The Truth About ASPs
Trusting Strangers with Your Business Data
Ian Poynter & Diana Kelley 2
Introductions
Ian Poynter, Jerboa Inc. [email protected]
Diana Kelley, LockStar, Inc. [email protected]
What is an ASP?
Application Service Provider
Outsourcing Taken to the Extreme
Hosted Applications
Hosted Business Data
Examples
Contact Management: Agillion
Backups: Recovery Solutions
Examples
Calendaring: eCal
Storage: iDrive
Questions
For Customers: Questions to Ask
For ASPs: Questions to Answer
Longevity
How Long Has the ASP Been in Business?
Who Are Their Other Customers?
What Do Their References Say?
Security Policy
Is There a Security Policy?
How Do the ASP’s Procedures Reflect Their Policies?
How Are the Policies Upheld?
Customer Policies Should Be Willingly Accepted
Customer Suggestions Should Be Accepted
Security Policy
How Does the ASP Ensure Their Policies Are Enforced?
Do They Conduct Audits?
Third-party “seals of approval”
Do They Keep Secure Logs?
Are There “Checks and Balances”?
Application Hosting Design
What Is the ASP’s Security Approach?
Philosophy and Strategy
Design and Implementation
Application Hosting Design
Problems with Shared Servers: Data Confusion (One Customer’s Data Reaching Another)
Physical and Network Security: Is the Facility Secured?
Is the ASP Production Network Secure?
Consider Also Their Corporate Network
Application Hosting Design
Home-Grown vs. COTS Applications: Is This Custom-Built Software or a Packaged Product Such as SAP?
COTS Applications
Can the ASP Get Security Problems Fixed?
Is the Software Vendor Responsive?
What Control Does the ASP Have?
How Reliable Is the Vendor?
Home-Grown Applications
Are Applications Built With Security in Mind, Not “Tacked On”?
How Often Are Applications Modified? Daily? Weekly?
Is There A Formal Quality Assurance Process?
Opportunities for Error Abound
Code Reviews
Who Has Reviewed the ASP’s Code? Probably No One
Problems with COTS Software
Was the Review Independent, or Was It Internal?
How Often Are Reviews Repeated?
Contingency Planning
Disaster Recovery: Do They Do It?
Backups: Sent Off-site?
What Is the Off-site Backup Storage Policy?
Contingency Planning
Incident Response: What Are the Policies and Procedures?
What Is the Escalation Path?
How Quickly Do I Find Out My Data Was Compromised?
Availability
What Kind of Redundancy Is Built Into the ASP’s Systems?
What Guarantees of Availability Are There? Uptimes?
MTBF (Mean Time Between Failures)
Separation Safeguards
Data Separation: Is Customer Data Kept Separate?
Is Data Safe From Internal Threats? Employees and Contractors
Who Has Access to Your Data?
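The "data confusion" problem on shared servers and the "is customer data kept separate?" question above both come down to the same design point: on a server that holds several customers' data in one database, every query has to carry the customer's identity, taken from the authenticated session rather than from the request. The following is an added example, not code from the presentation or its authors. It uses an in-memory SQLite database, two constructed customers ("acme" and "globex") and a constructed contacts table to show the unscoped lookup that leaks across customers beside the scoped read, list and update functions that keep the data separated.

```python
"""Tenant-scoped data access on a shared server.

Added example (not from the presentation): an in-memory SQLite database stands
in for an ASP's shared production database. Two constructed customers, "acme"
and "globex", share one contacts table. The unscoped lookup shows how data
confusion happens; the scoped functions show the separation safeguard: the
tenant id comes from the authenticated session and is part of every query,
reads and writes alike.
"""
import sqlite3

# Constructed sample rows: (id, tenant_id, name, email). Ids are global across
# customers, which is exactly the situation in which a guessed id reaches
# another customer's record.
SAMPLE_ROWS = [
    (1, "acme", "Alice", "alice@acme.example"),
    (2, "acme", "Bob", "bob@acme.example"),
    (3, "globex", "Carol", "carol@globex.example"),
]

COLUMNS = "id, tenant_id, name, email"


def open_shared_db():
    """Create the shared table and load the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contacts ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, name TEXT, email TEXT)"
    )
    conn.execute("CREATE INDEX contacts_tenant ON contacts (tenant_id)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def get_contact_unscoped(conn, contact_id):
    """Data confusion: the row is selected by its global id alone.

    Whichever customer supplies contact_id gets the row, whoever owns it.
    """
    return conn.execute(
        f"SELECT {COLUMNS} FROM contacts WHERE id = ?", (contact_id,)
    ).fetchone()


def get_contact_scoped(conn, session_tenant, contact_id):
    """Separation safeguard: tenant_id is taken from the authenticated session
    (never from the request) and is part of the WHERE clause.

    Another customer's row and a nonexistent row both come back as None, so
    the caller cannot use the response to probe which ids exist elsewhere.
    """
    return conn.execute(
        f"SELECT {COLUMNS} FROM contacts WHERE tenant_id = ? AND id = ?",
        (session_tenant, contact_id),
    ).fetchone()


def list_contacts(conn, session_tenant):
    """Listing is scoped the same way; there is no unscoped path for it."""
    return conn.execute(
        f"SELECT {COLUMNS} FROM contacts WHERE tenant_id = ? ORDER BY id",
        (session_tenant,),
    ).fetchall()


def update_email_scoped(conn, session_tenant, contact_id, new_email):
    """Writes are scoped too. Returns the number of rows changed: 1 for the
    customer's own record, 0 when the id belongs to another tenant, so a
    cross-tenant update changes nothing instead of clobbering someone's data.
    """
    cur = conn.execute(
        "UPDATE contacts SET email = ? WHERE tenant_id = ? AND id = ?",
        (new_email, session_tenant, contact_id),
    )
    conn.commit()
    return cur.rowcount


def cross_tenant_leak_report(conn, attacker_tenant, probe_ids):
    """Which ids a user of attacker_tenant can read through each code path
    that belong to some other customer. Makes the difference concrete.
    """
    leaked_unscoped = [
        i for i in probe_ids
        if (row := get_contact_unscoped(conn, i)) is not None
        and row[1] != attacker_tenant
    ]
    leaked_scoped = [
        i for i in probe_ids
        if (row := get_contact_scoped(conn, attacker_tenant, i)) is not None
        and row[1] != attacker_tenant
    ]
    return {"unscoped": leaked_unscoped, "scoped": leaked_scoped}


if __name__ == "__main__":
    db = open_shared_db()
    # A globex user walking ids 1..3 through each code path.
    print(cross_tenant_leak_report(db, "globex", range(1, 4)))
```

The point to check when reviewing an ASP's hosting design is whether the second pattern is the only one that exists: a single unscoped query path (a report, an export, an admin tool) is enough to confuse one customer's data with another's, and the scoped read should return the same "not found" answer for a foreign record as for a missing one.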
Employee Screening
How Experienced Are the ASP’s Employees?
Does the ASP Screen Their Employees?
Reference Checks? Background Checks?
What Should ASPs Do?
Cover Themselves: Get Insurance
Take Security Seriously, and Do It Well
Prepare to be Sued
What Should ASPs Do?
Security as Marketing: Do All the Things We Describe
Take Security Seriously
What Should Customers Do?
Ask the Hard Questions
Get Everything in Writing
Get Assurance from the ASP of:
Availability
Coverage for Losses
Get Insurance