This month's topic is application service providers (ASP) and secure computing practices.
A growing number of companies are using software hosted by application service providers. That means business information is running on systems managed by a third party and accessed over a virtual private network (VPN) or over the Internet using Secure Sockets Layer (SSL).
On the plus side it is generally a lower cost of ownership. Pay for what you need when you need it, and let the ASP worry about issues such as software upgrades and patch management. The downside is the potential security holes that this could pose. Are the servers and networks as secure as your own systems? If you are outsourcing an application that deals with credit card numbers or consumer credit reports or a patient's medical records, these are critical issues that must be addressed.
In order to be considered, an ASP must meet some basic security standards: properly configured firewalls, authentication systems, antivirus software and a securely built infrastructure architecture. Physical aspects of security, such as a robust and well-practiced disaster plan, are also important. But it is the policies and procedures that are the most important and most overlooked aspect of information security. If you don't have a security policy, you have no rules and procedures by which you can shape the behavior of people and control access to the network. And by not asking their ASP for enough details, many companies are in danger of flunking Infosec 101.
There are no single or simple answers. The point is that a few simple yes and no questions won't generally get you enough information to know whether the ASP offers an appropriate level of security for your particular application. Here are some general questions that you should ask the ASP to provide some insight into their information security practices.
Describe the physical security and disaster recovery procedures of the ASP's data center.
Who has physical access to the host servers?
Are current industry standard firewalls deployed and where?
How does the ASP keep the software for the firewalls current?
Is administrative access to firewalls and other perimeter devices allowed only through secure methods (encrypted management sessions or direct-access serial console ports)?
What protocols and services are allowed to traverse the network and firewall?
Does the ASP use intrusion detection systems (IDS)?
How long are IDS logs retained?
Are formal incident-response procedures in place, and are they regularly tested?
Does the ASP engage independent security services providers to perform ongoing audits and analysis of the environment?
How are the operating systems updated?
Are vulnerability assessments performed against the systems?
Are file permissions set on an "as needed" basis?
How does the ASP track software vulnerabilities?
What is the procedure for installing software updates?
Are audit logs implemented on all systems that store or process critical information?
Are root and administrative commands logged?
What change control procedures are in place?
What are the credentials of the systems administration staff?
Are hosting staff onsite or on-call 24/7?
Describe the user account and password policy.
Do sessions automatically time out?
Are screen saver password mechanisms deployed on all employee workstations?
Are user accounts for consultants and temporary personnel created with expiration dates?
How are user accounts closed after termination?
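The account and password questions above are best settled with evidence rather than a yes or no. One artifact an ASP can hand over is an /etc/shadow export for the hosts that run your application, which records password aging and account expiration per user. The script below is an added example, not code from the original column; it assumes such an export plus lists of which accounts belong to contractors and which users have been terminated (all three inputs are constructed sample data), and the 180-day limit on contractor access is an assumed policy threshold, not something the column prescribes.

```python
"""Audit account-lifecycle evidence from a Linux /etc/shadow export.

Checks performed (each maps to one of the questions above):
  * contractor and temp accounts carry an expiration date
  * that expiration date is not unreasonably far in the future
  * terminated users' accounts are actually locked
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

EPOCH = date(1970, 1, 1)
MAX_CONTRACTOR_DAYS = 180  # assumed policy threshold for temporary access

# Constructed sample export. Field order in /etc/shadow is:
# name:hash:lastchanged:min:max:warn:inactive:expire:reserved
# (day counts are days since 1970-01-01; "!" or "*" in the hash field = locked)
SAMPLE_SHADOW = """\
root:$6$saltsalt$fakehashfakehash:19400:0:99999:7:::
alice:$6$saltsalt$fakehashfakehash:19700:1:90:14:::
contractor1:$6$saltsalt$fakehashfakehash:19700:1:90:14::19800:
contractor2:$6$saltsalt$fakehashfakehash:19700:1:90:14:::
contractor3:$6$saltsalt$fakehashfakehash:19700:1:90:14::20500:
bob:!$6$saltsalt$fakehashfakehash:19600:0:99999:7:::
carol:$6$saltsalt$fakehashfakehash:19600:0:99999:7:::
"""
SAMPLE_CONTRACTORS = {"contractor1", "contractor2", "contractor3"}  # constructed
SAMPLE_TERMINATED = {"bob", "carol"}                                 # constructed


@dataclass
class AccountRecord:
    name: str
    locked: bool
    expire: Optional[date]  # None when the expire field is empty


def parse_shadow(text: str) -> List[AccountRecord]:
    """Parse shadow-format lines into records; skips blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 8:
            raise ValueError(f"malformed shadow line: {line!r}")
        name, pw_hash, expire_field = fields[0], fields[1], fields[7]
        locked = pw_hash.startswith(("!", "*"))
        expire = EPOCH + timedelta(days=int(expire_field)) if expire_field else None
        records.append(AccountRecord(name, locked, expire))
    return records


def audit_accounts(shadow_text: str, contractors: Set[str],
                   terminated: Set[str], today: date) -> List[Tuple[str, str]]:
    """Return (account, issue) findings; an empty list means all checks passed."""
    findings = []
    for rec in parse_shadow(shadow_text):
        if rec.name in terminated and not rec.locked:
            findings.append((rec.name, "terminated user still has an active login"))
            continue
        if rec.locked:
            continue  # locked accounts cannot log in; nothing further to check
        if rec.name in contractors:
            if rec.expire is None:
                findings.append((rec.name, "contractor account has no expiration date"))
            else:
                days_out = (rec.expire - today).days
                if days_out > MAX_CONTRACTOR_DAYS:
                    findings.append((rec.name,
                                     f"contractor expiration is {days_out} days out "
                                     f"(limit {MAX_CONTRACTOR_DAYS})"))
    return findings


if __name__ == "__main__":
    for account, issue in audit_accounts(SAMPLE_SHADOW, SAMPLE_CONTRACTORS,
                                         SAMPLE_TERMINATED, date(2024, 1, 1)):
        print(f"{account}: {issue}")
```

Running it against the sample data reports contractor2 (no expiry), contractor3 (expiry 777 days out) and carol (terminated but not locked); root, alice, contractor1 and the locked bob account pass. The same three checks can be re-run against a fresh export at each review, which turns the questions about expiration dates and termination handling into something you can verify rather than take on trust.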
In closing, there are numerous concerns that must be addressed before you entrust an ASP with your most important electronic asset, your data. Please proceed with due diligence and caution.
Got something to add? Send me email.
© 2011-05-01 Michael Desrosiers