August 13th, 2010 chentsch

NetStandard was recently asked “How can I ensure that my data is secure in the cloud?”  John Leek, NetStandard Director of Operations answered that question.

NetStandard employs CISSP security professionals and CISA auditors that all have evaluated controls in the hosted application environment to ensure controls are in place.  We continue to evaluate and look for ways to improve the controls in place and know that we have taken reasonable steps to address the security of both hosted apps as well as the virtual environment.  I may “over answer” your question, but I have been wanting to publish a BLOG or white paper on this anyway so thanks for the prodding;-) I think we can definitely do a better job of describing our security to partners.  Here are some key controls in place today:

  1. Weekly vulnerability scans – vulnerability scans identify risks that include open ports, missing patches and the like.  We evaluate these weekly to ensure vulnerabilities aren’t missed.  We use a Gartner magic quadrant tool called “NexPose Rapid”.
  2. Regular patching schedule – NetStandard uses regular scheduled change requests and a commercial patching tool to ensure appropriate patches, MS roll-ups and firmware are applied to all infrastructure, applications and services managed by NetStandard.  These controls are audited annually in our SAS70 audit.
  3. Web Application Firewall – in the last year, we have implemented one of the leading web application firewalls (in a high availability pair) called the Citrix NetScaler.  NetScaler protects web applications from the growing number of application-layer attacks and prevents the loss of valuable corporate and customer data. In addition to proven attack defenses, NetScaler Application Firewall aids in compliance with information security regulations, such as PCI-DSS.  Find out more information at
  4. Network – Virtual LANs are used to isolate traffic that is unique to each customer’s VMs from other customers and the hosted environment.  Network firewalls add the ability to add granular controls that limit what IP addresses can access certain servers in the network.  NetStandard has built a secure infrastructure featuring “zones of trust” that limit access to certain servers and data to only those on the internal hosted application network.
  5. Anti-spam, anti-malware and anti-virus – NetStandard uses leading commercial products from Trend Micro and Barracuda that are designed to limit the risk of viruses and malware.
  6. The attached whitepaper on VMWare’s ESX security highlights the approach used by VMWare to architect security into their systems.
  7. Each of the applications hosted by NetStandard has a unique security architecture.  For instance, e-mail uses a secure protocol: RPC (not secure) over HTTPS (SSL secure) from the client to the server.  GP users utilize Citrix, which uses the ICA protocol.  ICA traffic is efficient and the data is encrypted.  CRM and SharePoint web interface users utilize HTTPS (HTTP over SSL) to secure traffic.
  8. Microsoft Active Directory is used to uniquely isolate one company from another company’s information.  A user id must be added to each separate OU for someone to gain access.
  9. User IDs are unique from individual user to individual user.  Initial passwords are set and sent separately (usually via phone call) from the user ID.  Individual company users usually have an initial password that is the same.  Each customer is encouraged to have each user use the web portal to change their password.  It is suggested that they use the one they use internally on their network to avoid confusion.  NetStandard realizes that each company has a unique password and expiration policy.
  10. The Cloud ID/Password conundrum.  We have been working diligently to address the ability to synchronize passwords and group policy with individual customer domains.  We have solutions identified and are testing them in-house before rolling them out.  The products vary in their level of functionality and maturity and most require some additional money per user AND modifications to their AD controller.