Re: UKNM: Onffsite Applications - Security and trust

[Chris Heathcote]

(off-topic, but hey)


At 9:49 am +0100 on 29/7/99, Chetan Damani wrote:


>How can we convince people to move there applications offsite. security and

>trust wise..?


This is what I'd look for (off the top of my head):


Physical access:

24/7 security, passcard, PIN number *and* pref. biometric security

(Globix have fingerprint readers), constant video monitoring of racks

and access to racks.


Virtual access:

Good trusted (independently tested?) firewall

Authentication to server better than plaintext passwords (ie. SSL +

maybe digital IDs)

Box locked up sufficiently for most hackers (ie. no telnet access,

shell accounts use different passwords to mail/FTP/whatever, strong

password policy (and much more))


Software:

No unencrypted data *ever* kept on the server

proper regimented testing of software for security flaws/backdoors



As for convincing them that you yourself are not hooky, references,

past clients etc. all help.


There are Government security classifications (eg. US C2 level), but

I think you'll find getting your systems tested will be prohibitively

expensive.


NDAs strike me as security through obscurity, and therefore no security at all.


If you want lots of techies on the case, I'd recommend the squack list

http://www.pineal.com/ , but be prepared for long arguments about 

your choice of OS :)


hth

c.

-- 

            "I am not a geek, I am a Renaissance nerd"

   http://www.head-newmedia.com      http://www.head-space.org 

********************

UKNM is sponsored by Excite UK, visit us at http://www.excite.co.uk.

Email Khalil Ibrahimi

khalilexcitecorp [dot] com (mailto:khalilexcitecorp [dot] com)

 to advertise on Excite.

********************

Change your UKNM subscription use http://www.chinwag.com/uknm.html