A couple of years ago, when I decided to re-focus ServerChoice’s hosting products around ultra-high-security hosting, I didn’t fully appreciate at the time how much work was involved and just how difficult it would be to create what we now call our “Security First Culture”.
Starting with standards
Our starting point was getting certified for ISO 27001. This was an obvious first step and allowed a framework to be created from which we could then build upon. I have a lot of respect for the ISO standards and I believe 27001 is a vital ingredient to enable solid security practices within any organisation. The problem I have though, is that too many companies purely use it to get the ISO 27001 Certified badge, allowing them to tick the “Do you have ISO 27001 certification?” box when bidding for new business and not integrating ISO 27001’s important security concerns into their on-going operations.
I must admit, however, that our very first experience of getting ISO 27001 certified did accidentally end up becoming more about getting the badge. As mentioned, I wanted us to become a security-conscious hosting company and I knew we needed ISO 27001 to help demonstrate we have good security practices in place. So I set the task to one of our employees who had some prior experience with ISO standards. He assured me he could get us certified and to trust him on the project, so I left him to it. He booked the audit for a few months’ time and worked alone to draft the various documents and policies required. I later came to realise that allowing him to work in isolation was a big mistake. Yes, he got the job done and we passed our audit to become certified, but essentially the documents and policies he had come up with were formulated from templates and were not built from the ground up to be tailored to the particulars of our business.
So we got the ISO 27001 certification we needed, and it was largely fit for purpose, but we did it in exactly the way I didn’t want us to – it had just become a box-ticking exercise. I blame myself for not getting more involved: I suppose I knew we needed the certification to get the ball rolling for our new Security First approach and I also knew we needed it quickly – so I entrusted someone with experience to get the job done. In many respects, he delivered – after all, we now had our certification. That was my goal, wasn’t it? Yes, but I wasn’t happy and soon came to realise that if we were merely using templates that had just been tweaked here and there, then we weren’t being true to our mission of creating a Security First culture. I knew at that point that if we truly wanted security to become a key seam running throughout the core of our business, then we needed to start from scratch and scrutinise every little detail and process within the business. We had to ensure rock-solid security practices were baked into everything we do.
A secure start
This became a turning point for the company and it wasn’t long before we recruited our first dedicated security professional, Jason, who became instrumental in building security into the company’s DNA. Initially he was tasked with two medium-term projects: one doing our ISO 27001 re-certification and the other leading a project to become PCI DSS compliant on the new v3.0 standard as a Level 1 Service Provider. However, before even starting those projects Jason embarked on developing a whole new set of policies and procedures for the company. In many respects, Jason being new to the business worked in our favour – he didn’t know anything about our then-existing policies and processes and for this reason wasn’t tied into old/bad habits that other long-serving employees may have become accustomed to.
This time around, everyone within the company was involved. It had to be this way if security was going to become a cultural thing for us. Every procedure and policy was started from scratch, and to add to this Jason also put in place regular security awareness training and internal security newsletters. It’s all very well having lots of policies and procedures, but we knew that if people were not regularly updated and trained on them then they would be wasted. Additionally, the awareness training means we get to keep our staff up to date with the ever-changing threat landscape. The training we do is mandatory for all of our employees… me included!
The project to become a PCI DSS v3.0 Level 1 Service Provider was another eye-opener for us. It became a very big project and, owing to our (back then) relative inexperience in this area, we worked with a QSA company to help ensure we understood things and went about it in the right way. Unlike our ISO 27001 experience first time round, I was determined to get this right and ensure we were meticulous in everything we did. To achieve PCI DSS Level 1 compliance as a service provider is no mean feat: it involves a lengthy audit from a QSA who has to be approved by the PCI Security Council. As part of this audit, all of our policies would be scrutinised, much like on ISO 27001, but unlike ISO 27001 we would also need to demonstrate that our data centres, networks, servers, storage infrastructure, etc. are locked down and secure. We also needed to demonstrate complete separation of customers’ data. Additionally, our entire internal and external-facing infrastructure had to pass vulnerability scans and penetration tests, which also have to be performed on a regular basis once compliant status is achieved. The whole process took about 6 months and involved many late nights (especially for Jason!), but after all of the blood, sweat and tears, we finally achieved PCI DSS compliant status on version 3.0 in May 2014. We were one of the first service providers in the UK to achieve this and are still only one of a handful who have.
Since that time we’ve further expanded our security portfolio, with DDoS Mitigation, IDS/IPS, and Penetration Testing to name but a few. All these managed security services complement our core cloud and colocation hosting platforms, and some are available in their own right. We’ve not stopped there either, as we have more plans for the future – though I’ll save that for another blog.
It’s now accurate to say that, through a lot of hard work and a learning curve, we truly are a high-security hosting company, with a culture of security that is at the heart of everything we do. And in this day and age, security is only of ever-increasing importance.