
Security and Your ASP

By Winn Schwartau, President and CEO of Interpact, Inc.

Just the other day, I listened to Floyd Rimcrust, the CIO of Big Financial Deals Corporation, tell his staff, "our security worries are now over!"

He boldly proclaimed that, "we are going to migrate our key services to an ASP, an application service provider. Now we can concentrate on our core business and not this piddling security interference." Rimcrust went on to explain that ASPs were going to revolutionize the way business is done, and the outsourcing of their application hosting was going to save them a ton of money. Not to mention that all of BFD's security woes would be relegated to an historical footnote.

The BFD staff silently nodded their agreement with their zealous leader while I openly cringed as Rimcrust piled more and more inane statements upon his equally ignorant foundations. "So what do you think? You do agree, don't you?" Rimcrust challenged me. In the desperate balance of maintaining brutal honesty and a client base, I said, "I've never heard anything so incomprehensibly ridiculous. No offense."

True, ASPs are the current hot button for re-engineering corporations in an attempt to outsource and streamline business processes. Cost savings, easier revision migrations and updates are the promise: time will tell if this vision holds true. However, security concerns do not disappear from your radar screen merely because a third party is taking over a piece of your infrastructure. In fact, quite the opposite is true.

In my Network World column of XXXXX, I discussed how the corporate perimeter is extending way past the traditional boundaries of the company's internal IT infrastructure. Business partners tie their networks to yours, which brings many security woes if improperly attached; migrating and roving employees and consultants connect from home and hotel, which also has many security implications.

So, now BFD Corp. (and many others) wants to outsource their applications to an ASP and thinks that security is an also-ran afterthought? I think not, Mr. Rimcrust! Security and ASPs: let me count the whys. Your desktops will connect via middleware to the ASP where your applications and data are housed. You will likely connect over the Internet. Security?

1. Authentication. You want to make absolutely sure that your desktop (or remote) user is absolutely, positively identified. Forget this password garbage as a prime means of user identification. You could choose to use one-time passwords and/or token generators like SecurID. Or, you extend your enterprise with PKI and appropriate certificate authorities of whatever flavor you prefer. Your ASP should be able to tie into your PKI environment with minimal hassle.

2. Your corporate data is now floating up and down the Internet in droves, to thousands of your employees. And it's naked. Do you really want that? Of course not. Cryptography is the answer here and can be implemented as part of your PKI, which ideally will tie into your ASP. In web-centric views, SSL is a reasonably simple approach, but the location of the middleware component is critical, especially considering the Internet as a transport medium.

3. In legacy systems, access control mechanisms mediate who can read/write data (records or fields). Your new ASP and your corporate security group need to ensure that your policy is enforced across your extended enterprise. You should be able to add/delete/modify user and group rights with ease.

4. How many back-doors to your ASP (and your data) are in place for maintenance, remote administration or other access? You need to examine this and understand the implications just as you would if the applications (and data) were still housed at your location.

5. Physical and logical connections of the ASP's backbone can have an impact upon your security, too. How 'dedicated' are the ASP's 'dedicated' circuits, backbones, servers and connectivity for your organization? How much sharing occurs within their infrastructure? Better to know now.

6. How does the ASP secure the operating systems on top of which your applications will function? Are they using a trusted O/S, or is it merely hardened? In NT clusters, how do they ensure the latest and greatest of the service packs are applied? How is the security extended through the middleware to you?

7. Firewalls, gateways and other isolation mechanisms are still necessary. Keep in mind that your intrinsic business functions and security needs haven't changed just because the systems are out of sight.

8. Backup procedures do not go away because you have outsourced your applications. Service contracts should be clear about standard protection mechanisms. IP communications redundancy becomes more critical as you rely upon the Internet for 100% operational availability. Make sure that you have both logical and physical redundancy; remember that a few blocks from your office, a number of lower-bandwidth cables often merge into a single high-bandwidth cable.

No, Mr. Rimcrust, your BFD Corp. security problems do not go away because you write a check every month to a third party supplier. If anything, you can and should concentrate on your security even more because you are extending your enterprise, broadening its perimeter, including the Internet as part of your networks and adding an entirely new infrastructure to your existing one.

Make sure that your ASPs take your security as seriously as you do - or maybe even more so. Your business depends on it.

Copyright © 2000-2001 Interpact, Inc. All Rights Reserved