The ASP Solution: Stop! Thief!
When you rely on an application service provider (ASP) to host your company's CRM solution, you turn over highly confidential data to strangers. Not only do you give ASP employees access to company secrets, but by using a hosted application, you potentially expose your sales leads, marketing information and customer profiles to millions of Internet-based eyes, as well.
While there is no such thing as perfect security in any Web-based technology, there are technologies and methodologies ASPs can utilize to secure your data better. Before turning over control of your company's lifeblood to someone else, you should understand the risks and understand if and how your ASP addresses those risks.
"Customers should not just expect adequate security from an ASP," says Mark Hangen, president and general manager of managed security services at Atlanta-based Internet Security Systems. "They have to know what to expect and ask for it."
Security, as it pertains to anything Web-related, is an issue that everybody and nobody wants to discuss: Everybody wants to discuss the potential risks and just how secure their site or service is; nobody wants to discuss actual breeches of security. For all the obvious reasons, real stories about hackers or moles infiltrating a company's defenses are few and far between. "When something goes bad, it's in everybody's best interest to keep it quiet," observes Frank Prince, senior analyst, e-business infrastructure, at Forrester Research.
Suffice it to say, however, technological security breeches do occur. Daily hacker attacks on the Pentagon, or publicized security problems with high-profile companies, like those with Microsoft, E*Trade or The New York Times that recently made headlines, evidence the growing need for security precautions in cyberspace.
For ASPs, which host software applications for their customers via the Web, security risks come in two forms: external, or threats from outside the company or its ASP; and internal, or threats from within. "Historically, the insider attack has been more prevalent and damaging," says Allen Vance,vice president of offer and product management at Internet Security Systems. "The insider knows where the good stuff is, and also may have the motivation to do something to hurt the company. But as people put more valuable resources up on the Internet, the outside attack becomes more expected."
Outside attackers, who hack their way into secure Web sites, usually get most of the press these days. According to Vance, attackers usually fall into a few standard categories:
• The Script Kitty: Juvenile delinquents who are just in it for the thrill of breaking into a Web site that is "secure." Typically, these hackers do very little damage.
• The Denier of Service: A competitor, a disgruntled employee, a terrorist or perhaps even a foreign government that wants to damage databases and deny
service to users.
• The Data Thief: Someone who wants to steal confidential or patented information.
According to Lew Hollerbach, senior analyst, ASPs at the Aberdeen Group, to date the threat to ASPs from hackers has been minimal. "There aren't too many actual incidents," he says. "More often than not, security breeches have to do with systems going down and applications not working, rather than someone ‘breaking in.'"
Hollerbach says that the greatest threat to ASP security comes not from a hacker, but from the ASP or its client. "The biggest security threat lies within the four walls of a company. Usually it is a complete lack of security policies and procedures. From an ASP point of view, you can have all the external safeguards in the world, but if you don't have internal provisions in place, it will be worthless."
Since their inception, ASPs have been plagued by questions of security. "With ASPs, you are giving up even more control of your data," says Eric Olden, co-founder and chief technology officer of Securant, a San Francisco-based maker of operational security software. "You've got less control in an even more threatened environment."
While many people have become more comfortable with putting confidential information on the Web, with ASPs, some apprehension remains. "There is absolutely this perception that security is one of the key inhibitors to ASP success," says Hangen.
Are ASPs Secure? Well…um…
Is this perception of ASP vulnerability well-founded or simply fear of the unknown? It's a bit of both, say experts. "If we look back, there were a lot of fears and concerns about the safety of commerce on the Internet," says Rick Bernard, vice president of ASP operations at Infinium, a Massachusetts-based ASP that hosts CRM applications. "As we have seen, those fears and concerns were unfounded. Many of these Internet-based security concerns were more perception than reality."
"There aren't a lot of actual incidents with ASPs," says Hollerbach.
Yet, security problems abound on the Internet. The Computer Security Institute, an organization of security professionals, reports that one-third of companies in the United states say outsiders penetrated their computer systems in 1999, costing upwards of $10 billion.
According to Forrester's Frank Prince, if there aren't a lot of these problems with ASPs, it's not because the ASP industry itself is proactive in the area of security. In fact, he says, the opposite is true. "In the rush to be in e-business in three years, ASPs are ignoring security and, by doing so, ensuring that they won't be in business in four years," he says. "The general approach from many ASPs has been to do as little as possible and still get customers."
This approach is all too easy in the absence of a clear industry security standard. While more and more Web-based operations are embracing British standard 7799 for security (see sidebar), no one standard dominates. "There are a few companies out there claiming to be keepers of the standard, but for the most part there isn't one," says Prince.
What's more, ASPs typically operate on paper-thin profit margins, often catering to those companies with small IT budgets. Consequently, few ASPs direct scarce budgetary resources to something that may or may not deliver increased customer satisfaction. "One of the main reasons ASP defenses are not typically robust is that it is cost-prohibitive," says Hangen. "To do security right, it has to be done on a 24/7/365 basis, and there should be different levels out of multiple centers to ensure a fail-safe operation. Most ASPs simply can't afford this."
Before you cancel your ASP service, there are actually a few security advantages to ASPs. First of all, in hacker world, cracking into an ASP that hosts CRM applications is about as glamorous as vacationing in north Texas. "If I'm a hacker attacking an ASP, I don't know who its customers are," says Hangen. "I know who General Motors is, though. The only real advantage for a hacker to break into an ASP would be the economies of scale by getting access to 50 customers instead of one."
Furthermore, some argue that turning over company data to an ASP actually reduces the threat of internal security breeches. "With ASPs, you have a minimal involvement by real people. The result is that there is very little opportunity for people to compromise data," says Prince.
Finally, as previously mentioned, security does not come cheap. If you hire an IT staff to run your CRM applications in-house, these staff members must also be up on the latest in security, everything from firewalls to encryption to daily virus attacks. If your very expensive system engineers decide to move on--and in today's competitive market, that will happen--they take with them an intimate knowledge of your system's defenses. If, however, you can find a truly secure ASP, this worry, along with the headache of actually hosting fairly complicated applications, goes away.
So how do you determine if your ASP is secure? The first step, say experts, is by accepting that for anything Web-related, "secure" is a very relative term. "With the Internet, you might as well consider security dead," says Securant's Olden. "There's nothing that is completely, 100 percent safe. It all becomes a question of risk management."
Risk management is a process of determining exactly how much security you actually need. For instance, financial institutions need enormous amounts of security because of the highly confidential nature of the data running through their systems. Smaller, less high-profile operations obviously don't need as much.
According to Prince, proper risk analysis involves business owners asking themselves a few fundamental questions about their companies and their security needs. These questions should include the following:
• What is a business process worth, and what if it stops?
• What exactly am I protecting, and is it at risk?
• What are the risks involved?
• What are the different ways of lowering risks?
When you answer these questions, you may determine that it is highly unlikely that anyone would want any information within your system. If so, then your security requirements and those you require of an ASP will be considerably lower, making the job of selecting an ASP easier.
However, if you determine that your business processes are very valuable, and that any interruption to those processes will shut down your operation, then any ASP you partner with should have advanced security systems in place. According to Prince, while all ASPs claim to have superior defenses, few actually do. "If an ASP says they are going to provide you with secure e-mail, one would assume that there are extra security measures taken. That isn't always the case," he says. "By and large, there are not a lot of secure ASPs."
But what technologies and processes define adequate ASP security? Firewalls? Encryption? Just how much is enough? Prince suggests that customers ask ASPs about specific infrastructure technologies, such as dedicated lines, smart cards, firewalls, virtual private networks (VPNs), intrusion detection and password policies.
Equally as important as the actual technological infrastructure are "must have" security procedures and methodologies that ASPs should have in place. According to Allen Vance of Internet Security Systems, effective security falls into the broad categories of people, process and technology. Before signing up with an ASP, you should ask the following questions about how it addresses these areas:
• Do you have a response plan for denial of service?
• Do you comply with British standard 7799?
• Do you have hacker insurance?
• Do you have technologies and a process in place to detect and respond to network attacks, and can you report on that to your customers on a regular basis?
• Do you do background checks on your employees?
• Do you have a strictly enforced Acceptable Use Policy (AUP) for employee use of network resources?
The final question on Vance's list falls under the all-important heading of operational security, an area that addresses many internal security concerns. Securant Technologies creates and sells software specifically designed to facilitate an AUP by controlling access to company resources. "We focus on confidentiality and control, making sure that the right people see the right data," says Olden. "The risk we help manage is someone getting access to information they are not supposed to see."
In terms of risk management, internal or operational security measures lower risk by simply raising additional barriers to resource theft. "We put enough defenses in place that it would be more expensive for hackers to get at the information," says Olden.
Finally, there are questions of physical security. While talk of remote locations and bomb-proof buildings may sound more like the stuff of a James Bond film than of a simple applications hosting operation, threats to the physical security of the ASP in possession of your data should be considered.
Infinium, for one, takes such threats very seriously. According to Bernard, the company has a "Fort Knox" facility in Marlborough, Mass., that is designed to keep Infinium's servers operational, no matter what. The facility that houses these servers is actually a building constructed within another building and has one-foot-thick concrete walls. It houses its own generators and enough fuel to run them for four weeks free of municipal power. Automobiles cannot get within 300 feet of the facility. Employees entering the Infinium site must pass through five levels of security, including palm-scan devices, before they can get anywhere near a server. "This facility not only met, but exceeded our requirements," says Bernard. "I don't know if many ASPs have data centers as secure as this."
Security: A Work in Progress
For any business, security is not a fixed expense. As the recent hacking incident with Microsoft shows, no matter how impenetrable your defenses may seem, hackers will always find a way. With this in mind, security-minded companies approach the entire matter as an ongoing responsibility. At Infinium, for instance, the company goes through a process of regular technology audits from third parties to maintain an accurate assessment of the company's defenses.
Others in the industry follow suit, sometimes as a requirement for financing. Increasingly, venture capitalists require ethical hacking tests, known in the industry as "red teaming," to expose weaknesses in a company's defenses.
In the future, questions of ASP security may become moot as accepted standards, such as BS7799, emerge. "standards will come to the fore, and legal standards will be in place," predicts Vance. "Not having security won't be an option."
According to Hangen, until then, the closest you can get to total security is to partner with someone who has the security know-how and can get you hacker insurance. "You never say never," he cautions. "This stuff is a lot like viruses in nature. Once you think you've got it figured out, they reinvent themselves and come at you from a different angle."
He adds, "It's the price we pay for having the freedom of the Internet."