I recently had a conversation with the CISO of a small company that has a relatively large target on its back. This company hosts Web portals for its clients to accept electronic payments. For example, when you go to an online retailer's checkout process and get passed to a secure site, it's possible that this company is hosting that payment site. You can see how this kind of activity would make this company attractive to hackers looking for credit card information.
Quite naturally, the CISO is concerned about website vulnerabilities. He says his staff used to try to provide all levels of IT security in-house, but "basically the bad guys got too big and it got impossible for us to do." He acknowledged that they just can't do it all with the resources available to a small business. He told me, "When you see Bank of America struggling with their budget for security, there is just no way that we can do this anymore."
The company has an HP TippingPoint IDS/IPS solution, a RioRey DDoS mitigation solution, and Barracuda Web application firewalls. But now, instead of continuing to build up its infrastructure in-house, the company has taken up a new strategy. According to the CISO, "Rather than having anybody be able to find our data centers, we are completely reversing where we are hiding everything behind third parties that are much bigger and much more powerful and capable than we are."
For example, they use hosted DNS. "I don't think there is any way that anyone is going to take down our DNS because we have that out there with very powerful third parties," says the CISO. "DynDNS has an outbound SMTP product so we point our Exchange servers at them to do smart host transfer. That way when I send an email, it looks like it's coming from Dyn instead of our IP space. That makes it even harder to track back to us. If you pull our DNS records, you aren't going to see anything."
This CISO makes full use of the hosted services strategy. "We hide all of our inbound email behind Postini so if you try to look up our records to see where our mail servers are, you are going to hit Google. If you try to attack our website or a payment portal, you are going to hit Incapsula. You are going to have to take down their eight or so data centers with their multiple gigabytes of capacity to take us offline."
What a brilliant strategy for a small company -- or even a larger company that just doesn't want the hassles of continuously building up and maintaining a security infrastructure.
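The CISO's claim that "if you pull our DNS records, you aren't going to see anything" is something a security team can check against its own zone export. The script below is an added example, not anything the company in the article uses; the zone lines, the names and the 203.0.113.0/24 "own" range are constructed placeholders, and the zone format is simplified to `name type value`.

```python
import ipaddress

# Constructed sample data: documentation IP ranges and placeholder names.
OWN_NETS = [ipaddress.ip_network("203.0.113.0/24")]
ZONE = """\
example.com.        A    198.51.100.10
pay.example.com.    A    203.0.113.25
example.com.        MX   10 mx1.mailfilter.example.net.
example.com.        MX   20 exch01.example.com.
exch01.example.com. A    203.0.113.40
example.com.        TXT  "v=spf1 ip4:203.0.113.40 include:relay.example.net -all"
"""

def touches_own_space(text):
    """True if an address or CIDR string overlaps any network in OWN_NETS."""
    try:
        net = ipaddress.ip_network(text, strict=False)
    except ValueError:
        return False
    return any(net.overlaps(own) for own in OWN_NETS)

def parse_zone(text):
    """Split simplified 'name type value' lines into lowercase-name tuples."""
    rows = (line.split(None, 2) for line in text.splitlines())
    return [(r[0].lower(), r[1].upper(), r[2].strip()) for r in rows if len(r) == 3]

def find_exposures(records):
    """Return (name, type, reason) for each record that reveals our own IP space."""
    direct = {n for n, t, v in records if t in ("A", "AAAA") and touches_own_space(v)}
    findings = []
    for name, rtype, value in records:
        if rtype in ("A", "AAAA") and touches_own_space(value):
            findings.append((name, rtype, f"{value} is inside our IP space"))
        elif rtype == "MX" and value.split()[-1].lower() in direct:
            findings.append((name, rtype, f"{value.split()[-1]} is a self-hosted mail exchanger"))
        elif rtype == "TXT" and "v=spf1" in value.lower():
            for mech in value.strip('"').split():
                kind, _, arg = mech.lstrip("+-~?").partition(":")
                if kind.lower() in ("ip4", "ip6") and touches_own_space(arg):
                    findings.append((name, rtype, f"SPF lists {arg} from our IP space"))
    return findings

if __name__ == "__main__":
    for name, rtype, reason in find_exposures(parse_zone(ZONE)):
        print(f"{name:<20} {rtype:<4} {reason}")
```

On the constructed zone it flags the self-hosted portal address, the backup MX that points at an in-house Exchange host, that host's A record, and the SPF entry that publishes the same address.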