ASP's and security

By Michael Desrosiers
m3ip Inc.
Email: mdesrosiers@m3ipinc.com
Web Site: http://m3ipinc.com

This month's topic is application service providers (ASP) and secure computing practices.

A growing number of companies are using software hosted by application service providers. That means that business information is running on systems managed by a third party and accessed over a virtual private network (VPN) or over the Internet using Secure Sockets Layer (SSL).



On the plus side, there is generally a lower cost of ownership. Pay for what you need when you need it, and let the ASP worry about issues such as software upgrades and patch management. The downside is the potential security holes that this could open. Are the servers and networks as secure as your own systems? If you are outsourcing an application that deals with credit card numbers, consumer credit reports or a patient's medical records, these are critical issues that must be addressed.

In order to consider an ASP, they must meet some basic security standards: secure firewalls, authentication systems, antivirus software and a securely built infrastructure architecture. Physical aspects of security, such as a robust and well-practiced disaster plan, are also important. But it is the policies and procedures that are the most important and most overlooked aspect of information security. If you don't have a security policy, you have no rules and procedures by which you can shape the behavior of people and control access to the network. And by not asking their ASP for enough details, many companies are in danger of flunking Infosec 101.

There are no single or simple answers. The point is that a few simple yes and no questions won't generally get you enough information to know whether the ASP offers an appropriate level of security for your particular application. Here are some general questions that you should ask the ASP to provide some insight into their information security practices.

PHYSICAL SECURITY

Describe the physical security and disaster recovery procedures of the ASP's data center.

Who has physical access to the host servers?






NETWORK SECURITY

Are current industry standard firewalls deployed and where?

How does the ASP keep the software for the firewalls current?

Is administrative access to firewalls and other perimeter devices allowed only through secure methods or direct serial console access?

What protocols and services are allowed to traverse the network and firewall?

Does the ASP use intrusion detection systems (IDS)?

How long are IDS logs retained?

Are formal incident-response procedures in place, and are they regularly tested?

Does the ASP engage independent security services providers to perform ongoing audits and analysis of the environment?

SYSTEMS SECURITY

How are the operating systems updated?

Are vulnerability assessments performed against the systems?

Are file permissions set on an "as needed" basis?

How does the ASP track software vulnerabilities?

What is the procedure for installing software updates?

Are audit logs implemented on all systems that store or process critical information?

Are root and administrative commands logged?

What change control procedures are in place?

STAFF SECURITY

What are the credentials of the systems administration staff?

Are hosting staff onsite or on-call 24/7?

SECURITY POLICY

Describe the user account and password policy.

Do sessions automatically time out?

Are screen saver password mechanisms deployed on all employee workstations?

Are user accounts for consultants and temporary personnel created with expiration dates?

How are user accounts closed after termination?
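One way to check two of the account questions above (expiration dates on temporary accounts, and accounts left in place after their expiry date) against a shadow(5) file, as an added example that is not part of the original article; the sample shadow lines and the `contractor` naming prefix are constructed assumptions:

```python
"""Review shadow(5) entries for the account-expiry points on this checklist."""
from datetime import date, timedelta

# Constructed sample of /etc/shadow lines (not from a real system).
# Field order: name:hash:lastchg:min:max:warn:inactive:expire:flag
# The "expire" field is the account expiry as days since 1970-01-01.
SAMPLE_SHADOW = """\
root:$6$x:19700:0:99999:7:::
alice:$6$y:19700:0:90:7:::
contractor1:$6$z:19700:0:90:7::20000:
contractor2:$6$w:19700:0:90:7::19600:
contractor3:$6$v:19700:0:90:7:::
svc_backup:!:19700:0:99999:7:::
"""
EPOCH = date(1970, 1, 1)


def audit_shadow(text, today, temp_prefixes=("contractor",)):
    """Return findings keyed by category; 'today' is an ISO date string.

    no_expiry:             temporary accounts (by name prefix) with no expiry set
    expired_still_present: accounts whose expiry date has passed but still exist
    locked:                accounts whose password field is locked (! or *)
    """
    today = date.fromisoformat(today)
    findings = {"no_expiry": [], "expired_still_present": [], "locked": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        name, pw_hash, expire = fields[0], fields[1], fields[7]
        if pw_hash.startswith(("!", "*")):
            findings["locked"].append(name)
            continue
        if expire:
            if EPOCH + timedelta(days=int(expire)) < today:
                findings["expired_still_present"].append(name)
        elif name.startswith(temp_prefixes):
            findings["no_expiry"].append(name)
    return findings


if __name__ == "__main__":
    for category, names in audit_shadow(SAMPLE_SHADOW, "2024-06-01").items():
        print(f"{category}: {', '.join(names) or '-'}")
```

On a live host the same function can be fed the contents of /etc/shadow read as root; the prefix list is only a stand-in for whatever naming convention the ASP uses for contractor and temporary accounts.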

In closing, there are numerous concerns that must be addressed before you entrust an ASP with your most important electronic asset, your data. Please proceed with due diligence and caution.



Comments

---September 28, 2004

Not related to security, but: several times I have had clients consider ASP's only to discover that the promised savings were illusory - the monthly costs were much, much higher than doing it in house no matter how they did the numbers.

One of the things ASP providers overstate is support costs. I helped one client do a detailed analysis of this and pointed out that most of their support costs were for desktop and other local issues like printing issues that had nothing to do with the server app and wouldn't go away with the ASP. When we took all that out, the numbers tipped badly against the ASP.

They are also apt to accelerate upgrades to equipment and OS software. Maybe some people upgrade their server and OS every year, but most don't, and that shifts money out too.

ASP's fudge quite a bit :-)

--TonyLawrence

Maybe my eyes aren't what they used to be but I don't recall seeing anything mentioned about data backup. I know a "disaster policy" was mentioned, but the question would be are my files (assuming I'm an ASP subscriber) being backed up to removable media on a daily basis and where are the backups being stored? Also, how much trouble would I have to go through to get one or more files restored and how long would it take for a restoration request to be processed?

I tend to agree with Tony that the cost issue is often obfuscated by ASP providers. However, for me the biggest issue would be the loss of control. I don't think I'd ever want data that is important to the operation of my business to be controlled by some third party that may or may not be as concerned about security and reliability as me.

Lastly, if ASP is so great, don't you think that everyone would be using it? I personally view ASP as I do IEEE 1394 and SATA: technology "solutions" searching for a problem.

--BigDumbDinosaur

/MDesrosiers/mdaspsecurity.html copyright September 2004 Michael Desrosiers All Rights Reserved
