ASPs look to bolster security offerings
Security already was a stumbling block for application service providers intent on convincing companies to rely on remotely hosted applications. Now with security issues getting more attention because of proliferating viruses and increased feelings of vulnerability after Sept. 11, ASPs are renewing efforts to provide the best security services available.
Because it is an emerging market, there are no standards that dictate base security levels. Analysts suspect these standards will emerge, but meanwhile customers can expect ASPs to highlight security offerings.
Qwest Cyber Solutions (QCS) unveiled enhanced security services last week. This release follows Corio's announcement in December 2001 that it was rolling out a new security framework for enterprise customers. Other ASPs say they intend to closely monitor security advances and make sure they provide the latest in services.
"Security is one of those living, breathing animals that changes every day, so we're always looking for ways to make our clients more secure and keep their data more secure," says John Kerr, director of information assurance at USinternetworking.
Across the board, ASPs serving large companies and delivering complex applications provide a standard fare of managed firewalls, intrusion detection, network security, user authentication and VPN services. Some, such as Corio, partner with managed service providers; others, such as USi, provide much of the security on their own.
Nevertheless, security remains one of the largest hurdles to organizations buying into ASPs. Many companies perceive remote hosting as a vulnerability even though analysts and customers agree ASPs often provide better security than a company could deploy on its own. Part of the reason for the apprehension is the complicated ASP model, which involves not only remotely hosting data, but also transferring that data across a network to end users. Many ASP-hosted applications are integrated into enterprise systems, another doorway for possible network breaches.
Still, hundreds of companies are using ASPs and fueling a fast-growing market. Large companies with sensitive data, such as healthcare organizations and financial institutions, are finding the security they need with ASPs.
"On the security side, the general philosophy is that ASPs have more specialized resources for looking after security than I could afford to have internally," says Rodric O'Connor, vice president of technology at Putnam Lovell Securities in San Francisco.
But enterprise users should be careful to query ASPs about the security services they offer. ASPs that cater to large companies and deliver complex applications undoubtedly will provide baseline security services, such as managed firewalls, virus protection, intrusion detection and user authentication. But smaller, emerging players may not. A study by IDC last fall found that nearly a quarter of 50 ASPs surveyed failed to offer basic network security.
"They didn't offer virus protection. They didn't offer user-authentication securities," says Jessica Goepfert, an analyst at IDC. "These are things I consider vital and fundamental to any ASP offering. It's like renting a building that doesn't have locks on the doors."
Mark Clayman, director of hosting at Surebridge, says security is becoming increasingly important - second only to performance concerns - to customers, and the ASP is responding by providing more security services on a customer-by-customer basis.
"Everything from physical security, to the operating system, to antivirus, to application layer security, to network security and intrusion detection. That's what we offer on a standard basis, but it's always evolving," he says. "You never know when a customer is going to come in and want some additional security layer or some added functionality. We're always tweaking our service."
QCS says flexibility is a key to its enhanced security services. QCS partnered with managed security service provider Veritect to offer services that range from intrusion detection to vulnerability scans to professional services.

What's interesting about the services, analysts say, is that they are offered in a tiered manner so companies can choose what level of service they need. Each service is integrated with the application delivery but is priced in addition to the monthly application subscription.
"The idea of doing it in terms of an add-on makes sense because obviously for some applications and some customers it's not going to be worth spending additional money," says Laurie McCabe, vice president and service director at technology research firm Summit Strategies.
However, she predicts that over time the enhanced services will be rolled into standard offerings as the security bar is raised in response to customer demands. ASPs say customers already are pushing them to be clear about what type of security is provided.
"Customers are becoming more educated about security because so many people are doing business over the Internet," says Chip Gums, vice president of ASP Agilera's eastern region operations. "It's more of a topic during the sales cycle today than it was a year ago, and we are continuing to improve our security daily."
The bottom line, analysts say, is companies should consider what applications they want delivered from an ASP and then determine the level of security required. A calendar application won't need the same level of security that payroll software would, McCabe says.
"You want the best security that you can afford," she says. "Like everything else, it's going to boil down to trade-offs."
Contact Senior Writer Jennifer Mears

