual user to individual user.  Initial passwords are set and sent separately (usually via phone call) from the user ID.  Individual company users usually have an initial password that is the same.  Each customer is encouraged to have each user use the web portal to change their password.  It is suggested that they use the one they use internally on their network to avoid confusion.  NetStandard realizes that each company has a unique password and expiration policy.
  10. The Cloud ID/Password conundrum.  We have been working diligently to address the ability to synchronize passwords and group policy with individual customer domains.  We have solutions identified and are testing them in-house before rolling them out.  The products vary in their level of functionality and maturity and most require some additional money per user AND modifications to their AD controller.  

Why Do Companies Choose Hosted Applications?

August 13th, 2010 chentsch

John Leek, NetStandard’s Director of Operations, was recently asked why companies are choosing hosted applications.

Overview

Most small businesses (under 100 users) should not attempt to operate IT if they are not an IT-centric business.  It’s not their competency and most of the time they spend significantly more money per employee than the cost of hosted solutions.  In fact, on a pure business case basis there is no payback for doing solutions in-house vs. hosted/cloud based.

The key benefits of this approach are:

  1. Agility – add services or people rapidly with just a phone call or e-mail OR use our online portal.
  2. It’s our Business – NetStandard must deliver applications reliably and securely.  Our annual SAS70 audit guarantees that we do what we say we do.  See our SLAs that provide credits if we fail to deliver.  We are celebrating 3 years of 100% application availability.
  3. References – Call our references, they will talk about reliability, responsiveness and performance.
  4. Breadth of Offerings – NetStandard offers 30 different integrated applications.  Integrated solutions maximize productivity.  Key applications provide e-mail, calendaring, scheduling, information management, process workflow, CRM, call management, dispatch, warehouse management, document imaging, executive information portal, general ledger, accounts receivable, accounts payable, BlackBerry, e-mail archival, e-mail encryption, conference bridge, video conferencing, desktop sharing, instant messenger, secure access, 3rd party application hosting, retail management system and more.  We can consult with any business and assist them in how to leverage hosted applications to optimize their business.  We can establish a roadmap to address how these applications might be added as their company grows and scales.

 These are my observations after meeting with customers in the Kansas City area.

  1. Most companies don’t see investing in core hardware and software as strategic or valuable to their business.  Many see it as a necessary evil.  Some actually leverage IT assets for extended periods of time (>4 years) in the hopes of lowering TCO and avoiding capital expenditures.
  2. Most companies do not possess a core competency in IT (or accounting for that matter).  What they have is a core competency in their business.
  3. Most companies cannot afford the diversity of talents to deliver solutions safely, reliably and cost effectively.  They go months or years without protecting their resources by applying server and network patches.  Many have significant vulnerabilities and viruses and take risks with their environment, like not performing adequate back-ups.  Software patches and updates are a nuisance.  Many feel that they are held hostage by Microsoft and other vendors because of the need to pay to keep their environment modernized.
  4. Many CFOs complain that in-house IT staff are always asking for more servers and software.  With myappsanywhere, the company can greatly reduce their IT costs.
  5. With myappsanywhere, clients gain the ability to scale back costs in down economic times.  They cannot do that with solutions they purchase.  NOTE:  while they really don’t like to scale up, it can be argued that they should consider these costs as part of an employee’s “load”.  It’s predictable and provides an easy path to stay on current technology.

To effectively utilize cloud-based services, like myappsanywhere, customers must have adequate bandwidth to provide a satisfactory user experience.  The happiest clients seem to have at least 100kbps of bandwidth per user.  So a T1 could support 15 users.