NETWORK WORLD FUSION FOCUS: JEB BOLDING
on APPLICATION SERVICE PROVIDERS
12/13/00 - Today's focus: The security double standard

Dear Wincenty 
Kaminski,

In this issue:

* Security resources to consider
* Experts Exchange
* Links related to ASPs
* IT Job Spot(tm): Can UNIX save lives?  Oakland, CA


~~~~~~~~~~ This newsletter sponsored by Manage.com ~~~~~~~~~~~~~~

Delivering highly available eBusiness operations is anything
but business as usual. In the race to scale in Internet time,
maintaining the highest levels of control and visibility are
not just desirable, they're mandatory. Offer FrontLine e.M to
your customers -The breakthrough solution that helps Web-
centric businesses gauge their success. Don't be left out. Get
more information today on FrontLine e.M from Manage.Com.
http://nww1.com/go/2217628a.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CHECK THESE OUT! Network World is now offering EIGHT NEW FREE
newsletters.  Get the latest on available IT jobs, management
strategies and how to best optimize your web site.  Sign up
today at: http://nww1.com/go/foc69.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Today's focus: The security double standard
---------------------------------------------
By Jeb Bolding

Security is a top concern for everyone in the application
service provider space. With so many options on the market, it
can be difficult for customers and ASPs to pick the right kinds
of security for storage and transmission of sensitive corporate
information.

Perhaps the ideal security product for ASPs is one that gives
customers the most comfort, is reasonably cost-effective, and
can be managed by a staff that may not be expert in security.

The toughest part for ASPs is that their customers hold them to
a security double standard. These customers often expect better
security for their remotely hosted systems and data than they
provide for their local systems.

I find this ironic, considering most security infractions occur
from inside an organization, not outside. Conventional wisdom
places the percentage of breaches at 80% internal, and 20%
external (though I haven't independently verified these
statistics).

Based on that information, I would think customers considering
an ASP model for applications and data would be stumbling over
one another to locate their systems at an ASP, thus reducing
their exposure to system compromises.

Instead, prospective customers typically hit the ASP with
security questions that may not be outside the expertise of the
ASP in question and may be only marginally understood by the
customers themselves. ASP business development staff have to
become versed in the technology workings of VPNs for data
transfer and public-key infrastructure for authentication and
encryption, for example, just so they can get in the door with
a potential customer.

Unfortunately, comprehensive security procedures and
technologies are typically very expensive to implement and
require a level of security expertise that most ASPs cannot
hope to implement and maintain. And I'm not so sure these
technology answers are really solving the problem of security
for ASPs and their customers. Again, 80% of security breaches
come from the inside. In a lot of cases, that means that the
true threat is from people who are already inside the security
demilitarized zones. It seems to me that security technology is
really only part of the answer to the overall security
question.

In my opinion, ASPs and large enterprises should look beyond
the latest security technology and hire security experts from
the Department of Defense, NSA or the CIA who can help
implement security policies and procedures that will be
effective in eliminating the 80% internal breaches.

There are several documented systems, publicly available from
the government, that outline the policies and procedures
necessary to meet certain levels of security. For example,
there is a series of trusted systems books available from
INFOSEC, each named after a color: the Teal Book, the Orange
Book, and the Bright Blue Book, all of which are great
resources for a variety of security topics.

No doubt, there are some commercial enterprises that also
adhere to recognized security standards and can provide the
procedures and technology necessary to ensure the integrity of
critical business information inside and outside corporate
networks. Partnerships between ASPs and these emerging
companies would make a lot of sense.

I don't mean to exclude technology solutions from this
discussion. I believe that there are significant strides being
made to make security technology more usable and affordable.
But I fear that ASPs are setting up service-level agreements
with their customers that guarantee certain levels of security
and intrusion detection, but are really only covering the most
visible problem.


To contact Jeb Bolding:
--------------------------------------------
Jeb Bolding is senior consultant with Enterprise Management
Associates in Boulder, Colo., an analyst and market research
firm focusing exclusively on enterprise management. Bolding has
10 years of experience in the network systems industry, most
recently with eCollege.com, an ASP for higher education, where
he was director of product development. He can be reached at
mailto:jbolding@enterprisemanagement.com.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
FOR RELATED LINKS -- Click here for Network World's home page:
http://www.nwfusion.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Got a technical question related to new technology on your
corporate network? Post it at Experts Exchange on Fusion at
http://nwfusion.experts-exchange.com/. Another network
professional may have the solution to your problem.

What defense will an ASP have if one of its customer's
databases is compromised as a result of internal mischief?
http://www.radium.ncsc.mil/tpep/library/hard-dist.html

National Security Agency Rainbow Series on CD-ROM:
Excite@Home with ASPs
Network World, 12/04/00
http://www.nwfusion.com/news/2000/1204asp.html

~~~~~~~~~~ This newsletter sponsored by VeriSign ~~~~~~~~~~~~~~

The Internet Trust Company

Upgrade your server security to 128-bit SSL encryption! Get
VeriSign's FREE guide, "Securing Your Web Site for Business."
You will learn everything you need to know about using 128-bit
SSL to encrypt your e-commerce transactions for serious online
security. Click here!
http://nww1.com/go/2217671a.html

***************************************************************
IT Job Spot(tm) presented by http://www.ITcareers.com

With LeadersOnline, your eCommerce career advancement is in the
hands of recruiting professionals...not monsters. We bring
exclusive opportunities to you through our convenient web-based
search process. LeadersOnline finds high-quality, $75K-$200K
eCommerce positions meeting your specific requirements.
Developed by Heidrick & Struggles, the world's leading
executive search firm, LeadersOnline matches top IT
professionals with clients needing emerging leaders in mission-
critical positions. Invest 10 minutes to register with
LeadersOnline today. It's free and confidential. We'll do the
rest. http://ad.doubleclick.net/clk;2192248;4831248;j

***************************************************************

Breaking ASP news from Network World, updated daily:
http://www.nwfusion.com/topics/asp.html

Archive of the ASP newsletter:
http://www.nwfusion.com/newsletters/asp/index.html

May We Send You a Free Print Subscription?
You've got the technology snapshot of your choice delivered
at your fingertips each day. Now, extend your knowledge by
receiving 51 FREE issues to our print publication. Apply
today at http://www.nwwsubscribe.com/nl

*********************************************************
Subscription Services

To subscribe or unsubscribe to any Network World e-mail
newsletters, go to:
http://www.nwwsubscribe.com/news/scripts/notprinteditnews.asp

To change your email address, go to:
http://www.nwwsubscribe.com/news/scripts/changeemail.asp

Subscription questions? Contact Customer Service by replying to
this message.

Other Questions/Comments

Have editorial comments? Write Jeff Caruso, Newsletter Editor,
at: mailto:jcaruso@nww.com

For advertising information, write Jamie Kalbach, Account
Executive, at: mailto:jkalbach@nww.com

Network World Fusion is part of IDG.net, the IDG Online
Network. IT All Starts Here:
http://www.idg.com

Copyright Network World, Inc., 2000