In Depth

Security: Cover Your ASP

Using an application service provider (ASP or MSP) means your computer application is running on someone else's server. Is the provider's security up to snuff? Better know which questions to ask.

By Malcolm Wheatley

January 01, 2004, CSO — Instead of buying licenses to run software on their own computers, a growing number of businesses are "renting" software hosted by application service providers (ASPs). That means the business is running on systems managed by a third party and accessed over a VPN or over the Internet. The upside: a generally accepted lower cost of ownership. Pay for what you need, when you need it, and let the ASP worry about pesky issues such as software upgrades. The downside? Potential security holes. Are the external servers and network links as secure as your own systems? If you are outsourcing an application that trucks in sensitive data (credit card numbers or consumer credit histories, say), that's a most critical question.

According to Mike Arnavutian, head of security strategy at BT Global Services (an arm of the company formerly known as British Telecom), any ASP his company would consider needs to meet some basic security standards: secure firewalls, authentication systems, antivirus software and a secure architecture. Physical aspects of security, such as a robust and well-practiced disaster plan, are also important, he adds. But it's the policies underpinning those security issues that are the most important and most overlooked potential security loopholes, Arnavutian says.

"Most ASPs are weakest on the development and maintenance of security policies," he says. But he doesn't blame the ASPs so much as the companies that use them. "A lot of the time, companies are being sold what they ask for, and if they don't ask about security policies, then they aren't going to be sold them," says Arnavutian. "If you don't have a security policy, you have no rules and procedures by which you can shape the behavior of people and control access to the network."

Typical of the details that probing an ASP about its security policies should reveal, he says, are such things as employee background checks. "It's not just asking, 'Are they carried out?' but instead asking, 'What checks are carried out on the people who might have access to my data?'" he says. BT, Arnavutian points out, must carry out positive security background investigations on all employees with access rights who work in data centers handling government projects. But the private sector doesn't automatically benefit from such checks: "We don't have the same level of vetting for all our data centers," he notes.

These days, throughout the world of business, managers in functions as diverse as accounting, human resources and marketing are seeing ways to boost their departments' productivity (and cut costs) by outsourcing some aspect of their operations to an ASP. But in the process, they're opening the door to potential security breaches. Is data held at one or more third-party locations as secure as data held on your own systems? How secure is the link between the ASP and your own systems? And are the people looking after your data doing it as diligently as would your own people? Those broad, high-level questions are easily posed. The detailed questions underpinning them, though, together with the answers, are much trickier. And by not asking their ASPs for enough details, many companies are in danger of seriously flubbing Infosecurity 101.

ASP, and Ye Shall Receive a Project

In fall 2001, Paul Saunders, a credit manager at The National Magazine Co. in London, complained to his bosses about the level of control that the company was able to exercise over the management of employee expenses. The result: He got handed a project to figure out if the company could outsource expense management to a third party instead, via an ASP.
