You get what you pay for, they say. But when you entrust your data to an online host, what are you paying for? "One of the first issues a small business should be concerned about is determining how safe their data is," says Jerry Harold, co-founder of Herndon, Va.-based NetSec, an information security services provider that works with businesses and ASPs.
A business's data is one of the most important resources it can have -- or lose. Despite the documented benefits of using an ASP, companies are still reluctant, concerned about security even though their own internal security often leaves a lot to be desired. Companies should be worried about security, no matter where their data resides.
"It's essential for us to give our customers a high level of confidence," says Howard E. Taylor, president and chief executive officer of Irvine, Calif.-based FutureLink. The company uses high-end equipment including EMC storage servers and an uninterruptible power supply that gives its customers seven days of power backup. In addition, all of the company's servers sit behind a firewall and are mirrored so that if one does go down, a backup comes right back up.
But it's not enough to simply believe an ASP's company line. As with any infrastructure investment, you should understand what steps ASPs can take to protect your data and make sure you get in writing what, exactly, they do. Your written service agreement can be used to make sure they back up their promises. Here's the absolute minimum you need to know before signing a service agreement.
1. Who hosts their data?
One of the most important questions for a prospective customer to ask is whether or not an ASP is hosting data on its own premises. Many ASPs actually store the data at a co-location provider such as Exodus Communications or Loudcloud. Here's how it works: An ASP builds its own infrastructure but stores the servers and hardware in a cage at a co-location provider. By going with such a provider, ASPs get instant access to a broadband pipe that leads directly to an Internet backbone. They also get assurances that their software as well as your data will be powered and protected from dangers such as fires, extreme heat, and mischievous employees.
The more advanced the applications are, the more critical it is for ASPs to secure them in a high-end hosting facility, says Tony Kong, chief information officer for Captura Inc., a Kirkland, Wash.-based ASP. "High-end hosting facilities have been through security audits and have established processes in place," says Kong. "Customers shouldn't have to worry about uptime or security, and a hosting facility is going to take some of that responsibility off the ASP and the customer." Audits are often done by outside security companies to ensure compliance with a specific level of service. They can include processes such as simulated hacker attacks and evaluations of firewalls and password protections.
The alternative -- hosting servers in-house -- should be left to ASPs that either provide hosting services themselves or offer service level agreements that protect customers from outages and hacker attacks, Kong says. The hosting facility's reputation matters to customers, too. Mike Campagna, director of accounts payable at the temporary staffing firm Labor Ready, says one of the reasons he felt more secure using Captura's travel and entertainment software solution was that he knew the Exodus name. "We were very interested in Captura because we know Exodus is a world-class hosting facility so we knew we wouldn't have to worry about our data," Campagna says.
2. How do they protect the data?
Even if an ASP does host its servers elsewhere, there are still things that they can do to make data more secure. Firewalls, which offer important ammunition in the war against hackers, should be part of any ASP's security plan.
Software- and hardware-based firewalls prevent unauthorized access to a network. They work by acting as a gateway for all incoming and outgoing traffic. They also filter out specific types of Internet Protocol (IP) traffic to prevent denial-of-service attacks. Usually, they sit in front of a Web server, passing traffic through. Some firewalls actually examine IP packets and allow or deny access based on their originating IP address.
Protection at this level is something that even a firewall designed for home use can do, and high-end ones can do much more. It isn't difficult to fake or spoof IP addresses, so firewalls are only a piece of the overall security puzzle. Once data gets past a firewall, there are plenty of pitfalls inside the server environment, says NetSec's Harold. Another basic feature an ASP should offer is active monitoring.
Simply put, an ASP or anyone running a server and using monitoring software can keep track of everyone who accesses the server and exactly what they are doing once they get there. While this won't prevent an attack on the server or unauthorized access, it can help identify whether or not one has occurred and pinpoint how to avoid future problems. As with other security technology, ASPs don't like to disclose exactly what kinds of software and security measures they are running; they should be willing, however, to tell a customer whether or not they are using monitoring software and what parts of the network are under scrutiny.
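The two layers described above, a firewall that allows or denies connections by originating IP address and monitoring software that records who reached the server and what they did, can be sketched in a few dozen lines. The following Python is an added example and not code from the article or from any ASP it names; the rule set, the access-log lines, the user names and the authorized paths are all constructed for illustration. The firewall half shows why the article calls source-address filtering only a piece of the puzzle: a rule that denies a spoof-prone range still lets every other address through, so the monitoring half reviews what happened after the connection was admitted.

```python
import ipaddress
from collections import Counter

# Constructed firewall rule set (an added example, not any ASP's real policy).
# First matching rule wins; an address that matches nothing gets the default.
FIREWALL_RULES = [
    ("deny", "10.0.0.0/8"),     # private range: should never arrive from the Internet, likely spoofed
    ("deny", "192.0.2.0/24"),   # constructed block-listed range
    ("allow", "0.0.0.0/0"),     # public portal: everyone else may reach the Web server
]


def firewall_decision(src_ip, rules=FIREWALL_RULES, default="deny"):
    """Allow or deny a connection by its originating IP address, first match wins."""
    addr = ipaddress.ip_address(src_ip)
    for action, cidr in rules:
        if addr in ipaddress.ip_network(cidr):
            return action
    return default


# Constructed access log of requests that already passed the firewall.
# Fields: timestamp, source IP, authenticated user ("-" if none), method, path, status.
SAMPLE_ACCESS_LOG = """\
2001-03-14T10:02:11 198.51.100.5 alice GET /acme/invoices 200
2001-03-14T10:02:19 198.51.100.5 alice GET /acme/reports 200
2001-03-14T10:05:40 203.0.113.7 ops PUT /acme/config 200
2001-03-14T10:07:03 198.51.100.5 alice GET /globex/invoices 403
2001-03-14T10:07:09 198.51.100.5 alice GET /globex/invoices 200
2001-03-14T10:09:30 203.0.113.200 - POST /login 401
2001-03-14T10:09:31 203.0.113.200 - POST /login 401
2001-03-14T10:09:32 203.0.113.200 - POST /login 401
"""

# Hypothetical authorization map: which path prefixes each user may touch.
AUTHORIZED_PREFIXES = {
    "alice": ("/acme/",),
    "ops": ("/acme/", "/globex/"),
}


def parse_access_log(text):
    """Turn the six-field log lines into dicts; malformed lines would raise."""
    records = []
    for line in text.splitlines():
        ts, ip, user, method, path, status = line.split()
        records.append({"ts": ts, "ip": ip, "user": user,
                        "method": method, "path": path, "status": int(status)})
    return records


def review_access_log(records, authorized, login_threshold=3):
    """Return alerts: requests outside a user's scope and repeated login failures.

    This does not stop anything; as the article says, monitoring tells you that
    something happened and where to look, which is why even the 403 is reported.
    """
    alerts = []
    failed_logins = Counter()
    for r in records:
        if r["path"] == "/login" and r["status"] == 401:
            failed_logins[r["ip"]] += 1
            continue
        if r["user"] == "-":
            continue  # unauthenticated request to a public page
        prefixes = authorized.get(r["user"], ())
        if not any(r["path"].startswith(p) for p in prefixes):
            # A 200 here means an out-of-scope request succeeded: the worst case.
            alerts.append(("out_of_scope", r["user"], r["path"], r["status"]))
    for ip, count in failed_logins.items():
        if count >= login_threshold:
            alerts.append(("repeated_login_failure", ip, count))
    return alerts


if __name__ == "__main__":
    for ip in ("10.1.2.3", "192.0.2.44", "203.0.113.200"):
        print(ip, firewall_decision(ip))
    for alert in review_access_log(parse_access_log(SAMPLE_ACCESS_LOG), AUTHORIZED_PREFIXES):
        print(alert)
```

On the constructed log the review reports both of alice's requests into the other customer's area (the denied one and the one that unexpectedly succeeded) and the burst of failed logins from one address; the firewall never saw any of that, because every one of those connections came from an allowed range.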
3. How do they protect information on shared servers?
One of the main reasons ASPs are a cheaper alternative is that companies can share one server, including the cost, but this also presents a security risk, says Liza Henderson, vice president of the Denver-based consulting firm TeleChoice Inc. "Customers need to ask if they are going to be on a shared server and if so, how the ASP is going to ensure that the data is safe," she says. "The ASP should have separate firewalls for separate customers."
Even if a server is protected by a firewall and all company data is encrypted before it's sent over the public Internet, data sitting on the Web or database server is in the open. Companies whose data reside on the same server could use their access into that server to reach other people's data. Nupremis, a Boulder, Colo.-based ASP, handles this problem with what it calls datagraming: assigning a specific label to each customer's data.
This is a common practice among ASPs which host multiple applications and customers on the same server. Only data that matches a customer's label can get in or out of a specific server partition. Servers can also be partitioned so each customer, in effect, gets their own server or database. Partitioning ensures that a crash of one company's application won't spill over and take out an entire server full of customers.
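To show what the labelling approach buys on a shared database server, here is an added Python example; it is not Nupremis's datagraming implementation or any ASP's code, and the customer names and records are constructed. Every row carries a tenant label, and the scoped methods put the caller's label into every query predicate. The unscoped lookup kept alongside them is the shared-server pitfall the article describes: keyed only by record id, it returns whatever row matches, no matter whose it is.

```python
import sqlite3


class SharedServerStore:
    """In-memory stand-in for a database shared by several ASP customers.

    Each row is labelled with its owner's tenant name. The scoped methods
    require the caller's label in every SQL predicate, so a record can only
    be read or changed through the label it was stored under.
    """

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE records ("
            "id INTEGER PRIMARY KEY, tenant TEXT NOT NULL, body TEXT NOT NULL)"
        )

    def insert(self, tenant, body):
        cur = self.conn.execute(
            "INSERT INTO records (tenant, body) VALUES (?, ?)", (tenant, body))
        self.conn.commit()
        return cur.lastrowid

    def fetch_unscoped(self, record_id):
        """The pitfall: a lookup keyed only by id ignores who owns the row."""
        row = self.conn.execute(
            "SELECT body FROM records WHERE id = ?", (record_id,)).fetchone()
        return row[0] if row else None

    def fetch(self, tenant, record_id):
        """Labelled read: the caller's tenant is part of the predicate."""
        row = self.conn.execute(
            "SELECT body FROM records WHERE id = ? AND tenant = ?",
            (record_id, tenant)).fetchone()
        return row[0] if row else None

    def update(self, tenant, record_id, body):
        """Labelled write; returns rows changed (0 when the label does not match)."""
        cur = self.conn.execute(
            "UPDATE records SET body = ? WHERE id = ? AND tenant = ?",
            (body, record_id, tenant))
        self.conn.commit()
        return cur.rowcount

    def list_for(self, tenant):
        """Only rows carrying the caller's label are ever enumerated."""
        rows = self.conn.execute(
            "SELECT id FROM records WHERE tenant = ? ORDER BY id", (tenant,))
        return [r[0] for r in rows]


def isolation_demo():
    """Two constructed customers on one server; returns what each lookup yields."""
    store = SharedServerStore()
    acme_id = store.insert("acme", "acme invoice #1")
    globex_id = store.insert("globex", "globex invoice #1")
    return {
        # acme asking for globex's row through the labelled interface: nothing
        "cross_tenant_scoped": store.fetch("acme", globex_id),
        # the same id through the unscoped lookup: the other customer's data
        "cross_tenant_unscoped": store.fetch_unscoped(globex_id),
        # globex reading its own row works as expected
        "own_scoped": store.fetch("globex", globex_id),
        # a labelled write against another tenant's row touches no rows
        "cross_tenant_update_rows": store.update("acme", globex_id, "tampered"),
        "globex_body_after": store.fetch("globex", globex_id),
        "acme_ids": store.list_for("acme"),
        "acme_id": acme_id,
    }


if __name__ == "__main__":
    for key, value in isolation_demo().items():
        print(f"{key}: {value!r}")
```

Per-customer labels are the row-level form of the isolation the article describes; the partitioning it mentions next is the coarser form, a separate database or server per customer, which also contains the blast radius of one customer's crashed application. Either way, the check a customer should ask for is the same: that no code path on the shared server can reach a record without the requesting customer's label.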
4. What happens if something goes wrong?
Companies should talk to their ASPs about what happens once there is a breach or system outage, says Pavel Slavin, director of global systems engineering for Argus Systems Group Inc., who also serves as chairman of the Wakefield, Mass.-based ASP Industry Consortium's subcommittee on security. "This is something that we're working on at the ASP Consortium. ASPs should have best practices in place from desk to data," says Slavin. These practices should include security analysis, early-response procedures, an emergency chain of command, and a method of contact for customers. The best tactic for customers is to request an SLA and find out what type of response chain the ASP has when a problem occurs.
5. What will the service cost, and what is the state of the service provider's finances?
Some ASPs still offer free services, but Allan McLennan, former senior vice president of Strategic Development for Media Station Inc., an Ann Arbor, Mich. ASP, says companies can expect far better security from companies that charge for their services. After all, security costs money.
"I know how much my service costs me, and I couldn't do it for free," says FutureLink's Taylor. "It's very difficult to get enough advertising support that will pay for an ASP's infrastructure. How many banner ads would you have to sell to pay for a 7,000-square-foot data center?"
In the current economic climate, you may also want to inquire into the financial solvency of the service provider. By the end of 2001, more than two-thirds of ASPs that existed at the beginning of 2000 will have disappeared, according to Michael Speyer, director of the Yankee Group, a Boston-based research firm. To make sure you're not left with a worthless SLA, ask about the ASP's cash flow.
Tim Morin, chairman of Eden Prairie, Minn.-based ASP Wizmo, says this is one of the first things prospective clients ask. "If I'm a small business, I'm going to be handing over some pretty important stuff -- the jewels of the business -- to my ASP," Morin says. "I can't afford to do that with someone running on fumes. An ASP that doesn't have 12 months of operating cash in the bank is in trouble."
Today, most ASPs have tiered levels of service that range from standard and gold to a multi-tiered offering that includes security not only on the ASP side but also on a customer's own network and server. The level of security can be ramped up, and this lets you choose the level that's right for you.
MJI Broadcasting, a New York-based radio content syndication company, uses site management tools developed by Interpath, an ASP based in Research Triangle Park, N.C. Although Interpath offers high-end security, MJI was more concerned with finding a reliable partner. "We weren't acquiring sensitive customer data," says Holley Atkinson, vice president and general manager of MJI. "Still, it was nice to know that everything was protected."
In other words, you're paying for peace of mind.