Magazine Article | October 1, 2002

Can You Trust Your ASP?

Source: Field Technologies Magazine

Before you launch into a relationship with an application service provider, make sure both of your backs are covered.

Integrated Solutions, October 2002

Given the high rate of IT infrastructure growth at most companies, it's a safe bet your company is already struggling to support all of its applications and customer services. At some point - if it hasn't already - your company is likely to outsource some applications and IT services to a hosting site or an ASP (application service provider). When that happens, a third-party provider will suddenly be standing behind your firewall. Or, you will be stepping out from behind your firewall. Or, both things will happen. In any case, you will be scrutinizing the integrity and security of your corporate data like never before.

Have you ever noticed how nervous most parents get when they consider hiring their child's first babysitter? Like choosing a babysitter, working with an ASP is a matter of extreme trust. Does that provider have the commitment to security and stewardship to make you feel at ease about opening the doors to your data center? Can you sleep at night after sending your data to someone else's center?

Those hosting providers that pass the "trust test" will undoubtedly emphasize two key factors: 1) the need for secure network transmissions; 2) the importance of authenticating users. Fortunately, encryption technologies and secure network protocols are stable enough to allow companies to use them as a baseline for determining the relative security of hosted sites.

For Secure Connections - VPN And SSL
Transmissions can be secured using VPNs (virtual private networks) or SSL (secure sockets layer)-based pipelines, such as the TLS (transport layer security) protocol. In an SSL-based session, programs or systems identify and establish connections between end points, or sockets. The security of the transmission relies on exchanging encrypted keys that are used to authenticate users. Although SSL has been adapted for Web browsers, the Internet itself is not typically used as the primary conduit for customer-to-ASP connections, particularly those requiring high security. "Most companies set up dedicated lines and use SSL or a VPN to establish a link to another company," says Dick Mackey, principal at networking and security consultant SystemExperts Corp. (Sudbury, MA). "They typically use the Internet only as a backup."

According to Steve Jorgenson, director of the Managed Services Division for SJ Technologies (Phoenix), which specializes in e-mail management solutions based on software from Legato, the advantage of a VPN connection is its flexibility and lower cost. "If we connect to our customers via a VPN, it makes it easier to get them on our firewall technology," says Jorgenson. "In a sense, we're extending our network to them, almost like a WAN [wide area network]." SJ Technologies President and CEO Ian Singer adds, "A VPN gives us the flexibility to manage customers' data at their site or ours. If a customer wants to maintain some equipment and applications in-house, we can connect to the customer via the VPN and manage the applications and data remotely."

In setting up a VPN, companies can choose between two types: a firewall-to-firewall VPN and a software VPN (so named to indicate the application-based end points at which encryption/decryption technologies are placed). The choice depends on how deep into the enterprise the organization assumes that a security breach could occur. In a firewall-to-firewall connection, encrypted data reaches the edge of the organization and gets decrypted there. In a software VPN, the secure pipe is extended deeper into the enterprise, connected directly to specific internal systems and applications. "In a firewall-to-firewall VPN, the threat you're trying to counter is someone outside the organization - someone on the Internet - trying to attack," says Mackey. "When you have a software VPN, even if an attacker gets into your environment - or is already inside it - that person would have to locate and break into the exact place where the data becomes decrypted."

According to Mike Bridges, president of electronic document exchange specialist PaperClip Software, Inc. (Hasbrouck Heights, NJ), in certain hosting scenarios, VPNs have limitations. SSL-based pathways can overcome them. PaperClip discovered those VPN limitations when it moved beyond the traditional company-to-ASP transaction model and created an industry hub for insurance providers. Using the PaperClip-hosted and managed hub as a storing-and-forwarding service, participating organizations can exchange documents with each other. PaperClip originally deployed a VPN but found that the VPN did not scale well for the kind of collaboration the hub was designed to support. "VPNs are based on proprietary technologies and don't interoperate well among diverse corporate infrastructures," Bridges explains. "To deploy a VPN across a wide community of users, you have to get them all talking to a specific hardware or software vendor. So, we retooled into an SSL network." Now, when customers initiate communications with the central PaperClip hub, a secure SSL tunnel is opened. When the transaction is completed, the tunnel is dropped.

Intrusion Detection Watches Your Back
No matter what transmission mechanism a customer uses to communicate with an ASP, it must judiciously use authentication tools to control user access. Companies that refer customers to a third-party ASP for some functionality - for example, financial services that send customers to stock trading sites - can authenticate their users before handing them off to the ASP. SystemExperts Corp. President Jonathan Gossels recommends making sure that the ASP establishes common standards for authenticating users. Otherwise, your customers may be interacting with customers from other companies that may not share your stringent procedures for authentication. "Shared sites can provide fertile ground for hackers who use documents to transport malicious code through viruses on attachments and through active, destructive programs," Gossels says. "Make sure there is mutual authentication among partners on any shared site you use."

Finally, Gossels recommends relying on smart intrusion detection technologies for added protection. "You can and should install intrusion detection at every layer - at the firewall, in the database where the ASP might come in to make queries, and at the level of your internal applications," he advises.