
The Pros and Cons of Third-Party Intranet Hosting

By Paul Chin

Originally published in Intranet Journal (01-Dec-2004)



There was an interesting post recently on Intranet Journal's Discussion Board from someone wondering about the viability of hosting an intranet via a third-party hosting service provider.

Although, traditionally, an intranet is thought of as a private and restricted internal Web-based network that's only accessible to users within an organization, there are those who choose to host their intranet with an external, third-party hosting service provider—either an Internet Service Provider (ISP) or Application Service Provider (ASP). Note that this shouldn't be confused with an extranet, whereby an intranet, or part of an intranet, is shared with external users by way of a virtual private network (VPN) that creates a secure and encrypted "tunnel" through the Internet.

So what's the big difference between internal and external intranet hosting? Well, it's basically the same as the differences between buying your own house and renting an apartment. As a homeowner, you're responsible for all repairs and improvements. Whether you decide to do this work yourself or contract it to someone else is up to you, but you're basically responsible for everything yourself. However, when you rent a home all you need to do is call your super to have something done—of course, you may have to wait a while until they get to you.

Many ISPs and ASPs offer both hosting and development services but whether you decide to develop an intranet yourself or outsource it, there are many things you need to consider before putting your intranet on someone else's real estate.


Why Third-party Hosting?

While some may consider an externally hosted intranet a contradiction in terms, preferring to call it a secured Internet site, there are cases where hosting externally is more desirable, or even perhaps the only option to consider. For instance, hosting externally would be a good option if you don't currently have your own intranet infrastructure set up and simply need to find a quick home for your system where all of the security and network infrastructures are already in place. This is especially useful if your intranet is going to have a very short lifespan and is only being put into place to serve a specific time-sensitive event, after which your intranet will be discarded.

Then there are cases where hosting externally is the only feasible solution because of a lack of resources to implement and maintain an intranet infrastructure. Many smaller operations that lack a dedicated IT staff or the technological know-how may view the learning curve required to efficiently maintain an intranet too steep for their purposes.

Whether you house your intranet internally or through a hosting service provider is a decision that's based on one key question: Do you currently have an intranet infrastructure in place? And when I say "intranet infrastructure," I mean a real intranet infrastructure. Don't mistake a simple Windows server with a pre-installed Internet Information Server (IIS) for an intranet infrastructure. It needs to address issues such as (but certainly not limited to):

Like all things, there are pros and cons to hosting your intranet externally:

Advantages of Third-Party Hosting

Disadvantages of Third-Party Hosting


Security Issues Related to Third-Party Hosting

When intranets are housed internally, content will only be exposed to, and handled by, employees of the company. Content can, of course, be secured further depending on departmental or workgroup membership. But regardless of who has access to the information internally, content circulates within, and never leaves, that protective bubble we call the company LAN. You won't be able to access the intranet unless you're a valid member of the primary corporate LAN. And all of this is encapsulated within this protective bubble, away from the Internet and prying eyes.

Now this doesn't mean that a valid user won't print out a secure document and take it home, but this is another issue that's already been discussed in:

When you decide to host your intranet externally through a third-party hosting provider, however, you must expose your content and system to the hosting provider and potentially everyone who works there. This is not so much an issue of technology because any professional and experienced hosting provider used to dealing with corporate clients will have the necessary security mechanisms in place—firewall, data encryption, user authentication—and have run through all the security benchmarks to ensure that content is safe. This is more an issue of who's handling your content.

Whenever you place security of your intranet and content in someone else's hands you run the risk that they won't treat it with proper discretion. You can have them sign all the non-disclosure and confidentiality agreements you want, but nothing prevents an employee at the hosting provider who's unfamiliar with your content from accidentally putting sensitive information that should only be accessed by a few privileged users on an FTP server that allows anonymous log-ons. If this same thing were to happen on an internally hosted intranet, it would only be exposed to those within the company, not the entire Internet, since your system is sitting behind a firewall in a private network inaccessible by the outside world.

It's not that a third-party hosting provider intentionally means to do something malicious, but it's always safer to have those who know the content best handle this content. Sure, you can sit through meetings with the hosting provider and discuss what should be secure and what shouldn't, where everything should be stored, and how users can gain access to it, but you need to place a lot of trust in them to ensure that something doesn't slip through the cracks. And if it does, it won't only be exposed to those in the company, it will potentially be exposed to the entire Internet. Your only recourse at that point would be litigation, but that's a reactive measure; your information has already been compromised and the damage already done.

Another security issue that needs to be addressed is how valid intranet users will gain access to the system—in terms of content owners maintaining the system and users viewing the information. If the entire intranet is housed at a hosting service provider, it must be protected by more than a simple user name and password; it must have a more elaborate security mechanism since externally hosted intranets are exposed to the Internet. Anyone can try their hand at cracking it. Developing an intranet with sensitive information and then hosting it externally, outside the protection of your corporate LAN, is exactly like buying a safe to keep all your valuables and then leaving the safe on the front lawn rather than inside your locked and secured house.


Total Cost of Ownership

While in-house intranets may require more initial time, effort, and money—especially if you don't already have an intranet infrastructure in place—the total cost of ownership may end up being much higher when hosted externally.

Setting up an internal intranet infrastructure needs to be done only once. After it's been established, all subsequent intranet projects can simply make use of it at minimal costs. On the other hand, the costs of third-party hosting are perpetual, lasting for as long as you decide to host externally. These costs will accumulate in the long run and can include:

Hosting in-house also pays for itself. Money is spent to pay for something that you will eventually own. The hardware and software you acquire for in-house hosting can always be shared among multiple systems, therefore splitting up the costs among several departments or groups. If your intranet ever outgrows your current equipment, that equipment can always be "trickled down" and re-used for other purposes such as setting up a development and testing environment. However, the money spent for hosting externally is for a service; you're paying rent for something you'll never recoup.


The Questions You Need to Ask

Finding the right intranet hosting service provider requires a lot of homework; you don't want to be constantly moving because you find out after signing a contract agreement that they don't offer you the service and support you were expecting. So before you commit to placing your intranet and internal content in someone else's hands, you need to ask:


Final Thoughts

With so much Web freeware available for download on the Internet or software that's bundled into other packages, it may seem like hosting internally is a pretty simple affair. But hosting an intranet requires more than just a place to put your system; it requires an infrastructure—technology-wise and personnel-wise.

While hosting internally still provides intranet owners with the most freedom, control, and flexibility, if you're not set up to house one yourself, external third-party hosting may be your best option since it provides you with a ready-made home with an established security and network infrastructure. However, you need to realize that you're living under someone else's roof and subject to their rules, so you may find yourself taking cold showers for a while, waiting around for the hot water to be restored.


Copyright © 2004 Paul Chin. All rights reserved.
Reproduction of this article in whole or part in any form without prior written permission of Paul Chin is prohibited.