
ASP + no security = "sitting duck"

ASPs require that they provide twenty-four-by-seven access to their partners and clients. That makes them the Internet equivalent of "sitting ducks".
Written by Samuel Quek, Contributor


ASPs tend to cater to small-to-medium enterprises (SMEs), which find that outsourcing their business applications makes sense: it cuts expenditure and lets them concentrate on their core competency (their business) rather than on technology.


For an ASP to host and manage an SME application requires a good degree of trust from the client, and the majority of SMEs are concerned with the confidentiality of their data, as well as the performance of their application.

ASPs also run into problems that complicate the picture, such as preventing competing clients, whose data may reside on the same ASP, from accessing each other's data.

Hee Keen Keong is the consulting director for Computer Associates' (CA) branch in Malaysia, and currently spearheads the CA eBusiness Security arm for Asia.

Keen has extensive experience working with ASPs on behalf of CA, and has had the chance to understand the ASP end of the business better.

"An ASP is like a bank," says Keen, who acts in an advisory role in Internet banking projects for several banks. "You're not only hosting the application, but also the data."

"You don't want competing customers to be able to access each others' data," he pointed out.

What is particular to ASPs is the emphasis on authorization and encryption, says Keen, since many SME customers need assurance that access to their data is secure.

Keen recommends that access to data be defined on a per-user basis, either by name or by company.


CA uses the term "Virtual Zones", and defines specific rules for each zone, going down to the level of what each customer may access.

"It's a logical grouping of [the] company," says Keen. "Give them a more granular aspect of what they can or can not access."

Differing technologies are available to enable different permissions.

CA's own eTrust administration system is based on directories (LDAP) and grants permissions on a per-user basis rather than per machine.

Oracle's virtual private database is another tool: it allows different users to edit data in the same table, for example, while being unable to see each other's rows.
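To make the row-level isolation concrete, here is an added example (not code from the article, CA or Oracle) of the Oracle virtual private database mechanism described above. It assumes a shared `orders` table carrying a `tenant_id` column, an application context named `asp_ctx` set by a package `asp_ctx_pkg`, a policy function `tenant_policy`, and an owning schema `ASP`; all of those names are constructed for the example.

```sql
-- Constructed example: one table shared by every ASP customer,
-- each row tagged with the tenant (customer company) that owns it.
CREATE TABLE orders (
  order_id   NUMBER        PRIMARY KEY,
  tenant_id  VARCHAR2(32)  NOT NULL,
  item       VARCHAR2(64),
  amount     NUMBER
);

-- The trusted application tier sets the tenant of the authenticated session
-- through this package; only this package may write into the context.
CREATE OR REPLACE PACKAGE asp_ctx_pkg AS
  PROCEDURE set_tenant(p_tenant IN VARCHAR2);
END asp_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY asp_ctx_pkg AS
  PROCEDURE set_tenant(p_tenant IN VARCHAR2) IS
  BEGIN
    DBMS_SESSION.SET_CONTEXT('asp_ctx', 'tenant_id', p_tenant);
  END set_tenant;
END asp_ctx_pkg;
/
CREATE CONTEXT asp_ctx USING asp_ctx_pkg;

-- Policy function: Oracle appends the returned predicate to every statement
-- against ORDERS. If no tenant is set, SYS_CONTEXT returns NULL, the comparison
-- is never true, and the session sees no rows at all (fail closed).
CREATE OR REPLACE FUNCTION tenant_policy(p_schema IN VARCHAR2, p_object IN VARCHAR2)
  RETURN VARCHAR2 AS
BEGIN
  RETURN 'tenant_id = SYS_CONTEXT(''asp_ctx'', ''tenant_id'')';
END tenant_policy;
/

-- Attach the policy. update_check => TRUE also rejects INSERT/UPDATE statements
-- that would create or move a row into another tenant's partition of the table.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'ASP',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_TENANT_ISOLATION',
    function_schema => 'ASP',
    policy_function => 'TENANT_POLICY',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);
END;
/

-- Usage from a session belonging to customer ACME (constructed tenant name):
BEGIN
  asp_ctx_pkg.set_tenant('ACME');
END;
/
SELECT order_id, item, amount FROM orders;   -- filtered to tenant_id = 'ACME'
```

The design point is that the filter lives in the database rather than in application code, so a query that forgets a `WHERE tenant_id = ...` clause, or a customer connecting with a reporting tool directly, still cannot read another company's rows. The weak spot to watch is the context: whatever sets `asp_ctx` must derive the tenant from the authenticated identity, never from a value the client supplies.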

Keen also recommends that ASPs spell out to the clients which approach they are taking in terms of security and why. This helps to build the ASP's credibility.


Further assurances can be detailed in service-level agreements (SLAs), which must discuss different eventualities, and should have exit clauses built into them, advised Keen.

A number of cultural issues arise once you bring up an exit clause, says Keen, observing that within the Asian culture there is a great reluctance to talk about going backwards.

"It's the 'bad omen' syndrome," he says wryly.

But he pointed out that there's really no choice: As a client, your data is being held by someone else.

Security can be a strong selling point, suggested Keen, nominating SOLAR Inc as an example.


The joint venture between CA and Cable & Wireless HKT is an ASP and SME consulting services company that uses security as the reason why clients should engage it.

But most ASP clients don't typically treat security as a major factor when they choose an ASP. Performance tends to matter more to them, since the robustness of an application is the aspect users can see.

"Security is really on the same level of importance as performance," insists Keen. "It should be implemented in equal terms."

Keen drove his point home by noting that a compromised SME that missed a few orders would likely go out of business soon.

There is a tendency for security to be emphasized at either the entry point or the back-end system.

But Keen recommends encryption both on the network and on the stored data.


Encrypting data on the network and encrypting it at the ASP are equally important, says Keen.

Practical solutions include the use of secure sockets layer (SSL) and virtual private networks (VPNs).

The reasoning becomes clear when one notes that not all the applications hosted and managed will be web-based. Some, like those that run on Windows, will require an SSL connection to ensure a secure link.

According to Keen, there is some movement towards pushing applications to be PKI-enabled. This helps with easier integration in the long run, though there is likely to be some slow-down in the roll-out.

The complications with encryption arise when one client uses more than one ASP and runs into encryption incompatibilities between them.

"Most ASPs are very flexible, and willing to suit the customer," says Keen. "But clients need to choose standards that are [presently] being adopted."
