Can Data Security Be Outsourced?

Many IT managers are familiar with the benefits ASPs (application service providers) offer. Faster deployment times, minimal IT support required, and overall lower TCO (total cost of ownership) - as much as 60% lower in some cases. So, why isn't everyone jumping on the ASP bandwagon? It usually comes down to trust. There's the perception that by outsourcing an enterprise application you're throwing all caution to the wind and inviting business competitors, hackers, or natural disasters to have their way with your corporate knowledge. Think about the way you protect your data and compare it to how ASPs handle data. You may be surprised to find that others can protect your data as well as or better than you can, and at a cheaper cost.

Data Transmission Security
To properly look at data security, we need to look at four specific areas of data protection: data transmissions, uptime, data backup, and disaster recovery. The first area, data transmission, can be accomplished either through a dedicated line or a public connection such as a VPN (virtual private network). A VPN is a private data network that uses a public network such as the Internet. VPNs add security features to the public network known as a tunneling protocol in order to safely connect remote sites or users. ASPs use special encryption techniques like SSL (secure sockets layer) to protect data that is accessed or transferred across VPNs. "ASPs can offer variable levels of encryption based on customers' needs," says Ed Holt, owner and president of Innovative System Solutions (Columbia Falls, MT), a provider of document imaging solutions and hosted insurance applications. "With this kind of encryption in place, the end user's data is as safe as it would be if it were locked up in a filing cabinet." There are three basic levels of encryption: 40-bit, 128-bit, and 256-bit. The number of bits affects the complexity of the algorithm that is used to protect the data. For instance, most banks use 128-bit encryption to protect their data. This means that without knowing the correct encryption code, someone would have to guess at 2 to the 128th power of possible combinations. That is the equivalent of trying to find one grain of sand in the entire Sahara Desert. With SSL in place end users and ASPs can have confidence that data will not be intercepted between the sending and receiving points across the VPN.

To add further security on the sending end, ASPs can password-protect the user's workstation. As long as end users don't share their passwords with others, this is a reliable security step. Beyond password protection and encrypting data, ASPs can provide two other levels of data transmission security: user profiling and packet profiling. "With user profiling, the ASP can monitor where users are logging into the system, audit bizarre behavior such as accessing applications users have never accessed before, and trace each step of a user's session," says Steve Gentner, CTO of CrownPeak Technology (Los Angeles), a provider of Web content management services. "A second type of profiling that ASPs can provide is packet profiling. With packet profiling, an ASP can monitor individual applications and make sure no one is trying to hack their way into the application."

Data Uptime: Chose Your Nines
Another common concern related to ASPs and data security is data availability. Companies fear that if they outsource their data to an ASP they may not have access to it as often as they would like. But, with a little better understanding of data architecture and SLAs (service level agreements), these concerns can be alleviated as well. "ASPs typically utilize a data continuity strategy within their IT architecture to ensure data availability," says Gerard Kane, director of the ASP industry community at CompTIA (Chicago), an industry trade association. "In fact, in an effort to comply with strict government mandates such as HIPAA (Health Insurance Portability and Accountability Act of 1996), many hospitals turn to ASPs as a way to protect their data and make sure they have access to electronic records at all times." Using a solid data continuity strategy, ASPs combine the best of breed in hardware, software, and services to ensure data availability even if a single element or server should go down. The level of uptime needed by an end user is described as a percentage, beginning with 99 and ending with a decimal point and more nines that follow. Each 9 that is added after the decimal point indicates a higher level of uptime promised by the ASP. For instance, if the SLA states data uptime of 99.9%, this means that the ASP guarantees no more than 500 downtime minutes per year. On the other end of the spectrum, 99.999% uptime indicates a guarantee of no more than five minutes of downtime per year. "This is where the importance of the SLA comes in," says Kane. "End users need to have all their data security issues spelled out in the SLA so that if the ASP doesn't live up to its promises there is a built-in remediation." For more information on data security issues to include in your SLA, check out the ASP Consortium's guide at www.allaboutasp.org.

Data Backup And Disaster Recovery Can Be Outsourced, Too
Besides the various levels of data mirroring, ASPs can provide several choices of data backup as well. For instance, data can be backed up to tape on a weekly basis or it can be backed up to disk on a more frequent basis. "Some customers need their data backed up every night and then sent to them every day," says Bob Fitzgerald, VP of sales and marketing for Radcliffe Datahorse (Markham, Ontario), a provider of hosted CRM (customer relationship management), SCM (supply chain management), and wireless services. "Whatever level of security the customer needs and is willing to pay for is what we provide." Within the SLA, the exact details of the backup can be described, which may even include steps taken to make sure the storage media is removed from the drive after the backup is complete and then placed in a fireproof safe.

For enterprises that need to take measures beyond the aforementioned scenario, a disaster recovery plan can be built into the ASP contract, which may entail making multiple backup copies of data. "We have one customer that has us mirror its data to two different data centers in two remote cities," says Fitzgerald. "If one city is hit by a tornado, flood, or some other disaster, then the customer's data is still intact and ready to go without interruption."

Get Expertise On A Rental Basis
Some companies try to protect their data by keeping it all in-house and hiring the best IT people they can to secure their data. Others, realizing the sheer cost of hiring IT specialists to cover all their data security needs, are finding that outsourcing these functions to an ASP is a viable alternative. And despite the newness of the term ASP, the concept has been around for many years and is a proven model in other areas such as banking and travel. We've come to believe, for instance, that entrusting our money to a bank is better than handling all the details ourselves. And, when it comes to flying, most of us find it more practical renting the services of major airlines than purchasing our own planes and flying ourselves. As time goes on and the ASP industry matures, outsourcing our data to these service providers may become just as natural as these other hosted services have become.