The Trust Factor of Third-party DDoS Protection
If you inventory the basic security infrastructure of organizations across any industry, 99.9% of them most likely have antivirus protection. However, not 99.9% of these companies are investing comparable resources in robust and effective DDoS protection. Most organizations depend on their service providers or scrubbing centers to protect them.
Putting all your trust in a third party isn’t always the best way to protect your organization.
When working with a third party, you need a system of checks and balances to make sure everyone is keeping up their end of the bargain. Here are some issues you may want to consider.
- Check What You’re Paying For: What is the service level you’re paying for? What is the coverage level you actually need? Do you have minimal coverage? Is DDoS protection included?
- Inspect the Security Infrastructure: Have you inspected their security infrastructure? What are their standards? Are they at the same level you would expect them to have? What are they missing? Do they have any references?
- Co-location: Who are you sharing space with? Major cloud service providers are attacked millions of times per minute, with cybercriminals trying every sort of attack imaginable to find vulnerabilities within the infrastructure. How will this affect your DDoS protection services?
- Your Obligations: What if you’re the weakest link? Every service provider has an SLA to provide a certain level of protection. The rest is up to you. Compare what the SLA provides to what your organization actually needs, and make sure you fill the gaps.
- The Right Protection: Do they have the right DDoS protection? Is your service provider offering CDN (DNS)* protection? Or are they providing BGP** protection? Is the provider offering a combination? Can they mitigate SSL attacks?
- Administration: Do they have the right technologies for the types of organizations they are protecting? Let them explain to you why, and see that it makes sense.
- Vendor Selection: Who are their vendors? How well are they bundled? Are those vendors providing the right technology to protect your organization? What are those vendors’ weakest links? Are they willing to give you a trial period to test their services?
- Updated Tech: How often is their technology updated? When was the last time they were put through objective testing to ensure that their systems were up to par? Will they provide you with such reports? Have third parties reported on their technology?
- Threats Against You: Who is out to get you? What types of attacks is your industry facing? Is your service provider prepared to handle them?
- Penalty Payments: Does your provider offer penalty payments for SLAs they didn’t stick to?
The issue is that your DDoS security protection may not be their priority, even if they say it is. While you may want to continue making it someone else’s responsibility, it may be time to sit down with your providers for an hour or two and ensure that everyone is on the same page when it comes to robust DDoS protection.
Keep in mind, your exposure is greater than theirs. If their systems fail during your next DDoS attack, your loss of business could be significantly greater than theirs if the only thing that happens to them is that they lose you as a customer.
*CDN (DNS) protection: This protects you against attacks that use the name of your organization, such as www.bankingplusonline.com. If someone types in your IP address directly, e.g. 10.249.3.2, you aren’t protected, and your mitigation provider never even sees the attack.
**BGP protection: This protects you against attackers targeting your direct IP or targeting DNS names. For example, if an attacker targets your true source IP, your mitigation provider should be able to mitigate the attack if all is working as expected.
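The gap described in the CDN (DNS) footnote can be checked against an export of your own DNS zone: any published name that resolves to the origin address, or to an address outside the provider's ranges, carries traffic the mitigation provider never sees. The following is an added example, not part of the original article; only www.bankingplusonline.com and 10.249.3.2 come from the text, while the provider range, the other hostnames and the record set are constructed assumptions.

```python
import ipaddress

# Constructed sample data. The hostname and origin IP are the illustrative ones
# from the footnote; the provider range and other addresses are assumptions
# (RFC 5737 documentation blocks).
PROVIDER_CIDRS = ["198.51.100.0/24"]
ORIGIN_IPS = {"10.249.3.2"}
ZONE = [
    ("bankingplusonline.com", "A", "198.51.100.10"),
    ("www.bankingplusonline.com", "CNAME", "bankingplusonline.com"),
    ("bankingplusonline.com", "MX", "mail.bankingplusonline.com"),
    ("mail.bankingplusonline.com", "A", "10.249.3.2"),
    ("login.bankingplusonline.com", "CNAME", "app.bankingplusonline.com"),
    ("app.bankingplusonline.com", "A", "10.249.3.2"),
    ("vpn.bankingplusonline.com", "A", "203.0.113.7"),
]

def resolve(name, zone, seen=None):
    """Follow CNAMEs within the zone export; return the set of A addresses."""
    seen = set() if seen is None else seen
    if name in seen:  # CNAME loop, stop following
        return set()
    seen.add(name)
    addrs = set()
    for owner, rtype, value in zone:
        if owner == name and rtype == "A":
            addrs.add(value)
        elif owner == name and rtype == "CNAME":
            addrs |= resolve(value, zone, seen)
    return addrs

def audit(zone, provider_cidrs, origin_ips):
    """Flag every published name whose address bypasses the DNS-based provider."""
    nets = [ipaddress.ip_network(c) for c in provider_cidrs]
    names = {o for o, t, _ in zone if t in ("A", "CNAME")}
    names |= {v for _, t, v in zone if t == "MX"}  # mail hosts are published too
    findings = []
    for name in sorted(names):
        for addr in sorted(resolve(name, zone)):
            if addr in origin_ips:
                findings.append((name, addr, "origin-exposed"))
            elif not any(ipaddress.ip_address(addr) in n for n in nets):
                findings.append((name, addr, "outside-provider"))
    return findings

if __name__ == "__main__":
    for name, addr, reason in audit(ZONE, PROVIDER_CIDRS, ORIGIN_IPS):
        print(f"{reason:17} {name} -> {addr}")
```

Each finding is a question to put to the provider: either the name is moved behind their service, or the address needs coverage at the network level, as in the BGP footnote.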