This month's topic is application service providers (ASP) and secure computing practices.
A growing number of companies are using software hosted by application service providers. That means business data is processed on systems managed by a third party and accessed over a virtual private network (VPN) or over the Internet using Secure Sockets Layer (SSL).
On the plus side, the total cost of ownership is generally lower. Pay for what you need when you need it, and let the ASP worry about issues such as software upgrades and patch management. The downside is the potential security holes this introduces. Are the servers and networks as secure as your own systems? If you are outsourcing an application that deals with credit card numbers, consumer credit reports or patients' medical records, these are critical issues that must be addressed.
Before you consider an ASP, it must meet some basic security standards: properly configured firewalls, authentication systems, antivirus software and a securely built infrastructure architecture. Physical aspects of security, such as a robust and well-practiced disaster plan, are also important. But it is the policies and procedures that are the most important and most overlooked aspect of information security. Without a security policy there are no rules and procedures by which to shape the behavior of people and control access to the network. And by not asking their ASP for enough details, many companies are in danger of flunking Infosec 101.
There are no single or simple answers. The point is that a few yes-or-no questions will not generally give you enough information to know whether the ASP offers an appropriate level of security for your particular application. Here are some general questions you should ask the ASP to gain insight into its information security practices.
PHYSICAL SECURITY
Describe the physical security and disaster recovery procedures of the ASP's data center.
Who has physical access to the host servers?
NETWORK SECURITY
Are current industry standard firewalls deployed and where?
How does the ASP keep the software for the firewalls current?
Is administrative access to firewalls and other perimeter devices allowed only through secure methods or direct-access serial ports?
What protocols and services are allowed to traverse the network and firewall?
Does the ASP use intrusion detection systems (IDS)?
How long are IDS logs retained?
Are formal incident-response procedures in place, and are they regularly tested?
Does the ASP engage independent security services providers to perform ongoing audits and analysis of the environment?
SYSTEMS SECURITY
How are the operating systems updated?
Are vulnerability assessments performed against the systems?
Are file permissions set on an "as needed" basis?
How does the ASP track software vulnerabilities?
What is the procedure for installing software updates?
Are audit logs implemented on all systems that store or process critical information?
Are root and administrative commands logged?
What change control procedures are in place?
STAFF SECURITY
What are the credentials of the systems administration staff?
Are hosting staff onsite or on-call 24/7?
SECURITY POLICY
Describe the user account and password policy.
Do sessions automatically time out?
Are screen saver password mechanisms deployed on all employee workstations?
Are user accounts for consultants and temporary personnel created with expiration dates?
How are user accounts closed after termination?
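As an added example that is not part of the article, a small shell audit covering the last two questions above: it reads a shadow-format account file and reports temporary accounts with no expiration date, and accounts whose expiration date has passed but whose password is not locked. It assumes temporary and consultant accounts use a "tmp-" or "con-" name prefix and runs against a constructed sample rather than a real /etc/shadow.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a shadow-format
# account file for (a) temporary/consultant accounts with no expiration date
# and (b) accounts whose expiration date has passed but whose password hash
# is not locked. Assumption: temporary accounts use a "tmp-" or "con-" prefix.
# Shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# ("expire" is days since 1970-01-01; an empty field means never expires).

# Constructed sample data (placeholder hashes, not a real /etc/shadow).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:$6$s1$constructedhash:12600:0:99999:7:::
alice:$6$s2$constructedhash:12600:0:99999:7:::
tmp-jdoe:$6$s3$constructedhash:12650:0:99999:7:::
con-asmith:$6$s4$constructedhash:12500:0:99999:7::12620:
con-bwong:!:12500:0:99999:7::12620:
tmp-kli:$6$s5$constructedhash:12660:0:99999:7::12720:
EOF

# audit_accounts FILE TODAY
#   TODAY is the current day number (days since 1970-01-01), passed in so the
#   check is deterministic; on a live system use $(( $(date +%s) / 86400 )).
audit_accounts() {
  awk -F: -v today="$2" '
    # temporary account with an empty expiration field
    $1 ~ /^(tmp|con)-/ && $8 == "" { print "NO_EXPIRY " $1 }
    # expiration date already passed, yet the password hash is not locked
    $8 != "" && $8 + 0 < today + 0 && $2 !~ /^[!*]/ {
      print "EXPIRED_NOT_LOCKED " $1
    }
  ' "$1"
}

# Day 12689 is 2004-09-28 (constructed reference date matching this page).
audit_accounts "$SAMPLE" 12689
```

The expected report is two lines: tmp-jdoe has no expiration date, and con-asmith has expired but is still unlocked; con-bwong is expired but locked, so it is not reported.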
In closing, there are numerous concerns that must be addressed before you entrust an ASP with your most important electronic asset, your data. Please proceed with due diligence and caution.
/MDesrosiers/mdaspsecurity.html copyright September 2004 Michael Desrosiers All Rights Reserved
---September 28, 2004
Not related to security, but: several times I have had clients consider ASPs only to discover that the promised savings were illusory - the monthly costs were much, much higher than doing it in house no matter how they did the numbers.
One of the things ASP providers overstate is support costs. I helped one client do a detailed analysis of this and pointed out that most of their support costs were for desktop and other local issues like printing issues that had nothing to do with the server app and wouldn't go away with the ASP. When we took all that out, the numbers tipped badly against the ASP.
They are also apt to accelerate upgrades to equipment and OS software. Maybe some people upgrade their server and OS every year, but most don't, and that shifts money out too.
ASPs fudge quite a bit :-)
--TonyLawrence