How Do You Address Security Issues?
September 27, 2000 9:03 AM ET

By Evan Schuman

Information technology managers see themselves as the ultimate guardians of their company's data. As such, the idea of using an application service provider, which would take their precious information and have it overseen by outsiders, can be a bit of a problem. On the other hand, a properly run security-oriented ASP could potentially offer far superior security, because it could cost-justify a much larger security team and more elaborate safety measures. But how is an IT manager supposed to figure out which ASPs will actually provide better security, and which ones have merely learned how to talk the talk?

That evaluation is made more difficult due to the paranoid nature of security management itself. IT managers find themselves in a frustrating catch-22 situation, as they insist on substantive details of an ASP's security procedures and processes - potentially through third-party security audits and site inspections - and yet they disqualify those ASPs that give away too many security particulars.

Most security experts counsel that an ASP security evaluation should begin with the basics: how the ASP says it handles security. "Ask some open-ended questions, such as 'Tell me about your security methodologies,'" says Allen Vance, a director of product management at Internet Security Systems. "They may say, 'We have a firewall' or 'We use SSL [Secure Sockets Layer] encryption.' Stop them and say, 'No, I want to know about your methodologies.' You want to hear the details of how they secure."

A lot of that information would fall under the heading of the ASP's security policy, which should be in writing for you to examine. "What processes and practices are used to enforce the policy? People always want to tell you about the brand of firewall they are using, but these are irrelevant if the policy doesn't provide sufficient granularity for security staff to properly configure and operate them," says David Piscitello, a principal consultant at Core Competence, an Internet security consulting company. "You should look for an ASP with well-defined processes, a robust set of proactive monitoring, logging and auditing procedures and one that has an appreciation of what constitutes evidence in a court of law."

Granted, at this stage, it's all just words, but words can reveal a lot. "Examine their proposals. Are they in grammatical English?" Vance says. "What that tells me is that quality control and professionalism is not a priority. Security is all quality control."

Does the ASP outsource its security to another company? If so, the IT manager needs to be questioning that other company. In case anything goes wrong, what kind of liability insurance is in place?

After the ASPs make the quick first cut, it's time to look at how they say they protect all elements of the operation.

The trickiest element is the wire. One popular approach is a virtual private network. A VPN is quite effective in environments where the IT staff has some control over equipment, such as at headquarters, regional offices and employee home offices. But when employees are connecting to the ASP from a client's offices or from a hotel or airport, control of the wire becomes much more complicated.

Chris Aronis at management consulting firm Network Strategy Partners estimates that 40 percent of the ASPs he has talked with haven't bothered protecting the connection. "They're just passing data along the Internet with only a firewall as protection. When they're just passing data across the wires, it's naked," he says.

Many consultants want ASPs to offer industrial-strength encryption, to protect data from being sniffed on its way to or from the ASP. Chuck Phillips, an engineer at firewall software firm CyberGuard, wants ASPs to focus more on authentication - the stronger, the better. Unfortunately, he says, that often meets with resistance from employees who need to go through more effort to access data. Phillips likes the higher-end biometric options - using anything from fingerprints, signatures and voiceprints to retina scans, hand shape or the design of a user's face - but considers them too expensive today, some costing thousands of dollars. His compromise is to have the ASP offer strong certificates on its server, backed up with a one-time password generator, such as SecureID. He pegs the SecureID cost closer to $50.

A fairly controversial aspect of assessing an ASP's security methods is firsthand evaluations, such as doing on-site inspections, testing the security of existing customers and hiring a third-party firm to conduct a security audit.

Some argue that a third-party security audit is an essential tool and that an ASP's reluctance to agree to one would be a reason to knock it off the list. Others counter that an ASP that constantly allowed third-party security firms to nose around its operation would be doing a disservice to its existing customers. One compromise is to have the ASP periodically retain its own third-party firm to do a full security audit, but it must then make those full audits available to prospective customers.

Like most compromises, it doesn't make everyone happy. "I'm not really high on security audits," says Elad Baron, the chief executive of security product vendor Whale Communications and a former software developer at the Israeli Ministry of Defense. "This third-party independent audit is very vague. One will use Ernst & Young and the other will use his friend John. You have to audit the auditors."

If a prospective client company wants to have its own audit performed, does it ask permission? Many consultants say yes, because it's courteous and avoids the ASP thinking it has a true attack on its hands. Baron, however, questions the validity of a pre-announced security audit. "Unannounced security audits are obviously better. The real hackers do not ask for permission," he says.

For users who do pursue independent audits, consultants stress that the audit is only a snapshot of that day's situation. "A security audit is only good until the ASP adds one more piece of data," says Cary Nachenberg, a chief architect at Symantec. "The moment the ASP adds a new firewall rule, all of the results of the previous audit go out the door."

"The audit will tell you if the company gets it," Phillips says. "You're just looking for methodology, process."

On-site inspections raise similar concerns. Some encourage their use, with IT managers looking for locked doors and other standard security protocols. "There are realities about physical access control," Vance says. "Is it a proper data center, or is it the back of an office?"

Others fear that the act of an ASP allowing a full site inspection is, in and of itself, a security violation. "Recently, I was given a tour of a hosting facility and I told them, 'You have an awesome facility. The only problem is that you give tours,' " says Kelly Phillips, the CEO of Center 7, an ASP started by Novell founder Ray Noorda. "That would be a mark against them, if they showed you everything." Phillips encourages inspections, but very limited inspections.

Testing current customers of the candidate ASP is another controversial approach. CyberGuard's Phillips is a strong advocate of this method. He suggests that IT managers ask the ASP for a list of customer references, but when he does so, his intent is not to interview the customers as much as it is to try and break into their hosted applications. "I'll run a port scan against that customer, and I'll go to every possible doorway," he says. "If they fail to close the telnet port, for example, then I'm not sure how they'll close ports on my system."

Phillips says that he would always seek that customer's permission first. Still, SilverBack Technologies' CEO John Igoe says that e-mail or phone permission isn't necessarily adequate protection, and he considers such port scans too dangerous. "If something goes wrong, you really expose yourself" legally. Did the customer understand what he was authorizing?

Another security concern is how well the ASP protects customers from each other. "You need to be separate, with full perimeter security surrounding your data. If there is one firewall for all customers," Baron says, "after you've passed the firewall, one customer can touch the information of the others."

At the heart of any ASP's security efforts are its core employees. Even though today's shortage of technology workers makes it foolhardy to count on a good employee still being there in two months, an ASP that can assemble a strong team once can likely do it again.

Beyond asking for criminal background checks, users should ask whether any of the employees serve on security councils and - most critically - are certified to support the potential customer's main applications.

When trusting so much critical data to an outside firm, IT managers must look for safeguards against a rogue employee within that ASP. Shared employee responsibilities are helpful, as are deep background checks, reference checks and audit trails as part of a service-level agreement, Vance says.

Core Competence's Piscitello wants IT managers to look closely at how a candidate ASP performs those audits. "A good security operation will keystroke audit every configuration change. With proper authentication, account control and access controls, your ASP should be able to attribute any change to a specific account."

Given that data backup, storage and disaster recovery should be key benefits of any good ASP, Piscitello advises getting full details about business resumption plans. "Who is responsible for archiving and restoring your information? What is the anticipated mean time to resume business?" he asks. "Do they run documented business resumption drills? Show me."

Indeed, IT managers do see themselves as the ultimate guardians of corporate data. If companies are going to take advantage of ASPs, IT managers wil have to bone up on their interrogation skills and pretend they are from the "Show Me" state.