

Key Questions to ask your ASP: TruSecure

By Liam Eagle, theWHIR.com

May 2, 2002 -- (WEB HOST INDUSTRY REVIEW) -- As small businesses place more of their operations on the Internet, they are turning more often to Application Service Providers to provide the expertise and infrastructure they require. You may be considering outsourcing certain operations to an ASP, which can be a wise and cost-effective decision. But your choice not to handle matters in-house is no reason for you to remain unaware of the details of the operation.  With your critical information at stake, you should feel comfortable asking service providers about their security practices. And any responsible ASP will be prepared to provide satisfying answers to a curious customer.

With the expectations of organizations evaluating ASPs in mind, TruSecure Corporation, a developer of security certifications, publisher and security services provider, recently issued a report listing 10 important questions that consumers ought to ask potential ASPs when considering their services.

“Now, more than ever,” says Paul Robertson, director of risk assessment at TruSecure, and author of the report, “organizations evaluating ASPs need to address a number of key security issues in order to confidently rely on an ASP.”

How does your ASP prove information security due diligence?

Any ASP can claim to have implemented adequate security policies, and many of them have. But you may require more proof than just the claim. One way for ASPs to prove the effectiveness of their security practices is through achieving an objective third party certification of their systems.

What is the historical performance of your ASP in terms of incidents relating to infrastructure and/or customer activity?

Reacting to infrastructure threats, says Robertson, is the core job of any ASP. The ability to react to customer-driven security events may be what separates the cream of the crop. Measurement and tracking functions may indicate an ASP that doesn’t improvise its security measures.

How does your ASP proactively address the flood of new vulnerabilities and patches?

Serious infrastructure operators are at the receiving end of an overwhelming stream of security patches and updates, some more critical than others. ASPs should have practices in place for prioritizing potential threats and addressing them in a timely manner.

Does your ASP have an ongoing information security program?

Security is an ongoing concern, says Robertson, and ASPs that evaluate security programs continuously rather than through semi-annual or annual audits have a significantly better track record for preventing security events.

What internal policies does your ASP have in place to ensure policy compliance of human resources, Internet security, remote access, help desk, administration, etc.?

“Insider threat is one of the more difficult security processes to get right,” says Robertson. The best way to minimize these risks is through organized and documented security policies and procedures.

How would your ASP handle availability issues if access to its facility weren't possible?

A number of disaster situations can place data facilities off-limits even to personnel for days at a time. Responsible ASPs should have the ability to recover quickly and completely from such an event. They should also have the built-in redundancy to ensure availability while the facility is inaccessible.

How does your ASP handle Denial of Service (DoS) attacks?

Any site on the Internet, including yours, is a possible target for DoS attacks. Responsible ASPs, says Robertson, should have standard methods for dealing with such situations, including notifying customers and working with ISPs to block attacks.

How does your ASP handle authentication of customer-driven changes?

Service providers should have policies in place to handle the authentication of customer changes, ensuring that former employees or enterprising attackers cannot talk their way into making changes to your applications or data.

What has your ASP done in terms of the physical security of its data/security operation center, and is that security validated by an independent third-party expert?

“Physical security is often overlooked in the Internet space,” says Robertson. And, although less common, physical attacks can be far more destructive than electronic attacks.  Make sure your ASP has taken the physical security precautions to protect your critical data.

Does your ASP pre-notify their customers about changes to its infrastructure, and is there a way to reach them after hours?

Your ASP, says Robertson, should keep its customers notified of maintenance cycles and infrastructure changes. And it is critical that you be able to reach your service provider by phone in the event of an outage.

Of course, you may have other matters of particular concern to your business. But the questions suggested by Robertson and TruSecure can go a long way toward helping you select a diligent ASP, and one that will take a responsible approach to securing your critical information.
