dcsimg
RealTime IT News

IDC Says ASP Security Not a Given

At this point in the development of the ASP market, you might assume service providers had the security thing down cold. Not so, according to a survey by IDC.

In its report, "Delivering Software as a Service, Delivering a Sense of Security," the Framingham, Mass.-based research company says that of 50 ASPs surveyed about 25 percent had substandard security.

Levels of Security
Security Service Percentage of ASPs offering
User Authentication Service 78 percent
Firewall 76 precent
Network Security 76 percent
Virus Protection 76 percent
Disaster Recovery 74 percent
Redundant Service 74 percent
Detection of Illegal Action 68 percent
Institution Security 68 percent
24 X 365 surveillance system 60 percent
Institution Security 68 percent
Escalation 58 percent
Report on Security Conditioning 52 percent
Data Cyptography 50 percent
Security Consulting 34 percent
Bio-Metric 24 percent
Other 10 percent
"IDC contends that at a minimum ASPs should provide user authentication, firewalls, virus protection and network security. As the chart indicates, roughly 25 percent did not provide these fundamentals," IDC's Jessica Goepfert told ASPnews.

No, we aren't talking Department of Defense levels of security that were missing. The IDC study says some ASP were lacking fundamentals such as user authentication, virus protection, network security and firewall services.

Jessica Goepfert, program manger with IDC's ASP and Application Management Services research program, told ASPnews that IDC selected the 50 ASPs at random from two lists to ensure that the survey reflected "where the ASP market really is today in terms of security." Respondents were initially targeted based on IDC's understanding that they offered ASP services.

Goepfert added that IDC "took great measures to properly identify which companies were truly providing ASP services compared with other types of services (e.g., Web hosting, IS outsourcing, application management and systems integration)."

The good news is that the majority of respondents do seem to have the basics down. However, IDC reports, there are still ASPs offering customers access to applications in an unprotected environment. "The truth is that enhanced security is often a benefit of signing with an ASP," Goepfert told ASPnews. "Chances are that the ASP offers more security than its customers and prospects could afford to deploy on their own. However, there are indications that some ASPs have entered the market with substandard protection."

The ASP industry hasn't yet reached full maturity and IDC reports that ASPs are at different points in their life cycle and may each take different approaches to attack the market. However, new or old, ASPs must all understand that security is essential to winning customers and promoting adoption of software as a service.

To accelerate adoption of hosted applications, according to IDC, ASPs must continue to educate the market about their security precautions and convince prospects that they can better protect the application environment than an internally deployed system.

"High-end ASPs that are rolling out enhanced security services are setting a strong example and new entrants would be well-served to observe," said Goepfert. "In fact, in recent months IDC has witnessed announcements from leading ASPs that demonstrate this trend and commitment to providing state-of- the-art security services."

Related Article
ASPnews consulting analyst Phil Wainewright writes,
"It's time companies realized that, if they want to take advantage of all the commercial benefits the Internet represents, then they have to accept responsibility for security. The technology is there to ensure security to the nth degree. It's time to start using it. And ASPs should be setting an example, not cutting corners."
Full Story

Interestingly, though, while many ASPs are beginning to guarantee the availability of security services, Goepfert notes that ASPs are not guaranteeing the effectiveness of security measures.

"The ASPs surveyed rarely, if ever, had any guarantees or metrics wrapped around the effectiveness of their security services. Who can blame them? Attacks are a reality of the computing environment; hackers are constantly getting wiser and actively seeking out the vulnerabilities of the cyber world," Goepfert told ASPnews.

"Security guarantees may bring end users more peace of mind, but if they can't be upheld they will be as worthless as the paper they are written on and will only serve to build false expectations with their customers."

Whether or not security measures are clearly outlined in an SLA, ASPs can't afford to ignore security, because they can be sure that their customers are paying attention. "Businesses understand that a breach in security could result in severe financial losses, never mind the damage to the company's reputation," said Goepfert. "It's up to the ASP to stay on top of these security systems in order to simply stay in the game."


Do you have a comment or question about this article or the ASP industry in general? Speak out in the ASP Discussion Forum.