ASP legal and security issues

Here are the highlights from a searchServiceProvider chat on ASP security issues.

This tip is excerpted from an online event held on our sister site, searchServiceProvider, with Morris Smith, VP of Technology at ThinKnowledge Networks. Here, Smith discusses some security issues and many of the legal issues that crop up with application service providers (ASPs), stressing the importance of service-level agreements (SLAs).

Q: Is business continuity a big issue in ASP business? Would an ASP's customers be concerned with the ASP's recoverability?
A: Redundancy and disaster recovery should be an intrinsic part of the ASP's system design, and they should be able to explain their recovery plans and procedures.

Q: What do I do to ensure the ASP's staff is protecting my data? What security measures should they be taking?
A: This should be spelled out in the SLA. There are quite a few things that they should or could be doing; however, at a minimum, they should be addressing the areas of backup and recovery, physical security of the data center and electronic security (i.e., hackers).

Q: What is the standard contract length between a user and an ASP?
A: We are more often than not seeing 36-month contracts and occasionally 24 months, but at a slight premium.

Q: Should I have legal counsel involved when preparing my SLA?
A: Normally you would not prepare the SLA. A competent ASP will have a comprehensive SLA already designed and ready for the customer's signature. You may have your legal team review it or offer changes; however, the primary document should already be in place.

Q: Regarding SLAs: Do customers pay more for more detailed SLAs, i.e.: security, data storage, network performance, etc.? Have you seen ASPs itemize how they would charge for their SLAs?
A: Data should always be treated the same regardless of the SLA. Everyone's data should have the maximum safety. The SLA covers not safety of the data but uptime and availabilities of the applications. My COO likens it to first class and coach on an airline. Everyone is just as safe; it's a matter of who gets the extras and amenities.

Q: SLAs, I've been told, should cover three areas: performance, procedures, and reporting, and that there should be penalties for nonperformance... What penalties does ThinKnowledge commit to? Or would you expect ASPs to commit to?
A: Most ASPs offer no financial compensation at all or they expect you to come and ask for it, which means you have to identify, track and record it. ThinKnowledge offers up to a 50 percent credit and will proactively notify its customers of any issues that require such a credit.

Q: Many ASPs outsource their data center and network facilities to hosting providers. What do you consider their responsibility regarding: network layer, platform, apps, operations, end services? How would you write that into the ASP's SLAs?
A: The customer has a contract with the ASP, not the hosting center; that is the ASP's problem, and they should take full ownership of any and all links between their servers and the customers' desktop devices.

Q: One of the great obstacles facing ASP models is moving beyond the perception of "If the data is not housed locally, how can I be sure my data is safe?" This is especially true in providing collaboration tools where the perception is "our knowledge is our competitive advantage." How can ASPs provide that assurance and a level of comfort to the customers beyond the SLAs?
A: Seeing is believing. Talk to their management team and visit their data center. If you are talking to the right ASP, 80 percent of your concerns will disappear after seeing the infrastructure that you are using.

Visit to read more of this online event.

Related book

ASP - Application Service Providing : The Ultimate Guide to Hiring Rather Than Buying Applications
Author : Scn Education Bv
Publisher : Morgan Kaufmann
ISBN/CODE : 3528031484
Cover Type : Hard Cover
Published : July 2000
How can you use ASPs for your business? The application service provider-market is on the verge of becoming a multibillion-dollar business, from its position as a niche market. Hiring an application instead of buying one means that the network (i.e. the Internet) becomes crucial. E-mail and Web site hosting were the first two killer applications for ASPs. What kind of applications will follow? Word-processing? Or even Enterprise Resource Planning software?

This was last published in May 2001
