Archive for the ‘Technology News’ Category

How can I ensure my data is secure in the cloud?

August 13th, 2010 chentsch

NetStandard was recently asked, “How can I ensure that my data is secure in the cloud?” John Leek, NetStandard Director of Operations, answered that question.

NetStandard employs CISSP security professionals and CISA auditors that all have evaluated controls in the hosted application environment to ensure controls are in place.  We continue to evaluate and look for ways to improve the controls in place and know that we have taken reasonable steps to address the security of both hosted apps as well as the virtual environment.  I may “over answer” your question, but I have been wanting to publish a BLOG or white paper on this anyway so thanks for the prodding;-) I think we can definitely do a better job of describing our security to partners.  Here are some key controls in place today:

  1. Weekly vulnerability scans – vulnerability scans identify risks that include open ports, missing patches and the like.  We evaluate these weekly to ensure vulnerabilities aren’t missed.  We use a Gartner magic quadrant tool called “NexPose Rapid”.
  2. Regular patching schedule – NetStandard uses regular scheduled change requests and a commercial patching tool to ensure appropriate patches, MS roll-ups and firmware are applied to all infrastructure, applications and services managed by NetStandard.  These controls are audited annually in our SAS70 audit.
  3. Web Application Firewall – in the last year, we have implemented one of the leading web application firewalls (in a high availability pair) called the Citrix NetScaler.  NetScaler protects web applications from the growing number of application-layer attacks and prevents the loss of valuable corporate and customer data. In addition to proven attack defenses, NetScaler Application Firewall aids in compliance with information security regulations, such as PCI-DSS.  Find out more information at http://tinyurl.com/392yumn
  4. Network – Virtual LANs are used to isolate traffic that is unique to each customer’s VMs from other customers and the hosted environment.  Network firewalls add the ability to add granular controls that limit what IP addresses can access certain servers in the network.  NetStandard has built a secure infrastructure featuring “zones of trust” that limit access to certain servers and data to only those on the internal hosted application network.
  5. Anti-spam, anti-malware and anti-virus – NetStandard uses leading commercial products from Trend Micro and Barracuda that are designed to limit the risk of viruses and malware.
  6. The attached whitepaper on VMWare’s ESX security highlights the approach used by VMWare to architect security into their systems.
  7. Each of the applications hosted by NetStandard has a unique security architecture.  For instance, e-mail uses a secure protocol: RPC (not secure) over HTTPS (SSL secure) from the client to the server.  GP users utilize Citrix which uses the ICA protocol.  ICA traffic is efficient and the data is encrypted. CRM and SharePoint web interface users utilize HTTPS (http over SSL) to secure traffic.
  8. Microsoft Active Directory is used to uniquely isolate one company from another company’s information.  A user id must be added to each separate OU for someone to gain access.
  9. User IDs are unique from individual user to individual user.  Initial passwords are set and sent separately (usually via phone call) from the user ID.  Individual company users usually have an initial password that is the same.  Each customer is encouraged to have each user use the web portal to change their password.  It is suggested that they use the one they use internally on their network to avoid confusion.  NetStandard realizes that each company has a unique password and expiration policy.
  10. The Cloud ID/Password conundrum.  We have been working diligently to address the ability to synchronize passwords and group policy with individual customer domains.  We have solutions identified and are testing them in-house before rolling them out.  The products vary in their level of functionality and maturity and most require some additional money per user AND modifications to their AD controller.

Cloud Computing Checklist: Examine Technology and Services

January 13th, 2010 dantorchia

The term “cloud computing” is great as a metaphor, but doesn’t quite explain what happens in real life.

That’s not to say that cloud computing doesn’t hold great promise, particularly for small and medium businesses. With cloud computing, these organizations can substantially reduce their IT investment while increasing their capabilities and security. By engaging the services of a third-party technology provider, businesses can get access to technology and systems that they might not ordinarily have.

But cloud computing doesn’t just involve technology. Services are equally important and are key to a successful cloud implementation.

NetStandard, a technology services provider in Kansas City, Mo., serves small and medium businesses. Over the years, NetStandard developed a checklist of expectations. For businesses considering a cloud computing arrangement the checklist includes these topics:

  • Staff – does the provider have a dedicated technology manager assigned to the business? Does the supporting team include networking, software and security specialists? What sort of certifications does the staff have? What planning can the staff provide to make sure your system requirements will be met in the future?
  • Data Center – The data center’s hardware and systems should be redundant so there is no downtime when a failure occurs. An N+1 redundancy designation means that each component has at least one independent backup component.
  • Certifications – Partnerships and certifications with technology partners indicate that the provider meets or exceeds the required standards.
  • SAS 70 – SAS 70 is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) regarding the internal controls of service organizations, including data centers. Increasingly, data centers have conducted SAS 70 audits and obtained SAS 70 certification so they can prove to their clients in regulated industries that they are compliant. However, you should discuss the audit to see that the provider understands the process. Like any audit, an SAS 70 audit is designed to uncover weaknesses so the organization can improve, not get a certification for marketing purposes.
  • Consulting – does the provider offer any consulting services to help a business prepare for the transition to cloud computing? For example, NetStandard assists businesses in creating a business case and will analyze a business’s server capacity to estimate the amount of virtual servers needed and the estimated cost savings.
