Greetings from Fort Knox

The range of possible physical protective devices clearly shows that outsourcing IT tasks to specialists gives customers added security. Which midsize company has eight different fire zones in its computer center, for example? Or infrared lights and closed-circuit cameras to monitor who gained entry to the building, and when? In computer centers run by outsourcing service providers, this type of technology is a matter of course.

No chance for intruders

This is also true of the magnetic contacts on the entrance doors, which immediately trigger an alarm if unauthorized persons gain entry to the building. Another protective device is wallpaper with inset alarm wires, which sound an alarm if a door is drilled through or forced open. The safety features also include electronic locks with six-figure codes, which allow the computer center operator to store and evaluate information on people’s access to the building.
An outsourcing service provider’s computer center is usually designed redundantly. All data is mirrored in a second computer center, so that it can be accessed immediately in the event of an incident. Connections to the power supply system and the telecommunication provider’s lines are usually available in duplicate. If a power cut does happen, batteries ensure operation for a few seconds until a generator takes over electricity supply. The rooms also have an extremely sensitive laser smoke alarm, as well as extinguishing systems, systems for temperature monitoring, and damp alarms.

Ongoing analysis of weak points

To protect the IT systems in the computer center, outsourcing providers usually develop a multi-level security concept. At network level, systems such as firewalls and intrusion detection systems protect the IT from attacks from outside. But on top of this, an ongoing analysis of weak points (vulnerability assessment) ensures that any security gaps are identified quickly and closed immediately. Among other things, newly implemented IT systems undergo this analysis before they go into production.
Virus or hacker attacks are often directed at security-related faults in the operating systems or applications. As a result, one of the most important tasks at this level is the immediate installation of patches. At organizational level, there must be clear rules and specifications relating to IT security. As a result, there are precise instructions on the measures that need to be initiated in the event of an incident. The computer center employees also frequently check the security settings – such as the user rights or the configuration of security solutions – as well as all the processes relating to access and access security. If acute security problems are identified, the service provider’s specialist team is on hand – around the clock if necessary.
A good provider creates a different security concept for each individual customer. Depending on requirements, one-level or multi-level firewall environments are possible for the IT systems, for example. In addition, the client can choose between shared services – where several customers share the same security components – and dedicated solutions, which are run on separate computers. At the highest security level, customers can even have their servers sealed in a cabinet.

Aware of the current dangers

The outsourcing service provider employs a team of security specialists who receive regular training. Employees are always aware of the latest information about viruses, malware, or hacker attacks, and pass this information on to the people or departments affected. In addition to the security information from individual manufacturers, the experts also make use of the relevant mailing lists and websites, such as the SANS Internet Storm Center, for example. They also approach various organizations, such as the Center for Internet Security (CIS), for recommendations on the security-optimized configuration of IT systems and applications.
It goes without saying that an outsourcing provider will carry out fully automatic backups every day to guarantee the security and availability of data and applications. Special software that stores the data on storage media in encrypted form provides the necessary protection. With regard to availability, the service provider concludes individual agreements with its customers, based on specific requirements. The applications covered by the service level agreements (SLA) can be monitored with monitoring software either during the day or around the clock, depending on what is required. Further high-availability solutions, such as fail-over clusters, are also available. If a server in one of these device clusters fails, another one takes on its function.

Data transfer on the safe side

The best precautions in the computer center aren’t worth a thing if the data can be accessed by unauthorized persons during transfer to the provider. Here, too, the outsourcing provider will ideally offer a tailor-made solution. The options range from an encrypted virtual private network (VPN) based on internet access right through to a multiply redundant encrypted VPN via dedicated lines or a combination of both connections.
Sufficient security is also required for the migration of customer data. Here, either individual systems or complete production environments can be moved to the service provider’s computer center. Alternatively, a secure connection is set up via which the data is transferred.

Service providers under the microscope

Outsourcing customers also benefit from the fact that independent experts regularly check whether a provider is observing the security standards. These standards include the national certification in accordance with international standard BS 7799-2, which in 2006 will be replaced by the new ISO 27001 standard for an information security management system. This specification is the first to provide an international framework that defines processes and sets standards for IT security in enterprises and government bodies. International certification also creates the prerequisites for integrated management systems, because ISO 27001 is structured in the same way as standards ISO 9001 for quality management and ISO 14001 for environmental management.
As a rule, outsourcing providers have certification not only for IT security but also for industry-specific quality and security standards. These include VDA 6.2 and ISO/TS 16949 for the automotive industry and GMP (Good Manufacturing Practices) for the pharmaceutical, food, and animal feed industry.
Regardless of whether an outsourcing customer requires basic protection or the highest degree of security, it will benefit from the high security standards imposed by the certification bodies and by the processes that the provider must employ to gain the certificate. A further significant advantage is the service provider’s combined knowledge and experience. Last but not least, the technical resources and number of security specialists also mean that an enterprise that works with a well-equipped provider can rest assured that its outsourced operations are in safe hands.

Knut Krabbes