Printer Friendly Version

Security Issues Related to Third-Party Hosting

When intranets are housed internally, content will only be exposed to, and handled by, employees of the company. Content can, of course, be secured further depending on departmental or workgroup membership. But regardless of who has access to the information internally, content circulates within, and never leaves, that protective bubble we call the company LAN. You won't be able to access the intranet unless you're a valid member of the primary corporate LAN. And all of this is encapsulated within this protective bubble, away from the Internet and prying eyes.

Now this doesn't mean that a valid user won't print out a secure document and take it home, but this is another issue that's already been discussed in:

• Managing the Keys to Your Intranet
• The Spy Who Flubbed Me: Intranet Security Begins With Education

When you decide to host your intranet externally through a third-party hosting provider, however, you must expose your content and system to the hosting provider and potentially everyone who works there. This is not so much an issue of technology because any professional and experienced hosting provider used to dealing with corporate clients will have the necessary security mechanisms in place — firewall, data encryption, user authentication — and have run through all the security benchmarks to ensure that content is safe. This is more an issue of who's handling your content.

Whenever you place security of your intranet and content in someone else's hands you run the risk that they won't treat it with proper discretion. You can have them sign all the non-disclosure and confidentiality agreements you want, but nothing prevents an employee at the hosting provider who's unfamiliar with your content from accidentally putting sensitive information that should only be accessed by a few privileged users on an FTP server that allows anonymous log-ons. If this same thing were to happen on an internally hosted intranet, it would only be exposed to those within the company, not the entire Internet, since your system is sitting behind a firewall in a private network inaccessible by the outside world.

It's not that a third-party hosting provider intentionally means to do something malicious, but it's always safer to have those who know the content best handle this content. Sure, you can sit through meetings with the hosting provider and discuss what should be secure and what shouldn't, where everything should be stored, and how users can gain access to it, but you need to place a lot of trust in them to ensure that something doesn't slip through the cracks. And if it does, it won't only be exposed to those in the company, it will potentially be exposed to the entire Internet. Your only recourse at that point would be litigation, but that's a reactionary measure; your information has already been compromised and the damage already done.

Another security issue that needs to be addressed is how valid intranet users will gain access to the system — in terms of content owners maintaining the system and users viewing the information. If the entire intranet is housed at a hosting service provider, it must be protected by more than a simple user name and password; it must have a more elaborate security mechanism since externally hosted intranets are exposed to the Internet. Anyone can try their hand at cracking it. Developing an intranet with sensitive information and then hosting it externally, outside the protection of your corporate LAN, is exactly like buying a safe to keep all your valuables and then leaving the safe on the front lawn rather than inside your locked and secured house.

Total Cost of Ownership

While in-house intranets may require more initial time, effort, and money — especially if you don't already have an intranet infrastructure in place — the total cost of ownership may end up being much higher when hosted externally.

Setting up an internal intranet infrastructure needs to be done only once. After it's been established, all subsequent intranet projects can simply make use of it at minimal costs. On the other hand, the costs of third-party hosting are perpetual, lasting for as long as you decide to host externally. These costs will accumulate in the long run and can include:

• The costs for initial set-up
• The raw real estate (i.e., the disk space required for your intranet and content)
• The costs for technical support
• Additional costs that may be associated with exceeding upload/download quotas

Hosting in-house also pays for itself. Money is spent to pay for something that you will eventually own. The hardware and software you acquire for in-house hosting can always be shared among multiple systems, therefore splitting up the costs among several departments or groups. If your intranet ever outgrows your current equipment, they can always be "trickled down" and re-used for other purposes such as setting up a development and testing environment. However, the money spent for hosting externally is for a service; you're paying rent for something you will never recoup.

The Questions You Need to Ask

Finding the right intranet hosting service provider requires a lot of homework; you don't want to be constantly moving because you find out after signing a contract agreement that they don't offer you the service and support you were expecting. So before you commit to placing your intranet and internal content in someone else's hands, you need to ask:

• What types of system integrity measures — backups, data and server redundancy, disaster recovery procedures, data restore procedures — do they have in place?

• What security measures do they have in place to protect content from external users, and what type of measures are in place to protect the content from unauthorized internal access?

• What is the availability and average response time of their technical support staff? Is it 24/7 or only during business hours? This is even more important if your hosting provider happens to be in a different time zone. Intranets requiring a high level of availability can't withstand long periods of downtime while you try to chase down their technical support staff.

• How much access will your content owners have to the site in order to maintain and update their content?

• How are support fees worked into the total cost of hosting? Are they based on a flat fee or on a per-incident basis?

• What is their experience and how long have they been in the industry?

• Who are their other clients? Hosting providers with many high-profile clients are usually more reliable that those with only a handful of small operations.

Final Thoughts

With so much Web freeware available for download on the Internet or software that's bundled into other packages it may seem like hosting internally is a pretty simple affair. But hosting an intranet requires more than just a place to put your system; it requires an infrastructure — technology-wise and personnel-wise.

While hosting internally still provides intranet owners with the most freedom, control, and flexibility, if you're not set up to house one yourself, external third-party hosting may be your best option since it provides you with a ready-made home with an established security and network infrastructure. However, you need to realize that you're living under someone else's roof and subjected to their rules so you may find yourself taking cold showers for a while, waiting around for the hot water to be restored.