Here's a Catch-22 for you. In the wake of September's terrorist attacks, you've been told to beef up security around your key applications. On the other hand, you've been told to hold down costs by outsourcing key applications to an application service provider (ASP). Can you maintain security while you outsource applications? You can, but it requires a different kind of oversight than when your servers and network are in your own environment, a setting where you have at least some control over the infrastructure, the staff and the security processes. When outsourcing, analysts recommend asking highly detailed questions about how the ASP has designed its security infrastructure and the processes by which it maintains security. The first step, of course, is evaluating which of your applications and data are most critical and how they must be protected. If, for example, an insurance company must meet strict regulatory guidelines protecting the confidentiality of patient data, so must the ASP, says Rudy Bakalov, a manager with PricewaterhouseCoopers global risk management solutions in New York. "By outsourcing the application," he says, "the vendor becomes a party involved in the regulatory requirements." Once you understand your security needs, ask the ASP the following key security questions, and don't sign on the dotted line unless you get satisfactory answers.

How do you secure applications inside your firewall?
Analyst David Thompson with Meta Group Inc. recommends that ASPs run a customer's applications on a dedicated server, making it easier for the customer to ensure the proper access controls are in place. For Web-facing applications, Thompson recommends an ASP expose only the presentation (user interface) layer to the Web, placing one firewall between the presentation layer and the Web, a second between the presentation layer and the business logic layer, and a third between the business logic and database layers. Interpath Communications Inc., an ASP in Research Triangle Park, N.C., takes such a "zoned" approach, says Chief Technology Officer Tony McGivern. The "public" zone might include Web servers, for example, while a "semi-private" zone would include application servers and a "private" zone would protect the database servers, he says. Interpath puts redundant firewalls between each of the zones, he says, and also uses different types of firewalls in the different zones to reduce the chance the same type of attack will penetrate multiple zones.

What network level security do you provide?
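The three-zone layout in the previous answer, as an added example that is not Interpath's or Meta Group's configuration: a small policy linter that rejects any firewall rule which skips a zone, points outward from a more trusted zone, or opens a port the tier model does not allow. Zone names, ports and the sample rules are constructed for illustration.

```python
from typing import List, NamedTuple, Optional

# Zones ordered from least to most trusted (constructed names for this example).
ZONES = ["internet", "public", "semi-private", "private"]

# Flows permitted between adjacent zones, keyed by destination TCP port
# (constructed policy): the Internet reaches only the presentation tier, which
# reaches only the application tier, which alone reaches the database tier.
# Replies come back through the stateful firewall, so no outbound rules appear.
ALLOWED = {
    ("internet", "public"): {80, 443},
    ("public", "semi-private"): {8443},
    ("semi-private", "private"): {5432},
}

class Rule(NamedTuple):
    """One candidate firewall rule: allow src zone -> dst zone on a TCP port."""
    src: str
    dst: str
    port: int

def check_rule(rule: Rule) -> Optional[str]:
    """Return None if the rule fits the zone model, otherwise why it violates it."""
    if rule.src not in ZONES or rule.dst not in ZONES:
        return f"unknown zone in {rule}"
    hop = ZONES.index(rule.dst) - ZONES.index(rule.src)
    if hop != 1:
        # Skipping a zone (internet -> private) or initiating from a more trusted
        # zone outward bypasses the firewall stacked between each pair of zones.
        return f"{rule.src} -> {rule.dst} is not a single inward hop"
    if rule.port not in ALLOWED[(rule.src, rule.dst)]:
        return f"port {rule.port} is not permitted from {rule.src} to {rule.dst}"
    return None

def audit(rules: List[Rule]) -> List[str]:
    """Lint a whole ruleset; each finding is a rule the zone model should reject."""
    return [msg for r in rules if (msg := check_rule(r)) is not None]

# Constructed candidate ruleset: two conforming rules and two that break the model.
SAMPLE_RULES = [
    Rule("internet", "public", 443),
    Rule("public", "semi-private", 8443),
    Rule("internet", "private", 5432),  # exposes the database tier to the Web
    Rule("public", "private", 5432),    # presentation tier talking straight to the DB
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print("VIOLATION:", finding)
```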
At the network level, Analyst John Pescatore recommends 128-bit encryption and two-factor authentication between the customers' network and the ASP's backbone network, as well as redundancy and load balancing for crucial elements such as firewalls.

How do you handle patches and software updates?
ASPs should have documented processes for evaluating security alerts from software vendors and for installing security patches and service packs on both applications and operating systems, says Pescatore. The ASP should also, he says, review the security of any scripts or integration code added to off-the-shelf applications it provides.

Who audits and tests your security infrastructure, and how often?
Pescatore also recommends service providers conduct (or have an experienced consultant conduct) an internal security audit at least annually and external penetration tests at least quarterly. Audits that conform to SAS 70 (an audit standard developed by the American Institute of Certified Public Accountants) are best, he says, because they describe the ASP's security processes in a standard format accepted by all major auditing firms.

How do you screen your employees, and how experienced are they?
Pescatore also recommends ASPs perform background checks on employees with administrative access to servers and applications, have documented procedures for authenticating the identities of customers asking to have their access controls reset, and require two-factor authentication for anyone making changes to routers and firewalls. Finally, Pescatore recommends that the ASP's security staff have an average of more than three years of experience in information and network security and that more than three quarters of the ASP's security staff hold certifications such as the Certified Information Systems Security Professional or the System Network Assurance Program.

How will you track and tell me about attacks?
Forensics -- the process of determining specifically what happened in a cyberattack -- is crucial for responding to attacks and closing security holes to prevent future attacks. It's not enough for the ASP to report "Oh, we found an attack today, and we defended against it," says Bakalov. The customer needs to know "exactly what type of evidence should be collected, who will collect it, how it will be stored, how it will be communicated (to the customer) and how the media should be contacted," he says. "It's a fairly complicated effort which gets short shrift in [service level agreements]."

About the author
Robert L. Scheier writes regularly about security, and can be reached at firstname.lastname@example.org.
This was first published in October 2001