Here's a Catch-22 for you. In the wake of September's terrorist attacks, you've been told to beef up security around your key applications. On the other hand, you've been told to hold down costs by outsourcing key applications to an application service provider (ASP).
Virtually any ASP worth their salt will have firewalls and antivirus software protecting their data center from the Web, but that's only the first step. Once users are beyond the ASP's firewall, the ASP must ensure that those users cannot compromise the security of data within other applications -- perhaps being run by your competitors -- which are also hosted by the ASP. At the application level, "hardened" operating systems can provide highly granular access control, and authentication systems such as public key infrastructure can help ensure the identity of those seeking access to ASP-hosted applications. Will you run my applications on a dedicated server, and can you provide different levels of security for different application layers?
Analyst David Thompson with Meta Group Inc. recommends that ASPs run a customer's applications on a dedicated server, making it easier for the customer to ensure the proper access controls are in place. For Web-facing applications, Thompson recommends an ASP expose only the presentation (user interface) level to the Web, placing firewalls not only between the presentation layer and the Web, but also between the presentation layer and the business logic layers and a third firewall between the business logic and database layers. Interpath Communications Inc., an ASP in Research Triangle Park, N.C., takes such a "zoned" approach, says Chief Technology Officer Tony McGivern. The "public" zone might include Web servers, for example, where a "semi-private" zone would include application servers and a "private" zone would protect the database servers, he says. Interpath puts redundant firewalls between each of the zones, he says, and also uses different types of firewalls in the different zones to reduce the chance the same type of attack will penetrate multiple zones. What network level security do you provide?
At the network level, Analyst John Pescatore recommends 128-bit encryption and two-factor authentication between the customers' network and the ASP's backbone network, as well as redundancy and load balancing for crucial elements such as firewalls. How do you handle patches and software updates?
ASPs should have documented processes for evaluating security alerts from software vendors and for installing security patches and service packs on both applications and operating systems, says Pescatore. The ASP should also, he says, review the security of any scripts or integration code added to off-the-shelf applications it provides. Who audits and tests your security infrastructure, and how often?
Pescatore also recommends service providers conduct (or have an experienced consultant conduct) an internal security audit at least annually and external penetration tests at least quarterly. Audits that conform to SAS 70 (an audit standard developed by the American Institute of Certified Public Accountants) are best, he says, because they describe the ASP's security processes in a standard format accepted by all major auditing firms. How do you screen your employees, and how experienced are they?
Pescatore also recommends ASPs perform background checks on employees with administrative access to servers and applications, have documented procedures for authenticating the identities of customers asking to have their access controls reset, as well as two-factor authentication for anyone making changes to routers and firewalls. Finally, Pescatore recommends that the ASP's security staff have an average of more than three years of experience in information and network security and that more than three quarters of the ASP's security staff hold certifications such as the Certified Information Systems Security Professional or the System Network Assurance Program. How will you track and tell me about attacks?
Forensics -- the process of determining specifically what happened in a cyberattack -- is crucial for responding to attacks and closing security holes to prevent future attacks. It's not enough for the ASP to report "Oh, we found an attack today, and we defended against it," says Bakalov. The customer needs to know "exactly what type of evidence should be collected, who will collect it, how it will be stored, how it will be communicated (to the customer) and how the media should be contacted," he says. "It's a fairly complicated effort which gets short shrift in [service level agreements]." About the author
Robert L. Scheier writes regularly about security, and can be reached at firstname.lastname@example.org.