Security still top issue for using an ASP

CIOs often worry about outsourcing critical applications. In particular, many IT executives question the ability of ASPs to protect sensitive data. In this article, Bob Weinstein shows you how to evaluate your ASP's security standards.

Application service providers (ASPs) have proven themselves and endured the test of time. The industry grew rapidly, endured a shakeout, and consolidated. Now, even ASP critics say it’s passed its infancy. Yet the industry is not out of the woods. ASPs still face big problems, the biggest of which is convincing potential customers their data is secure, more secure than hosting it in-house. Decision makers are uptight—for good reason. A bad decision could mean the end of a promising management career.

Paul McNabb, senior vice president and CTO of Argus Systems Group, Inc., a security products company in Champaign, IL, says three questions keep CIOs awake at night:
  • Can an ASP protect data?
  • Can I trust an ASP?
  • Would my data be safer in-house?

Part of the reluctance to try an ASP is that many cautious CIOs still consider it unproven technology and the new kid on the block. McNabb likens the apprehension to late 19th century fear of depositing hard-earned savings and important documents in banks. “Concerns were legitimate, and it took several years before people pulled their money out of their mattresses and turned it over to banks,” he says. “Those early skeptics didn’t know their money was a lot safer in a bank vault than it was stashed under a mattress.”

The same rationale applies to outsourcing applications to an ASP. “Data is safer in a well-controlled external environment (the ASP) than in an internal environment,” says Richard Brock, CEO of Atlanta-based Firstwave Technologies, Inc., and founding chairman of the Technology Association of Georgia. Brock says, “The person most likely to steal data is a current employee. Approximately 75 percent to 80 percent of security breaches come from within an organization rather than from hackers on the outside.”

The limitations of firewalls
One of the myths that reliable ASPs debunk about security is that firewalls are the best deterrent for safeguarding data and keeping hackers at bay. If an ASP CEO tells you that, head for the door.

McNabb stresses the importance of understanding what firewalls can and cannot do. “Even though many ASPs think they have ‘secure firewalls,’ low-level hackers can easily gain entry to data and files,” explains Paul Slavin, cochairman of the ASP Industry Consortium, an educational and trade association for the ASP industry in Framingham, MA. “Seasoned ASP CEOs admit the most advanced firewalls are not solving the security conundrum. Firewalls manage traffic to the Internet while preventing access into your network from the outside. Open a hole in your firewall for inbound access and you've opened the door to hackers.”

McNabb agrees. “Firewalls restrict the types of traffic flowing from the Internet,” he says. “But firewalls are designed to let people into a site. All you need is a password or code. Firewalls just filter out some kinds of traffic.”

Finding an ASP consultant
The challenge in hiring an independent technology consultant is finding one who is highly qualified and not only understands ASP technology but has created and debugged it. Beyond using your own industry network, consider contacting the Computer Security Institute and the International Association for Computer Systems Security for referrals.

It’s easy to get an access code, especially to a bank, for example. An average hacker can open an account for a few dollars and get into the site with a username. Then, he or she is free to roam the corridors of the site, steal money, destroy accounts, and create all kinds of havoc. A hacker can do similar damage to a brokerage house with a large online presence. All it takes is an account number and a username to get through a firewall. “Once hackers have crossed a firewall, they’ve gone through the intrusion system and are hard to stop,” adds McNabb.

“To secure and monitor your enterprise, you need to know every vulnerability that can be exploited internally and externally,” explains Will Chan, vice president of training at Foundstone, Inc., a security services and training company in Irvine, CA. “Attackers no longer need back doors or sophisticated tools to compromise a system. The way into a network is often right through the lobby.” All you need is a security code to get you past the guard (the firewall).

How to evaluate ASP security
You don’t need to know all the complex technical details, but you must find out how the ASP will secure your data. “There are many types of threats against a site, and no single product on the market can protect it,” McNabb explains. “If an ASP boasts a panacea product, I’d be real suspicious because it doesn’t exist.”

Your goal is to secure the data on a server. Encryption protects confidential data as it moves from one point to another by scrambling it so that hackers who intercept it cannot read it or pick out a code or password. “A number of sophisticated security products also allow you to create a unique environment for users sharing an application on an ASP server,” says Slavin. ASP security experts recommend proven operating systems and endorse security software that logs and reviews events so problems are caught early.

How do you pick an ASP that will secure your data appropriately? Start by speaking to several ASPs and showering them with questions. McNabb offers the following advice.
  • First, meet the ASP’s security team and find out about their qualifications. If they have Computer System Security Professional (CSSP) certification, all the better.
  • Second, find out exactly what they will do to secure your data (what security processes and procedures are in place).
  • Third, ask what fail-safe mechanisms they have (backup servers should their system be compromised). If there is an intrusion, what happens? If an ASP has to figure out what has to be done, chances are hackers have already penetrated the system and done their dirty work.
  • Fourth, speak to past and present customers to find out what services the ASP provided and whether they were satisfied. (I’d be reluctant to only call customers given to you by the ASP. Naturally, they’re going to offer glowing endorsements.)
  • Fifth, consider using an independent ASP consultant to evaluate whether the ASP best meets your needs.

You can’t be too careful. A poor choice could put a serious crimp in your company’s performance. A disaster could wipe out critical information. If that’s not pause for thought, I don’t know what is.
