rackAID Blog

rackAID Joins Red Hat Ready Partner Program

2008-09-24T13:18:32Z

rackAID, a leading managed service provider, announced today that they have joined the Red Hat Partner Program as a Red Hat Ready business partner. Though the partnership, rackAID expects to increase their Red Hat Enterprise Linux service offerings and develop business through co-marketing opportunities. Jacksonville, September 24, 2008 -- rackAID, a leading provider of on-demand IT management services, has joined the Red Hat Partner Program as a Red Hat Ready Partner. The Red Hat Partner Program enhances rackAID's Linux operations by providing access to development, marketing and training programs. Through the Red Hat Ready program, rackAID will take advantage of the program's co-marketing and co-branding offerings to further industry awareness of rackAID's long history of Red Hat Enterprise Support. Red Hat's educational materials will allow rackAID sales and technical staff to stay abreast of the latest products and services available from Red Hat. "We have always been a Linux shop, but we selected Red Hat Enterprise Linux as our core focus because of the security, reliability and consistency provided by Red Hat," said Jeff Huckaby, President of rackAID. "We've always provided basic server management services, but the Red Hat Ready program enables us to design, deploy and manage complex IT platforms." rackAID provides system administration and IT management services. The company currently manages over 200 servers running Linux. Through rackAID's on-demand IT management program, they provide proactive server management, availability monitoring, disaster recovery and system administration services for hundreds of web and email service operators. Recently, through a partnership with ControlScan, rackAID added a PCI compliance program to their growing mix of IT services. "Through our partnership, we will be expanding our Red Hat based services. The Red Hat Ready program gives us access to product roadmaps, support and training services that will definitely benefit our staff and our clients," said Juli Zurovec, rackAID's IT Services Director. The Red Hat Ready Partnership continues rackAID's rapid service development. This year rackAID announced partnerships with SoftLayer, MySQL, R1Soft, and ControlScan. The Red Hat partnership marks a key development in their effort to deliver comprehensive, enterprise-class management services for Linux-based IT service platforms. About rackAID: rackAID provides on-demand IT management services suitable for small businesses. The company offers server management, patch management, monitoring and disaster recovery solutions for Linux-based systems. The company's small business clients benefit from better security, availability and reliability in their online operations

Get Ready for PCI Phase III with a Free PCI Scan

2008-09-17T15:44:34Z

One thing a partnership provides is education. ControlScan has notified us that Phase III of the PCI-DSS program is upon us (see the bulletin). If you are running an E-commerce shop or plan to, then you may want to review the upcoming changes in the PCI-DSS program. On October 1st, 2008, Phase III will be in effect. Under Phase III, banks cannot board new level 3 or 4 merchants that cannot attest to PCI compliance. If you need PCI compliance, now would be the time to get started. Best of all, ControlScan is providing a Free 14 day Trial for rackAID clients. Phase III The new rules are designed to stop some merchant shopping and raise overall compliance. Some e-tailers are jumping from merchant provider to merchant provider in an effort to escape the PCI-DSS requirements; phase III will put an end to that practice. With the holidays fast approaching, I recommend checking with your acquirer about your PCI compliance responsibilities. As I understand the regulations, if you accept any credit card information through your server, via email, web site or other method, then you may need to follow the PCI guidelines. If you 100% outsource your credit card processing and never receive the credit card details, then your processor is the responsibility party. However, if you get credit card number emailed to you, stored in a database or other computer system under your control, then you may want to check with your bank about your responsibilities under PCI-DSS. rackAID's PCI Services As we announce earlier this month, we have entered a partnership with ControlScan to provide PCI related services. We have both Managed PCI Compliance and a Scan & Fix service. Most Level 4 Merchants will be required to have quarterly audits. These audits consist of a Self Assessment Questionnaire (SAQ) and a security scan. rackAID can help you mediate the scan results. This often requires validation of specific security issues, documentation of false positives, and correcting security issues on your server. We focus exclusively on the server-level operations. Any application level exploits will need to be resolved by you or your software vendor. Verified Secure Site Seals

Through ControlScan, we also offer a Verified Secure service. This delivers both PCI compliance and site seals attesting to your site's security. Research has shown that the presence of these seals can increase conversion rates and buyer confidence, resulting in sales increases of 10%. If your ecommerce operations are busy during the holidays, this may be a good time to test these seals on your site. As you can see to the left there are two seals provided. The certifies your business background, meaning that control scan has verified your address, business registration, domain name, and business name. If you click on this you will get a pop-up stating that your business is a verified site. The second seal is a "Verified Secure" seal indicating that your site is actively scanned for exploits and has been tested by ControlScan. If you click on it, you get a verified site pop-up that states that the site does not contain any severe security issues as defined by the PCI DSS scanning guidelines (Payment Card Industry Data Security Standards). These seals have been shown to drive conversions, as you can see in this vendor list.
Breach Protection The Verified Secure Breach Protection program also provides up some additional services if an actual or suspected breach occurs. The program covers expenses from breaches of data security - regardless of your PCI compliance status - as long as the business owner is not involved in the breach:

A forensic audit when a breach is suspected
Credit card replacement costs and related expenses (printing and shipping new cards to consumers whose cards may have been breached)
Assessments and fines levied by card sponsors
Physical losses, such as if a laptop was stolen that had data on it or receipts were pilfered

You will need to review the full terms and conditions for the specifics, but think of this as an insurance policy for your site. Free Trial rackAID client's can sign up for a free PCI trial. This is a scan only. We do not provide fixes during the trial unless you convert to a paid subscription, but the trial is an excellent way to test the system and see what it provides. Through our partnership ControlScan will help you get up and running in their system. Questions If you have any questions about our PCI compliance services, just open a free estimate.

rackAID Joins Jacksonville Chamber of Commerce and IT Council

2008-09-16T13:35:56Z

rackAID, a leading managed service provider, has joined the Jacksonville Chamber of Commerce and the IT Council. rackAID's president, Jeff Huckaby, expects the company's involvement in the IT council will enable rackAID to continue its rapid growth and service expansion. Jacksonville, FL (PRWEB) September 16, 2008 -- rackAID, a leading managed service provider, has announced that they have joined the Jacksonville Chamber of Commerce and the Jacksonville Information Technology Council (JITC). The Jacksonville Regional Chamber of Commerce, started in 1884, fosters economic development by supporting the growth of more than 4500 area businesses, helping to attract and establish new businesses and creating a healthy and inclusive business environment. "I like to be involved in the local business community. I am looking forward to the meetings and events sponsored by the Jax Chamber. There are some prominent IT firms here in Jacksonville. Through the IT Council, we get to see what others in our area are doing and cultivate new business relationships," said Jeff Huckaby, president rackAID. "Partnerships are critical to expanding our services beyond server management and into other areas such as managed PCI compliance and server backup solutions." The JITC creates a clearing house for IT organizations to come together and increase the strengths and relationships within the local Jacksonville IT community. Members include IT directors, staff and others with a keen interest in technology. Those interested learning more about the Jacksonville Chamber of Commerce, or any of the programs that organization supports are invited to visit the Chamber website at www.myjaxchamber.com. Recently, rackAID announced a managed PCI compliance program tailored to small businesses. This new service follows the launch of a managed server backup solution earlier this year. About rackAID rackAID provides on-demand IT management services suitable for small businesses. The company offers server management, patch management, monitoring and disaster recovery solutions for Linux-based systems. The company's small business clients benefit from better security, availability and reliability in their online operations.

Anti Spam Service - Free Trial During Soft Launch

2008-09-10T19:33:00Z

We get asked about it all of the time. What? Spam. Dictionary attacks, backscatter, and those popular male enhancement messages can really kill you productivity. Fortunately, I think we've found a cost-effective solution. Control-Panel Woes If you are using a control panel, such as Plesk or Ensim, you likely have some level of spam control, but I bet you are not happy with it. The control panel tools are very poor at blocking spam and often do not provide the fine-grain control you require to fight spam effectively. Unfortunately, there is not a lot that can be done in a sustainable manner. Heavily modifying the default installation often leads to long-term management issues. Gateway Solutions To date, most of the anti-spam and anti-virus gateway solutions I have reviewed would not work well in a shared environment. They often lacked the features required to carefully manage accounts at a per-domain level. Fortunately, I've found a solution that does have hosting oriented features. The solution is from SpamTitan. They've been making anti-virus/anti-spam gateway software for years. I wish I had discovered them sooner. How it Works To use the spam filtering service, we have to re-route email through the appliance by updating your DNS records. Email will then go into the appliance where it is processed by the anti-spam and anti-virus engines. If the message is clean, it will be delivered to your server. If the message is a virus, it is deleted. If the message is flagged as spam, the system will quarantine the message. Once a day you will get an email notification about quarantined items. Should you find a false-positive, just click a link and the message will be delivered to you. There is also a web interface to process your quarantined messages and set per-domain and per-user white/black lists. Soft-Launch In order to get a good idea of the support required for this service, we are offering a 30-day free trial for one domain (up to 10 accounts) to any clients with a server under management. Seats are limited, so the service will be awarded on first-come first-served basis. You will get a free trial for 30 days, after which you can elect to continue the service or stop it. There are no fees or obligations. Pricing We have not set final pricing but expect it to be between $25-35/month for 10 mailboxes. You can add on a domain for $5.00/month. This is for both the anti-spam and anti-virus features. Discounts may be available for larger installations. We also have the ability to give you your own anti-spam appliance as a managed virtual system. The latter is suitable for deployment requiring more than 100 accounts. Getting Started if you want to sign up for a free trial, just log a ticket in our help desk. Please put: "AntiSpam Soft Launch" as the subject. This offer is for existing server management clients only. You must have an Plesk, Ensim or cPanel server to use this service during the Soft-Launch.

Our Backup Service Rocks! Just ask our clients.

2008-09-05T14:09:53Z

Early this year we announced a server backup solution (server backup press release). This solution is based on R1soft's backup software called CDP. Since launching this service, we saved many clients a lot of headaches. Scripting Slip-Ups We've had two clients (who'd rather not be named) have scripting errors truncate important access files on their site. In one instance, the file was used to authenticate forum users. In another, the file was used to authenticate members to a paid membership area. In both cases, we had the files restored within 10 minutes of the ticket being received. Logging into the web interface in CDP and restoring files is very easy. If you can use an FTP client, you can restore files with the system. Dimwitted Deletions We've also had a handful of cases where a client has slipped up and deleted a critical file. Without our server backup service, they would have been stuck. In one case, the client would have had to contact his client to get copies of the graphic files they had just submitted the day before. With CDP, he was able to avoid telling his client he just deleted their hard work. Hardware Hiccup Just this week, we used a combination of CDP backups and VMware to recover a crashed server at ThePlanet. Around 4:00 AM we sent the client's server down for a reboot. He is a server management client, and we had just pushed out a kernel update. Unfortunately, the server never came back online. While ThePlanet was looking for a new server chassis, we started to restore the clients backup to a VMware-based system on one of our NYC-based servers. With no ETA from ThePlanet, we had the client switch DNS to the backup system. A little over two hours later, his site was back in operation again. Backup Bliss Having good backups is a real peace of mind. I am glad we found R1Soft's CDP system. As we noted before, we searched quite a bit for a cost-effective, easy to use backup system and settled on CDP. We've used the built-in tools from Plesk, Ensim, and cPanel. We have built our own scripts around mysqldump, rsync and tar, but the CDP system is so much easier to use that we no longer support these other methods. If you are not already using our CDP backup system, I recommend you enroll today. Pricing is just $35.00/month for most situations. Pretty inexpensive for backup bliss.

Office Closed: Labor Day September 1st

2008-08-29T12:51:02Z

Happy Labor Day. Labor Day is an official US Holiday that was originally started by a labor union in New York City in an effort to give their hard working members a day off. Since, Labor Day has become a celebration to mark the end of the summer. We too will be closed on Labor Day. If we are lucky, we may even get out of here early today. As our offices will be closed, case-based support, billing and sales will not be available on Monday, September 1st, 2008. Clients with server management subscriptions will continue to receive services in accordance with their SLA. Low level tickets submitted after 5 PM Friday, August 29, may not be handled until Tuesday, September 2nd. Case-based support requests received after 2 PM Friday, August 29 may not be completed until Tuesday, September 2.

rackAID Announces Strategic Partnership with ControlScan

2008-08-27T12:57:09Z

Offerings Available through ControlScan Provide rackAID Clients with Quality PCI Compliance Solutions. Jacksonville, FL and Atlanta, GA -- (SBWIRE) -- 08/27/2008 -- rackAID (http://www.rackaid.com), a leading provider of managed services to small and medium-sized businesses, announced today its partnership with ControlScan (http://www.controlscan.com), an Approved Scanning Vendor (ASV) certified by the Payment Card Industry (PCI), to help its merchants meet mandatory requirements set forth by the PCI Data Security Standard (PCI DSS) Council. "ControlScan's easy-to-use PCI compliance solutions offer the best value and service available," said Jeff Huckaby, chief executive officer, rackAID. "This is a perfect add-on to our server management subscriptions." rackAID merchants will have access to ControlScan's full-service PCI solution, which includes a Self Assessment Questionnaire tool, on-demand security scanning and access to ControlScan's merchant portal. Merchants can also take advantage of ControlScan's security certification seals, which typically help e-merchants realize an increase in online sales and a decrease in shopping cart abandonment. "This partnership allows rackAID to complement its managed services with ControlScan's PCI compliance solutions to help their merchants comply with the standards and help protect their customers' personal information," said Joan Herbig, chief executive officer, ControlScan. For more information about the partnership visit http://www.controlscan.com/rackaid or call 800-879-6021. About rackAID rackAID is a leading provider of managed services to small and medium-sized businesses with critical online operations. Through their managed services, rackAID clients see improved up time, security and reliability in their operations. rackAID specializes in managing Linux-based hosted solutions. For more information visit http://www.rackaid.com. About ControlScan Headquartered in Atlanta, Georgia, ControlScan provides security and Payment Card Industry (PCI) compliance solutions designed exclusively for small- to medium-sized e-commerce businesses. The company's Verified Secure solutions make it easy and cost-effective for these businesses to protect their infrastructure and help keep their Websites safe so shoppers can purchase with confidence. Verified Secure is the security solution of choice for smaller e-businesses because it offers security solutions that fit their specific needs, a personal level of service and the best value. For more information about ControlScan and its Verified Secure services visit http://www.controlscan.com or call 1-800-825-3301.

Red Hat Network Hacked? OpenSSH Issue

2008-08-23T20:03:19Z

Red Hat has released a notice that they had a security intrusion on their Red Hat Network system that is used to update servers. Apparently attackers were able to sign a package. Signatures are used to verify the authenticity of packages. While Red Hat does not think there was any significant harm. They have released an updated OpenSSH Package and a test script to verify your system is not impacted. Red Hat noted, "In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only)." This is pretty serious and a critical patch has been released for OpenSSH. Server Management Clients Client's using rackAID's server management subscription service do not need to worry. We have checked all servers under management and did not find any corrupted packages. OpenSSH updates are being applied today.

Weathering Fay

2008-08-22T18:55:09Z

UPDATE (11:53 PM) Just returned from our office and we remained dry. Unfortunately, I cannot say the same for some of the surrounding businesses but even with high tide coming again in a few hours, we should be fine. (Flickr Photos) Our offices have been closed since noon yesterday. Tropical Storm Fay has been pounding Jax for two days now. Our office is in a low lying area, but I think we are safe. We have transferred critical operations to our secondary site and staff are working remotely. Flooding The St. Johns river breached its bulkheads this afternoon by about 6-12". This caused streets to flood in the area near my home and near the rackAID office. I visited the office about an hour ago. Had to take my bike as some water was too high for the car. We are about 6" above the water line right now. St. Johns is a tidal river and we just went through high tide. Waters should start receding as we finally got a break in the rain. Operations Operations should not be impacted. We've transferred some critical functions from our office to secondary locations. Staff are working remotely and will continue to service requests as usual. Telephone support will be limited for the next 72 hours, except for emergencies. Outlook We have one more high tide tonight. The rain has finally let up. A wind change should also help. So by Saturday afternoon we hope for the water to recede and we can start the clean up.

Security Scanning and PCI Compliance

2008-08-19T17:50:22Z

As I mentioned in our review of our PCI Compliance programs, we were working on a PCI and security scanning service using ControlScan's system. We've completed our partnership and are ready to start delivering PCI compliance assistance to Level 4 merchants. We have two offering a fully managed service and the Scan & Fix service. We've also arranged for our clients to enjoy a free security scan with ControlScan. Managed PCI Compliance In conjunction with ControlScan, rackAID is launching a managed PCI compliance service. The service is available as an add-on to our server management subscriptions. Under the service, the only thing you need to worry about is completing your self assessment questionnaire and your web applications. rackAID will handle all server level items. The key benefits of managed PCI compliance is that you know your server is routinely checked and secured by professional staff. You can pass those quarterly audits with ease and not have to scramble for last minute compliance. You can focus on your business rather than worrying if a TRACE-TRACK exploit on your server is a serious issue. The service is priced per domain based on the scanning frequency you require. Rates start at just $75.00/month. Scan & Fix In addition to our managed solution, we also offer a Scan and Fix service. We will scan your system and then do the fixes at our standard hourly rates for advanced services (currently $112.50/hr). In most cases, we can resolve the scan related items in 2-3 hours. If you do not already have PCI scanning service, then we highly recommend ControlScan. In our review of approved scanning vendors, we found ControlScan to be one of the best. Their easy to use interface and consistent results mean that we can often work through a scan with them more quickly than with other providers. So even if ControlScan's fees may be more than other providers (though they are very competitive), you need to consider the total cost of having the scan and fixing the items. Better Security Even if you do not need PCI compliance, the ControlScan is an good security tool. They use a number of scanning techniques to find exploits on your server. They combine tools like Nikto, Nessus and others into a single, easy-to-use scanning product. Regular scanning helps secure your system by finding potential vulnerabilities before the attackers. Combined with the patch management we provide in our server management packages, this is a excellent, cost-effective solution for server security. No it is not hacker-proof, but the combination of service monitoring, patch management and security scanning provides a very robust management package that will keep your system operating securely. Free Scanree security scan. Note that we can only provide the scan for free, should you need security items fixed, we can discuss if the Scan & Fix or managed solution is best for you. If we do need to fix items, you will need to convert your trial into a full version so we can produce the proper reports. If you have any questions, just post them as a comment on our blog or ask us in the help desk.

Monthly Management Clients are Happy Campers

2008-08-08T16:29:18Z

Back in May, we announce that we started using Ratepoint to assist us with collecting customer reviews. This week we conducted a survey of our client's subscribing to our monthly management services. The results are in the chart, but in general, our client's are highly satisfied with our services. The Survey We asked some very basic questions about our services. Are we courtesy, are we skilled, do we communicate well and respond promptly? You exact questions are listed in the chart. We also inquired how often people use our help desk to get assistance. On average more than 95% of our clients are satisfied with our services (the highest ranking) and nobody was dissatisfied. Help Desk Usage The good news is that the majority of our clients use the help desk monthly or rarely. To me, this means we are doing our job. Our monthly server management program is designed to prevent problems. If we deliver pro-active support successfully, then you should not need to use our help desk. Our service delivery process assures that we continually improve our management package. One way we improve service is through root cause analysis (RCA). RCA is an inherently reactive procedure. When you have a problem, we then try to diagnose the root cause of it. By doing so, we gain expertise to prevent the problem from recurring. Repeating this procedure over and over yields consider knowledge, which we document internally. In the end, this process yields a more valuable server management service. Sure we could simply reboot your server, check to make sure services are up and running, and close out a ticket. We have tools that can do that automatically! But what value do you gain? Through RCA and other processes, we continually enhance the value of your service. You have fewer problems. We have fewer 2AM emergency support calls. We gain efficiencies in our service delivery - you gain assurance that your systems run smoothly. We both win. Always, room for Improvement Overall the results of the survey were fantastic, we did however receive a few comments highlighting areas in which we can approve. One specific area that was mentioned was how updates often cause problems with 3rd party software or that customized solutions, such as custom PHP builds, would be disrupted. We are working on a solution for customized software. PHP is the major item. The stock builds often do not include the modules required by modern web applications. As a result, customization is required. We are looking into building our own software repositories for PHP, MySQL and other commonly modified items. We can then configure your system to use our repositories for updating these items. Third party products are more difficult to manage. We are working on generating some list of common add-ons and develop post-update procedures to assure they are working. More Feedback If you have more feedback, just comment on our blog or email us directly. We always want our client's feedback - good and bad. Through your input, we can build better value into your services.

rackAID Joins MSP Partners Vendor Alliance

2008-08-04T16:30:21Z

rackAID, a leading managed service provider in the web hosting industry, announced today that it has joined MSP Partners, a vendor alliance group. Membership in MSP Partners will accelerate rackAID's product service development allowing rapidly delivery of server management, monitoring and disaster recovery solutions clients. Jacksonville, FL (PRWEB) August 4, 2008 -- rackAID, a leading managed service provider for the web hosting industry, today announced that they have joined MSP Partners to accelerate expansion of their managed service offerings. MSP Partners was founded by Cisco, Intel, Ingram Micro, Level Platforms and Microsoft to educate IT solutions providers about managed service strategies and best practices. Jeff Huckaby, rackAID's CEO, commented, "We have always provided basic IT management solutions to our clients, but we see an opportunity to expand those offerings and become an end-to-end solution provider. Web developers, SaaS providers and E-commerce ventures will see the greatest benefit from new services under development. By joining MSP Partners, we gain access to market research, vendor channels and other solution providers that accelerates our ability to deploy new solutions for our clients." No one company can do everything well. You need a healthy ecosystem of infrastructure, software and service providers to cultivate new services. Mr. Huckaby said that rackAID's key focus this year has been partner development; "No one company can do everything well. You need a healthy ecosystem of infrastructure, software and service providers to cultivate new services." A sentiment clearly reflected by recent announcements. Earlier this year, SoftLayer, a leading provider of on-demand IT infrastructure, selected rackAID as their preferred managed service provider. Through the partnership, rackAID is delivering server management , deployment and optimization solutions to SoftLayer clients. In June, rackAID also announced a partnership with R1Soft to deliver online backup solutions. On the company blog, Mr. Huckaby hinted at an upcoming announcement about a managed security service to enable E-commerce operators to become compliant with new payment card industry (PCI) security standards. This will enhance their existing server management offerings. About rackAID rackAID is a leading provider of managed services to SMB's with critical online operations. Through their managed services, rackAID clients see improved uptime, security and reliability in their operations. rackAID specializes in managing Linux-based hosted solutions. For more information visit: www.rackaid.com. About MSP Partners MSP Partners is a vendor alliance formed to provide solution providers a comprehensive source of MSP education. Members benefit from cohesive new market research, solution provider success stories, and collaborative vendor solutions, all demonstrating a path to success in managed services.

Parallels Plesk 8.6 Released

2008-08-01T16:00:27Z

Plesk 8.6 has been released by Parallels. This release primarily tweaks and fixes bugs found in 8.4. We recommend updating to 8.6 if you have already updated to 8.4. New features of Plesk 8.6 include: PHP 5.2.6 is now supported. Improved DNS zone updating See all your zone changes before saving them. SOA serial number format Can now be changed from the Plesk default Unix timestamp to YYYYMMDDNN, the format recommended by RIPE and IETF. Several security and bug fixes have also been bundled in with 8.6. Users of Plesk on CentOS 3 will be disappointed to learn that as of 8.6 Plesk has dropped support for their OS. RHEL 3 is still supported and it is likely possible to update CentOS 3 servers to 8.6 using Plesk's RHEL 3 packages, but we have not tested this. We expect support for RHEL 3 to be cut soon, if not in the next release of Plesk then shortly after. While the update to 8.6 should run smoothly on most systems, we still prefer to run tests before pushing out updates. We are currently running 8.6 on several test systems and plan to start rolling out the update to our monthly management clients in the next few weeks.

PCI Compliance Project: ControlScan a Clear Winner

2008-07-31T14:14:32Z

If you are regular readers of our blog (we do have a few), you may have remembered I started looking into PCI Compliance scanning services. Rolling out our new dedicated server backup service put my PCI work on hold for a couple of weeks, but now I am back to wrap it up. I set out to review several approved scanning vendors (ASVs) in terms of cost, ease of use and additional service offerings. This post concludes the project which included information on PCI Scanning, approved scanning vendor, and the inital security scan results. After working with several companies, the results are in and ControlScan is a clear winner. As mentioned in our first report, we took a standard CentOS 5 server and subjected it to scans from ScanAlert, Comodo, and ControlScan. After the scanning we reviewed the reports, installed the Plesk control panel and conducted follow-up scans. Lastly, we corrected the broken items and re-scanned again. Consistency One of the key factors I wanted was consistency. During our ScanAlert trial, we found inconsistent scan alerts. Differential results on consecutive scans hinders our ability to properly secure a system, increases analysis time, and presents a confusing picture about a systems compliance status. New security signatures could lead to different reports, but in our trial, scans at different times revealed different ports being open -- though no changes had occurred on the server. To be effective, you need consistent audits between scans on identical systems. During our trial, we found ScanAlert produced 3 different results. This delays PCI compliance by requiring us to repeatedly re-check newly found items. While I understand that new signatures may contribute to differential results, any ASV should be able to produce consistent open port results. The other vendors we tested produced consistent scan results. This allows us to schedule a single review period and eliminate any security items with a single pass over the audit. This reduces the time required to achieve PCI compliance and lowers total costs. Note: Since we started the project, McAfee has re-branded and re-priced their service. From what I can tell, they are now calling it the McAfee Certified PCI Compliance Program. Pricing Comodo's HackerGuardian was very attractive given the price, just $79.00 for a scan. However, the low price comes at a huge productivity cost. The organization of the reporting format complicated efforts to identify key results. Few meta-reporting options, useful for client or executive reports, were available or at least easily producible. Though I love the low price point, the additional time required to read the reports would negate total cost savings. On average, I would expect it to take an additional 30-40 minutes per audit due to their reporting format. With PCI consulting rates ranging from $125 to $250 per hour, this quickly negates any cost savings. So while Comodo's offering may be the least expensive for a do-it-yourself approach, if you have to hire a consultant to help you with your audits, the total costs could be greater than you anticipate. Reporting ControlScan's system, though slow at times, works very well. I suspect the slowness may be due to some javascript related items on FireFox. You can product a number of reports for the bosses or clients. The results are clearly displayed by category, system, and threat level. Here are a couple of examples: PCI Report full-report.pdf If you have multiple domains, there are many consolidated reporting options that can give you a quick overview of your security status. False Positives The most time consuming issue when dealing with PCI-related security scans is the documentation of false positives. Having an easy to use false positive reporting system is critical. We did not even get to the false-positive stage with Comodo due to the onerous nature of the reports. But with ScanAlert and ControlScan the reporting is easy. ScanAlert has a web based system to report issue. ControlScan uses email. You just indicate your scan number and submit the documentation required to arbitrate a false positive. Emails to ControlScan were answered promptly, often same day. With some other vendors, such as Trustwave and SecurityMetrics we found poor communication hampered resolving false positives. If you are using rackAID's server management service, most of the issues on an audit will be a false positive, so having an reliable reporting systems is critical. Recommendation We currently recommend ControlScan as our preferred PCI Compliance vendor. We found their service reliable, support is prompt and the pricing comparable to other vendors. The report organization and formatting are some of the best available and we had no issues dealing with false positives. I had the opportunity to meet with ControlScan representatives this week while at HostingCon. My conversations with their sales and technical teams further assured me that we've made the right decision in recommending their services. Managed Security Scans We like ControlScan so much that we are currently working on a partnership with them. Look for an announcement in the coming weeks about a new managed PCI compliance and security scanning service. This new service will provide routine security audits by ControlScan with fixes delivered by rackAID. This will be available as an add-on to our monthly support plans. Pricing will be comparable to using a 3rd party scanner and using rackAID\'s services for repairing issues. With the managed service, you don't have to worry about co-ordinating the audits every quarter. We will handle them for you.

Hostingcon 2008

2008-07-28T18:08:50Z

The primary hosting industry conference (HostingCon) is going on now in Chicago. I will be there a couple of days to catch up on the latest trends in the industry. I typically spend most of my time meeting with our partners and service vendors. SoftLayer, R1 Soft, Ratepoint, DemoWolf, and others will all be in attendance. If you are a rackAID client and are attending Hostincon, be sure to let us know by opening a ticket in our help desk. We will try to get together for a face-to-face about our services. If you are looking for a new IT infrastructure management provider, also just let us know. I've a few meetings already lined up but can certainly take a few moments to address any questions about rackAID's services. If you are wondering why we don't exhibit? Well, we've done these type of shows in the past and found we spend most of our time giving out free advice that nets very little return. Also, the trade-show marking is not out style. We prefer to work one on one with clients to assure they get the best solution.