
ASP Security Primer

"When people think of ASPs, they think about accessing their data over the Internet, and that immediately brings up the topic of security, but the truth is that many ASPs deliver security better than the company can," says Amy Mizoras of IDC.
Written by JP Vellotti, Contributor

If security isn't among your top criteria for evaluating potential ASPs, write it in now. But then again, most ASPs probably do security better than you.

"When people think of ASPs, they think about accessing their data over the Internet, and that immediately brings up the topic of security," says Amy Mizoras, senior research analyst for ASPs at IDC, an IT industry analysis group.

In fact, 85 percent of IT executives say that security is their top priority when evaluating ASPs, according to IDC.

"But the truth is," says Mizoras, "that many ASPs deliver security better than the company can."

And because ASPs know effective security is essential to their business, they spend more on it than most companies could possibly afford.

ASP customers need to feel confident that their data is safe not only over the networks but also from the prying eyes of ASP employees. Information theft is a huge risk for companies. If an ASP employee stole financial data that outlined a business's new project, for instance, and sold it to the company's competitor, the results could be disastrous. While no one can predict employee information theft, ASPs must earn a customer's trust to be successful.

Before you evaluate an ASP's security model, take steps to understand what you are protecting.

Develop a risk assessment plan: Think about who might want to steal your data. Also analyze critical spots in your information exchange network - and network configurations - including hardware (servers, firewalls) and software (passwords, authentication). Ask how the provider can implement a security solution that will protect every shred of your data and every access point to it.

But don't be too concerned about viruses and denial-of-service attacks. Almost every ASP has a similar network infrastructure to handle these. What separates the top ASPs, according to security experts, is their contingency plans. What if your ASP is compromised and data is lost? How will your ASP recover the data? Does it have redundant backup servers? Are the servers located in one location or in different cities? Will you be alerted if something goes wrong?

Most ASPs have undergone third-party enterprise-level security audits; when you're evaluating an ASP, ask to see its report card. Some ASPs will also let you tour their data centers, but be prepared to undergo a background check (which is a good thing). Before signing on with an ASP, make sure the company is willing to sign an NDA (non-disclosure agreement) regarding your business model and information, and ask about its security guarantee. This should call for harsh financial penalties if your data is lost, hacked, or stolen.

Finally, an ASP's security is only as good as the habits of your employees. Your employees need to be trained to practice good security habits: Remind them not to give out passwords or talk about more sophisticated info, like your network infrastructure. What is common sense to you may be new to your employees, and security is often forgotten in practice.
