Security and Your ASP
By Winn Schwartau, President and CEO of Interpact, Inc.
The other day, I listened to Floyd Rimcrust, the CIO of Big Financial
Deals Corporation, tell his staff, "our security worries are now
boldly proclaimed that, "we are going to migrate our key services
to an ASP, an application service provider. Now we can concentrate
on our core business and not this piddling security interference."
Rimcrust went on to explain that ASPs were going to revolutionize
the way business is done, and the outsourcing of their application
hosting was going to save them a ton of money. Not to mention that
all of BFD's security woes would be relegated to an historical footnote.
BFD staff silently nodded their agreement with their zealous leader
while I openly cringed as Rimcrust piled more and more inane statements
upon his equally ignorant foundations. "So what do you think? You
do agree, don't you?" Rimcrust challenged me. In the desperate balance
of maintaining brutal honesty and a client base, I said, "I've never
heard anything so incomprehensibly ridiculous. No offense."
ASPs are the current hot button for re-engineering corporations
in an attempt to outsource and streamline business processes. Cost
savings, easier revision migrations and updates are the promise:
time will tell if this vision holds true. However, security concerns
do not disappear from your radar screen merely because a third party
is taking over a piece of your infrastructure. In fact, quite the
opposite is true.
In my Network World column of XXXXX, I discussed how the corporate
perimeter is extending way past the traditional boundaries of the
company's internal IT infrastructure. Business partners tie their
networks to yours, which brings many security woes if improperly
attached; migrating and roving employees and consultants connect
from home and hotel which also has many security implications.
Now BFD Corp. (and many others) wants to outsource its applications
to an ASP and thinks that security is an also-ran afterthought?
I think not, Mr. Rimcrust! Security and ASPs: let me count the whys.
Your desktops will connect via middle-ware to the ASP where your
applications and data are housed. You will likely connect over the
Authentication. You want to make absolutely sure that your desktop
(or remote) user is absolutely, positively identified. Forget this
password garbage as a prime means of User_ID. You could choose to
use one-time passwords and/or token generators like SecurID. Or,
you extend your enterprise with PKI and appropriate certificate
authorities of whatever flavor you prefer. Your ASP should be able
to tie into your PKI environment with minimal hassle.
Your corporate data is now floating up and down the Internet by
the droves, to thousands of your employees. And it's naked. Do you
really want that? Of course not. Cryptography is the answer here
and can be implemented as part of your PKI which ideally will tie
into your ASP. In web-centric views, SSL is a reasonably simple
approach but the location of the middle-ware component is critical,
especially considering the Internet as a transport medium.
In legacy systems, access control mechanisms mediate who can read/write
data (records or fields). Your new ASP and your corporate security
group need to ensure that your policy is enforced across your extended
enterprise. You should be able to add/delete/modify user and group
rights with ease.
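As an added illustration (not code from the column), a small field-level access-control policy in Python: rights on a (record type, field) pair are granted to users or groups, the add/delete/modify operations are ordinary data updates, and the same policy object can be evaluated wherever the data is fronted, in-house or at the ASP's middle-ware. All users, groups, fields and record values are constructed sample data.

```python
from dataclasses import dataclass, field

READ, WRITE = "read", "write"


@dataclass
class Policy:
    """Rights are held per (principal, record type, field); anything not granted is denied."""
    members: dict = field(default_factory=dict)  # user -> set of group names
    grants: dict = field(default_factory=dict)   # (principal, record_type, field) -> set of rights

    # Administration: the add/delete/modify operations the column asks for.
    def add_member(self, user, group):
        self.members.setdefault(user, set()).add(group)

    def remove_member(self, user, group):
        self.members.get(user, set()).discard(group)

    def grant(self, principal, record_type, fld, *rights):
        self.grants.setdefault((principal, record_type, fld), set()).update(rights)

    def revoke(self, principal, record_type, fld, *rights):
        self.grants.get((principal, record_type, fld), set()).difference_update(rights)

    # Enforcement: run by whoever serves the data, in-house or at the ASP.
    def allowed(self, user, right, record_type, fld):
        principals = {user} | self.members.get(user, set())
        return any(right in self.grants.get((p, record_type, fld), ()) for p in principals)

    def read_view(self, user, record_type, record):
        """Return only the fields the user may read; ungranted fields are dropped."""
        return {k: v for k, v in record.items() if self.allowed(user, READ, record_type, k)}

    def apply_update(self, user, record_type, record, changes):
        """Apply changes only if every touched field is writable; otherwise refuse the whole update."""
        refused = [k for k in changes if not self.allowed(user, WRITE, record_type, k)]
        if refused:
            raise PermissionError(f"{user} may not write {record_type} fields {refused}")
        record.update(changes)
        return record


def build_sample_policy():
    # Constructed sample: a customer record whose credit limit only credit officers may see or change.
    p = Policy()
    p.add_member("alice", "tellers")
    p.add_member("bob", "credit-officers")
    p.grant("tellers", "customer", "name", READ)
    p.grant("tellers", "customer", "address", READ, WRITE)
    p.grant("credit-officers", "customer", "name", READ)
    p.grant("credit-officers", "customer", "credit_limit", READ, WRITE)
    return p
```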
How many back-doors to your ASP (and your data) are in place for
maintenance, remote administration or other access? You need to
examine this and understand the implications just as you would if
the applications (and data) were still housed at your location.
Physical and logical connections of the ASP's backbone can have
an impact upon your security, too. How 'dedicated' are the ASP's
'dedicated' circuits, backbones, servers and connectivity for your
organization? How much sharing occurs within their infrastructure?
Better to know now.
How does the ASP secure their operating systems on top of which
your applications will function? Are they using a trusted O/S or
is it merely hardened? In NT clusters, how do they ensure the latest
and greatest of the service packs? How is the security extended
through the middle-ware to you?
Firewalls, gateways and other isolation mechanisms are still necessary.
Keep in mind that your intrinsic business functions and security
needs haven't changed just because the systems are out of sight.
Backup procedures do not go away because you have outsourced your
applications. Service contracts should be clear about standard protection
mechanisms. IP communications redundancy becomes more critical as
you rely upon the Internet for 100% operational status. Make
sure that you have both logical and physical redundancy; remember
that a few blocks from your office, a number of lower bandwidth
cables often merge to a single high bandwidth cable.
Mr. Rimcrust, your BFD Corp. security problems do not go away because
you write a check every month to a third party supplier. If anything,
you can and should concentrate on your security even more because
you are extending your enterprise, broadening its perimeter, including
the Internet as part of your networks and adding an entirely new
infrastructure to your existing one.
Make sure that your ASPs take your security as seriously as you do -
or maybe even more so. Your business depends on it.
© 2000-2001 Interpact, Inc. All Rights Reserved