It has been a couple of scary six months in the hosting industry. It seems as though we and our fellow hosting companies are always under attack, from all different directions, all the time. In the past 12 months alone there have been numerous data breaches and security problems at numerous hosting companies, including one where 6,000 clients private information was leaked. Not to sound entirely grim, since these breaches were all of different varying degrees of severity, however, combined thousands of customer's private information did get leaked, thousands of passwords needed to be changed and lots of damage control specialists were deployed to help cull the PR nightmare that typically occurs immediately after a security breach.
There were so many reported incidents (and many more unreported ones) that we decided that we won't be next -- and implemented a security technology which is used by most banks and financial institutions to protect and properly restrict access to critical systems. We hired a security consulting firm (Chicago's Halock Security Labs -- www.halock.com) to help us select and implement the best solution. In the end, we went with RSA's SecurID system (http://www.rsa.com/node.aspx?id=1156).
Here is a brief synapsis of what it is and how it works:
SecurID uses what is known as two-factor authentication, meaning in order to access any internal system of SingleHop (such as our billing system, server provisioning systems, etc.) you must have two pieces of information: something you know (your password) and something you have (your RSA SecurID token.) The "something you have" part is a randomized number and the "something you know" is your standard password.
It works like this:
- Every employee is assigned a token. The token is basically a little plastic key chain that has a small LCD screen on it. The screen displays a six-digit randomized 'token code' which changes every 60 seconds.
- Everyone employee logs in the first time and creates another 'pass code', which is 6 to 8 digits long -- they keep this one secret and in their head... and no one, not even the system administrators managing SecurID or our consulting firm know what it is. This pass code must also be changed frequently and users are prompted to do so when logging in.
- When someone logs into the system, they must enter their selected secret pass code followed by the the token code displayed on their RSA SecurID key chain. These two combined are your temporary password. The token code changes every 60 seconds automatically, and a token code can only be used to log in once.
This, combined with other security technologies such as firewalls, encryption and our internal VPN provide a lot of peace of mind for us here at SingleHop by allowing us to protect our customers details, keep our network and servers clean from intrusions and most importantly protect our customers accounts with the best technology.
We know that when it comes to security, especially in the dedicated server industry, nothing is 100%... Anyone who tells you otherwise either does not know what they are talking about, or is delusional. Our system administrators and programmers are always watching out for 0-day exploit releases, and the like, but with SecurID we have the peace of mind of knowing that it is much, much, much more difficult -- with odds in the billions that a pass code + token code can be guessed -- making it nearly impossible (but we never say never) to gain any level of unauthorized access.