by Brian Fonseca

Securing ASP customers

feature
Feb 22, 2002

CTOs at ASPs find that their enterprise customers want security concerns addressed and in the contract

With shrinking IT budgets favoring renewed optimism in outsourcing noncore functions, enterprise CTOs want vendors to make assurances that their offerings will not leave them open to security risks. ASPs are under pressure to convince skeptical customers that they are trustworthy hosting partners.

Potential and current customers want ASPs to display proven security expertise and business continuity planning to ensure predetermined levels of infrastructure protection are being met, analysts say. Despite these inquiries to ASPs by CTOs, security issues do not get top billing during services and contract negotiations.

“Security is a battle. I don’t have a CSO [chief security officer], and I do lean on outside talent to fill in,” says Dan Lubin, CTO of Northboro, Mass.-based The Folio Group, a manufacturer and designer of trade show supplies and exhibits. “You have to depend on subject matter experts; you don’t have a choice. You can’t know it all.”

Lubin outsources The Folio Group’s financial systems and Great Plains ERP software to ManagedOps.com, an ASP in Bedford, N.H. Lubin says that running an encrypted environment across its seven U.S.-based facilities created the need for hosted central management. The relationship between the customer and the ASP has to be one of give and take, because both parties must work together to ensure that datacenter security is audited and password protocols are followed.

“I give ManagedOps.com responsibility for the datacenter in terms of only allowing trusted traffic and [for] advising me. I leave it up to them to provide technical expertise to say we should be taking these measures and countermeasures to keep [corporate data] safe,” Lubin says. Despite a partnership feel, Lubin says he would not hesitate to lay or share blame on ManagedOps.com if a significant security breach were to occur.

Jeff Gurrier, CTO of ManagedOps.com, says that in hosting mission-critical business systems including Great Plains, ERP, and CRM solutions from PeopleSoft and Siebel, he is ready to answer customers’ security questions.

The questions he is getting reflect the increasing sophistication and sheer onslaught of computer threats and attacks. “[CTOs] are more confused and understand less about security. There’s simply so much going on and things are changing quickly,” Gurrier says.

Negotiating security

Yet most customers do not address security matters in contract negotiations until the deal’s later stages, ManagedOps’ Gurrier says. Instead customers opt to first focus on the application, module, and implementation concerns of the ASP arrangement.

When security does enter the ASP documentation maze, it’s up to the customer representative negotiating the deal to determine how much pressure will be put on the service provider to prove the solution is bulletproof, says Laurie McCabe, an analyst at Boston-based Summit Strategies.

“Not only should [security measures] be in writing when you sign that contract — including how things will be monitored and measured — you want documentation before that on how [an ASP] creates and executes [its security] procedures — what goes into a secure environment both virtually and physically,” McCabe says.

McCabe argues that the onus is completely on the ASP to guarantee that a variety of attacks will not affect performance and availability. A tricky proposition, notes Gurrier, since managing risk and external verification must be balanced against customers’ ardent application functionality requirements.

ManagedOps.com takes care to learn clients’ roles and how they will use the application to build security context rules around that to avoid potential pitfalls. “The customer definitely feels like security is your problem as the ASP. They want the functionality they typically get in a very insecure environment, but from you in a very secure environment. That means you have a lot more work to do,” Gurrier says.

Applying patches for vulnerabilities at the application and protocol layer can be especially troublesome, Gurrier says. All activity must be screened at every OSI stack layer and a response plan must exist if a third-party patch has difficulty solving the threat or if it breaks the application.

For protection, ManagedOps.com uses IPsec, SSL (Secure Sockets Layer), SecureICA, encryption, firewalls, IDS (Intrusion Detection System), anti-virus, monitoring, and credential verification systems.

Sharing security information

Dave Moellenhoff, CTO of Salesforce.com, a San Francisco-based CRM ASP, says security questions arise from the IT-related side of the negotiating table rather than business executives. Queries involve physical security such as data location, data backup procedures, and redundancy issues, as well as external security including how data is built into network infrastructure and how applications are monitored.

Internal security, such as access control within an organization, identity management, and territory-based accounts, does not produce best-practices data to put before customers, Moellenhoff says. Even data that is more readily available, including internal architecture designs, specific security product types and placement, and an application’s design, is only made available under an NDA.

Moellenhoff says an ASP should attempt to build its entire network and hosting system from the ground up and not rely on third-party products to ensure success. If a failure or problem were to occur, having a clear understanding of one’s own network and the components it contains is crucial to quick resolution for the customer, he adds.

“When you’re running a system that’s doing millions of pages a day, you need to understand every aspect in your system,” Moellenhoff says. “[Customers] will tolerate being offline but they will not tolerate data being lost. You need to make sure that’s safe.”

Summit Strategies’ McCabe says customers must enter a deal with an ASP having pinpointed any security concerns specific to the nature of their business. “We’ve all been through this binge-and-sobering experience in the [ASP] industry. Nobody is taking anything a technology vendor says at face value,” she remarks.

Redefining premiums

Putting his money where his mouth is, Yamil Hernandez, IS manager at Gaithersburg, Md.-based Sigma-Tau Pharmaceuticals, seller and distributor of pharmaceuticals, wanted details about how databases worked. Hernandez decided to contractually outline that his company’s revenue information would not reside within the Salesforce.com hosted application. Instead it sits behind Sigma-Tau’s firewall protection.

Admitting that security details were his third or fourth priority in contract details, Hernandez says his legal department was crucial in ironing out liability and shared-risk stipulations.

“You can be shown and sold on all the wonderful things [an ASP] can do, but at the end of the day it’s what is in the contract between the two entities that matters,” Hernandez says. “You have to be realistic about uptime and availability. If you’re going to put it stringently in the contract, you will pay a premium.”

But premiums may be redefined. Following the massive amounts of data and infrastructure destruction caused by the events of Sept. 11, ASPs are starting to incorporate greater business continuity and disaster recovery methodologies.

Customers are also beginning to insist that ASPs open their doors and share information about how both parties would and should react during a crisis to promote a stable, trusting relationship.

“I think the days of, ‘Here’s our menu, here’s what we’re selling, decide what you’re buying’ are over [for ASPs]. Providers that will survive are truly committed from top to bottom to adding value,” Lubin says.