The war of the worms and managed hosting services

The latter half of 2003 saw substantial damage caused to Internet systems by computer viruses and their demonic brothers, worms. Despite the fact that these nasty little creations - with comic book names such as "Blaster" and "Slammer" - have managed to shut down online applications, phone services and travel reservation systems, the worst is yet to come.

So if your business relies on a hosted application, how safe is that application system? Does your hosting provider understand the risk, and do they have systems and processes in place to counteract this problem? Ultimately, when the next flood arrives, as it undoubtedly will, is your application server defensible? Most IT risk management strategies gloss over the potentially devastating effect that worms and viruses impose on hosted systems by assuming, incorrectly, that a server(s) located behind a firewall is safe from malware attacks. It isn`t.

Firewall and intrusion detection systems offer little protection once a worm is on the attack. The most practical defence is to maintain a higher level of security for the hosted servers themselves and the (only) weapon of choice is a regime of strict operating system (OS) software management.

Greg Payne, GM of IS Hosting, is clear about this: "The regular, scheduled patching and updating of critical flaws in operating systems is the single most important factor in securing hosted servers from worm attacks and other exploits."

It is with this in mind that IS Hosting`s latest corporate offering, the Managed Hosting Service (MHS), has been developed. Derived from a standards-based best practice methodology, MHS includes a suite of professional server-management offerings: managed installation, OS hardening and a staging environment for pre-deployment and change control, advanced monitoring and backups.

Most importantly, MHS will manage updates to the Microsoft operating system, Internet server (IIS) and database (SQL). Patching is a time-consuming process and once applied, some patches affect the stability of critical hosts. But neglecting to patch these systems leaves them ripe for compromise. Payne adds: "We often find hosted servers that have not been patched for months. Some organisations develop strategies for applying updates, but scheduling and poor business processes undermine the task."

MHS also takes into consideration the "hardening" of the OS during installation, thus avoiding the pitfall of installing unnecessary software components which can contribute to system instability and reduced security. All updates and service packs are tested via a rigorous staging phase before they are applied to live systems.

Indicative of the effectiveness of MHS is that during the recent worm onslaught, not one of the systems benefiting from MHS was affected by the attacks. AngloGold, one of the first subscribers to use the service, is emphatic about the benefits. Says AngloGold`s IT Global Programme Manager, Karl Schoemaker: "By outsourcing this critical area of IT to IS Hosting, we are confident about the integrity and security of our servers and Web site. In addition, as patches, fixes, and updates are released by Microsoft, they are tested on IS`s staging servers before being applied to ours, thus reducing the risk of server crashes and possible introduction of weaknesses to server security."

Schoemaker concludes by saying that the MHS was a natural addition to the hosting service provided by IS: "AngloGold have been hosting their Web infrastructure with IS for a number of years. When the Managed Hosting Service was made available, it made sense to use it as the service was a completely logical extension of what we had in place."