The hosting industry is often viewed with two lenses - “who” service is delivered to vs. “what” is being delivered. But the most common way of segmenting hosting is “mass market” and “complex hosting”. With the ever-increasing number of providers of hosting services and the explosion of cloud computing providers, it feels like the industry is really looking for more granularity when it comes to describing itself. In the early days, it used to be very easy: you either offered colo or managed services. Now with the lines being blurred and cloud somewhat making both terms irrelevant, a new segmentation is needed.
If you ask me how I would describe Carpathia Hosting, I would describe our services with these two lenses - Enterprise Hosting and Compliant Hosting.
Our typical enterprise hosting customer is running mission critical compute environments. Sometimes the mission is the company’s revenue generating business, other times the mission could be something as important as national security. We see enterprise as being a type of hosting and not necessarily describing the size of the customer – i.e., Fortune 1000 company, has X number of employees, etc. Our services and delivery are optimized to provide this type of hosting. If we were to revert back to old terminology, it would most closely match to “complex hosting” that typically requires a high degree of customization and specialization in the services delivered to customers.
I would argue that Carpathia is one of few (3 or 4 tops) companies that have the rigor in process to really claim this space. So what sets us apart from the others? It’s probably best described by WHO we deliver compliant hosting services for.
A large constituent in this area would be our government customers. For a government system to be connected and in production, it must achieve Authority to Operate (ATO), meaning that the Agency’s security team and CIO have reviewed the operational controls in place against the government computing standards (most often DIACAP or FISMA) and through a rigorous audit process “blessed” the system ready for production.
We measure success in this particular discipline by the number of ATOs we have. At last count, we have ATOs with 26 different government agencies (some with multiple systems, each with their own ATO hosted with Carpathia). Outside of the government vertical, PCI, HIPAA, GLBA and SOX are the other dominant compliance standards and guidelines we work with. Each has their own set of controls and frequency of inspection. For customers delivering healthcare solutions to the government, for example, we have another intersection of HIPAA and FISMA/DIACAP to consider.
Not all customers have compliance requirements that are generated by an external body. We have many customers who have created their own information security policies - often based on existing standards such as ISO or NIST - and hold these up as a requirement for service. We also support these requirements and are often very involved in helping customers define them.
The way we go about delivering compliance is the same no matter where the requirements have been defined. We hold ourselves accountable to our own policies that are also a superset of government and commercially published requirements. We then map these back to relevant requirements within each published standard.
With close to 10 years of experience delivering “compliant” hosting, we can say that compliance is truly in Carpathia’s DNA.
I can think of no better endorsement for our capabilities than references from our customers. Today we have launched a number of case studies, customer references and white papers that really dig into the next level of detail in compliant hosting. Here’s hoping our analyst friends consider compliance as another view on the hosting industry.