Security Issues Take Center Stage When it Comes to ASPs

Imagine it: A cost-efficient information system that handles your payroll, benefits, accounting, and other HR functions while you only pay for the software you need. A system that doesn’t require the hiring of extra IT staff to manage key functions.

A system that lets your business focus on what it does best while someone else worries about upgrading to the latest software. You can stop wishing. Such systems are here, in the form of Web-based outsourcing companies known as application service providers (ASPs). International Data Corporation sees Web-based outsourcing through ASPs as a $2 billion market within the next three years.

Both Microsoft and Oracle are reconfiguring key software to make it possible for you to work with ASPs over the Internet.

But ASPs have a downside: a nagging worry that priceless information could be compromised by entrusting it to a third party. It’s a rough world out there.

The Love Bug and related viruses can play tricks on your operating system. Credit card numbers pop up on illicit Web sites and computer break-ins make headline news. Security experts agree that these fears are well founded, though not for the reasons most people think.

Despite public perceptions, sending your information over the Web is perfectly safe. “The Internet is not a party line,” says Peter S. Tippett, chief technologist at ICSA.net, a global provider of computer security assurance and certification services.

“The risk of being intercepted is not even in the top 1,000 concerns for companies today. Web sites make a point of using encryption to guard against a problem we do not have.”

Issues like these are ICSA.net’s bread and butter. The company once worked with MCI to collect data (at the behest of the FBI) from a particular address as it moved over the Net. The project involved building a so-called “sniffer” to capture such data on disk.

At then-current Net backbone speeds, it proved impossible to collect anything more than the message headers for all that traffic.

Since then, the speed of the Net’s backbone has increased by a factor of 64.

“Getting data where it’s going,” adds Tippett, “is an entirely secure proposition.” A case in point: ICSA.net has verified with all major credit card companies, security firms, numerous banks, and law-enforcement agencies the number of cases in which credit card information was intercepted over the Internet.

The answer: none. Ever. The real security issue when dealing with an ASP is much closer to home. It involves locking down security inside your own company and ensuring that your ASP does the same. When problems occur, it’s at either end of the data transmission, and it’s clear that on that score, both companies and the ASPs they use have a lot to think about.

We’re no longer living in a world where security means keeping a mainframe computer in a protected room. The advent of PC networks has changed everything. “We started moving our information onto PCs as an afterthought,” says Randall Bennett, president of Secure Enterprise Computing, a security consulting and implementation firm based in Cary, North Carolina.

“All of a sudden we network these together and they’re on the backbone with our mainframes and the Internet at large. The technology has moved too quickly ahead of the security model, and now companies have to play catch-up.”

And as Frank Prince notes, the Net keeps changing the equation. A senior analyst in e-business infrastructure at Forrester Research, Prince says that extending company operations to an ASP should make management more security conscious than ever.

“The Internet has lowered the threshold for doing things people might have done anyway,” he says. “Twenty years ago, if you wanted to steal the design for a new truck, you’d have to roll up the blueprints, put them under your arm, and carry them out. Ten years ago, you’d copy them onto a floppy and stick them in your pocket. Today, you can simply attach them to an e-mail message.”

It’s here that we leave the realm of the theoretical and roll up our sleeves. When you choose to outsource, it’s up to you to evaluate security at your ASP’s site, Secure Enterprise’s Bennett says. That usually means a visit to the ASP home base and a thoroughgoing examination of its policies, physical security, and network procedures.

“When you use an ASP, they have become your partner,” says Bennett. “That’s what connectivity is all about. You’ve got to treat an ASP the same way, and with the same diligence, as you treat your own internal IT department.”

Start with physical security. You should ask questions about where the company keeps its servers. Are they in a properly secured area, or in a place accessible to anyone clever enough to crack a password and gain access to a machine? Disaster recovery is likewise critical. A firm isn’t secure if it loses its files because its ASP doesn’t have sufficient backups to survive a disaster.

The better ASPs know that security is critical and take active measures to protect their information. One such company is Spectrum Human Resource Systems Corporation, a Denver-based ASP with a set of Web-based tools developed in-house for the HR market.

The firm provides software for HR management, benefits administration and training and development, along with related services in data conversion, data transfer, system planning, and implementation and support services.

According to president and CEO Jim Spoor, the Spectrum facility is protected against power loss, tightly secured against intrusion, and located near a major Internet backbone network.

“We have an extremely secure facility,” Spoor says, “one that is secured with not just passwords but also biometric systems that can read your handprint. We also require photo ID onsite, and people dealing with your account must use ‘smart cards’ or key fobs — forms of authentication that guarantee you are who you say you are.”

Authentication is a system that recognizes and verifies the identity of a user. A smart card has an embedded computer chip that can verify a user’s identity. A “token,” often in the form of a key fob with displayable digits, provides a constantly updated set of numbers that the user enters to complete his log-on to the network. Because the numbers change so quickly, even a person with a password can’t gain access without the token itself.

But not all problems come from inside a company. In an Internet-connected world, ASPs can be vulnerable to attacks from the outside, as can the corporations they serve. A hacker breaking into a company database can uncover a rich harvest of passwords and other sensitive information. In fact, more than half of stolen credit card numbers are now being swiped by hackers attacking corporate databases, says ICSA.net’s Tippett. That puts a premium on securing all possible points of entry and making sure they stay shut.

One answer is to install firewalls — hardware or software that restricts internal traffic to the private network — but computer-savvy thieves sometimes get through anyway. “When you put in a firewall, everything is closed,” says Secure Enterprise’s Bennett. “You have to start opening ports to let things happen if you want to do e-mail or browse the Web. So I may have created a choke point at the firewall, but as I open more doors to the outside, I may be creating a channel for intruders to use.”

For that matter, external attacks can shut down a company’s mail servers, as was demonstrated by recent attacks on some of the Internet’s biggest sites — Yahoo!, eBay, CNN.com, and Amazon.com — using a technique called distributed denial of service, or DDoS.

In this scenario, hackers use software to bombard computers with requests for service, which can quickly bring big systems to a crawl. These attacks depend on vulnerabilities in the sites they’re attacking and the servers that unwitting owners have left insecure enough to participate in the assault.

EmployeeService.com is a San Francisco-based ASP that has worked with crack teams of intruders (“the same spooks who crack systems for the CIA,” says CEO Jay Whitehead) to locate holes in its system and plug them. And so far, so good. Even the Love Bug, the widespread virus that shut down mail servers at many companies and caused billions of dollars of lost productivity worldwide, only created a problem in one server. That problem was quickly fixed, according to Whitehead.

Companies also should check ASP internal policies to make sure that they’re not selling clients’ private data, Whitehead says.

When Internet advertising firm DoubleClick was discovered linking anonymous user information to actual names and addresses, the resulting controversy alarmed privacy-minded computer users and showed the potential for the abuse of information assumed to be private. Whitehead recommends asking ASPs about both data selling and the creation of “cookies” that track a user’s progress through Web sites.

In a world where technology changes by the month and sometimes by the day, constant vigilance is critical. Potential clients should check security audits at the ASP they’re evaluating, says Carl Bennett, director of e-business for Application Outfitters, a consulting and implementation firm based in Linthicum, Maryland.

“Visit the ASP site and examine how they do business. Make sure they are up to speed with all current patches for their software. Many companies have really been too trusting in their dealings with ASPs, and it will pay to demand thorough and conscientious security.”

Software patches can fix potential security holes, and because they’re issued regularly, companies need to have procedures in place for seeing that they’re used. Hardware changes must also be tracked. Every time an administrator adds a node to the network or an employee installs a modem to access an outside line to the Internet, a potential vulnerability has been created. Security specialists agree that companies need checklists to control how devices are configured and added across the network.

And make no assumptions about the time it takes to evaluate an ASP. As Cendant Corp. has found, even a simple transaction with an outside provider can raise more issues than anyone had expected.

When the company, a global provider of real estate, travel, and direct marketing- related consumer and business services, chose to work with an ASP to provide an employee-discount Web portal, the risk seemed low. After all, the only information required for entry to the site for Cendant employees was a user identification, a password, and the employee’s name.

But how to set up the passwords? Freddye Silverman, vice president of human-resource management systems for the company, says the rules used to create them quickly became an issue inside Cendant. Its information-protection team wanted completely random passwords, rather than passwords created by plugging in employee-specific identifiers like initials or the last digits of a social security number. The HR team, meanwhile, argued that setting such passwords for all 30,000 employees was unnecessary.

The ensuing debate about passwords for an ASP-based benefits and enrollment package finally ended in the vendor accepting the responsibility for generating the necessary passwords. But the point was made. Adapting internal processes to third-party providers takes a lot of planning. “We’re just writing policy and rules as we go along,” says Silverman, “and that’s where a lot of companies are as they begin to explore this ASP picture. This is happening everywhere.”

In the frantic world of Internet time, getting to market fast has proven to be a successful strategy, but it leaves ASP clients vulnerable as outsourcing companies rush to bring their security up to speed. In that environment, demanding and verifying tight security from potential ASPs is not just common sense — it’s a necessary survival tactic.