APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

© September 2004 Michael Desrosiers

ASPs and security

Web Site: https://m3ipinc.com

This month's topic is application service providers (ASP) and secure computing practices.

A growing number of companies are using software hosted by application service providers. That means that business information is running on systems managed by a third party and accessed over a virtual private network (VPN) or over the Internet using Secure Sockets Layer (SSL).

On the plus side, the total cost of ownership is generally lower. You pay for what you need when you need it, and let the ASP worry about issues such as software upgrades and patch management. The downside is the potential security holes this could open. Are the ASP's servers and networks as secure as your own systems? If you are outsourcing an application that handles credit card numbers, consumer credit reports or patients' medical records, these are critical issues that must be addressed.

Before you consider an ASP, it must meet some basic security standards: properly configured firewalls, authentication systems, antivirus software and a securely built infrastructure architecture. Physical aspects of security, such as a robust and well-practiced disaster recovery plan, are also important. But it is the policies and procedures that are the most important and most overlooked aspect of information security. If the ASP has no security policy, it has no rules and procedures by which it can shape the behavior of its people and control access to its network. And by not asking their ASP for enough details, many companies are in danger of flunking Infosec 101.

There are no single or simple answers. The point is that a few simple yes-or-no questions won't generally get you enough information to know whether the ASP offers an appropriate level of security for your particular application. Here are some general questions you should ask the ASP to gain some insight into its information security practices.


Describe the physical security and disaster recovery procedures of the ASP's data center.

Who has physical access to the host servers?


Are current industry standard firewalls deployed and where?

How does the ASP keep the software for the firewalls current?

Is administrative access to firewalls and other perimeter devices allowed only through secure methods or direct access serial ports?

What protocols and services are allowed to traverse the network and firewall?

Does the ASP use intrusion detection systems (IDS)?

How long are IDS logs retained?

Are formal incident-response procedures in place, and are they regularly tested?

Does the ASP engage independent security services providers to perform ongoing audits and analysis of the environment?


How are the operating systems updated?

Are vulnerability assessments performed against the systems?

Are file permissions set on an "as needed" basis?

How does the ASP track software vulnerabilities?

What is the procedure for installing software updates?

Are audit logs implemented on all systems that store or process critical information?

Are root and administrative commands logged?

What change control procedures are in place?


What are the credentials of the systems administration staff?

Are hosting staff onsite or on-call 24/7?


Describe the user account and password policy.

Do sessions automatically time out?

Are screen saver password mechanisms deployed on all employee workstations?

Are user accounts for consultants and temporary personnel created with expiration dates?

How are user accounts closed after termination?

In closing, there are numerous concerns that must be addressed before you entrust an ASP with your most important electronic asset, your data. Please proceed with due diligence and caution.


---September 28, 2004

Not related to security, but: several times I have had clients consider ASPs only to discover that the promised savings were illusory - the monthly costs were much, much higher than doing it in house no matter how they did the numbers.

One of the things ASP providers overstate is support costs. I helped one client do a detailed analysis of this and pointed out that most of their support costs were for desktop and other local issues like printing issues that had nothing to do with the server app and wouldn't go away with the ASP. When we took all that out, the numbers tipped badly against the ASP.

They are also apt to accelerate upgrades to equipment and OS software. Maybe some people upgrade their server and OS every year, but most don't, and that shifts money out too.

ASPs fudge quite a bit :-)
