ASPIC Issues Security Guidelines

With surveys showing security to be the top issue of concern among ASP end users, the ASP Industry Consortium has launched a security initiative within its Technology Committee and published a guide that highlights important security issues both vendors and customers need to be aware of.

The “Key Security Issues for ASPs and Their Customers” booklet was unveiled today (Nov 14) by ASP Industry Consortium officials at COMDEX Fall 2000 in Las Vegas. The booklet, available through the ASP Industry Consortium web site, is a product of the Security Subcommittee, which has been formed within the Consortium’s Technology Committee.

“The mission of this new subcommittee is to define and highlight the best security practices in the ASP marketplace through white papers and case studies,” noted Pavel Slavin, director of global systems for Argus Systems Group Inc., who chairs the Security Subcommittee. “Our vision is to ensure that ASP customers receive a secure, unique connection from desk-to-data, with equal security protection in place at all levels of access.”

The Security Subcommittee will focus its efforts through four specialized working groups, each responsible for developing guidelines for best security practices in its particular area of concentration, Slavin explained. The four working groups are:

— Network Security Working Group – Responsible for establishing best security practices guidelines for securing the network component of the ASP infrastructure.

— Platform Security Working Group – Responsible for evaluating technologies that extend network security to the platform level to create a single comprehensive security environment.

— Integration Security Working Group – Responsible for defining the practices necessary to develop and implement a security architecture and the associated operational security processes.

— Security for SLA Working Group – Responsible for developing security- relevant information for ASP service level agreements (SLAs).

While each of these working groups will concentrate on defining and highlighting best security practices, other groups within the subcommittee will explore real-world implementation of these practices through extensive security case studies, Slavin added.

“Although security risks in the ASP environment can never be eliminated entirely, an ASP can help minimize these risks by paying particular attention to three key aspects of overall security: network security, platform security and integration security,” Slavin said. “Only by taking steps to ensure all three types of security can an ASP establish a security environment that adequately protects both its customers’ interests and its own.”

The guide highlights those three key areas – network security, platform security and integration security – that require special attention from ASPs, and offers first steps toward understanding security options for those areas. It also advises on some initial steps customers can take to enhance the security of their applications and systems, such as creating an organizational security policy or requesting third party security audits.

“The ASP delivery model has not only inherited many security risks common to any information technology (IT) environment, but also introduced new concerns that arise from having a third party host and deliver business-critical applications and systems,” said Slavin in explaining the need for his committee’s work. “Our overall goal is to alleviate those concerns by helping ASPs better understand their customers’ security needs, while at the same time instilling customer confidence in the ASP computing model.”

News Around the Web