Security Questions for Your Provider

Asking the right questions is key to choosing the right software-as-a-service provider.

The idea of delivering software as Web applications over the Internet isnt exactly new. In the 1990s, at the height of the dot-com boom, the application service provider model enjoyed moderate success. Today, with AJAX-based Web applications all the rage, the model has made a dramatic comeback, but with the same old security concerns.

"The same questions you had for your ASP in 1999 are the same questions you have to ask your software-as-a-service provider," said Marcus Sachs, deputy director of Washington-based SRI International, a nonprofit research institute that provides support for the U.S. governments Cyber Security Research and Development Center.

"You have to establish a minimum acceptable level of security and make that a key part of the decision to outsource your business applications. How are they protecting your data? When was the last time they had an intrusion? Are they going to allow you to do independent penetration testing? Can you do a physical site inspection? Those are the kinds of questions that should be high on your list," Sachs said in an interview with eWEEK.

/zimages/2/28571.gifClick here to read about security concerns surrounding software as a service.

Sachs, who doubles as volunteer director of The SANS Institutes Internet Storm Center, said a checklist of security standards that covers everything from infrastructure audits to physical, network and host security inspections should be mandatory for every business considering a move to software as a service.

But, as John Pescatore, an analyst at Gartner, in Stamford, Conn., pointed out, theres no such standard covering on-demand computing security. "Thats the big problem. Theres no way to judge if or Windows Live or even Google is meeting certain requirements because we dont have anything to stack them up against," Pescatore said.

Gartner has dusted off a list of questions from the ASP era and is modifying it for clients considering the Web application plunge.

The questions include:

• Does the ASP require the use of two-factor authentication for the administrative control of routers, switches and firewalls?

• Does it support 128-bit or stronger encryption and two-factor authentication for connecting from customer LANs to its production backbone?

• Does it provide redundancy and load balancing for firewalls and other critical security elements?

• Does it perform (or have an experienced consulting company perform) external penetration tests at least quarterly and internal network security audits at least annually?

/zimages/2/28571.gifPaul Roberts explains what IT managers need to do before going with software as a service. Click here to listen to the podcast.

Rick Fleming, chief technology officer at Digital Defense, echoed the Gartner advice and warned that the practice of placing security risks on the back burner is dangerous.

"You see all these Web applications being launched with a lot of hype, and you know its a security nightmare waiting to happen. The bigger problem, to my mind, is that businesses arent putting security into the buy," Fleming said. "Until it makes a significant impact on the bottom line, security wont be a driver for change. Thats just the way the industry works."

/zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.