Why? Users accessing an ASP site need valid user names and passwords to get through the firewall and authentication servers. Plus, as ASPs manage their applications, they can detect and shut out users who try to log on to the system repeatedly with invalid passwords. By contrast, it's easy to access consumer sites because the goal of those sites is to encourage traffic.

Still, such scares reinforce the need for ASPs to build a secure infrastructure. "ASPs know that maintaining a robust, secure environment is a critical part of their business," says Meta Group analyst Daniel Scholer. ASPs such as Corio, Intacct, and Oracle Business OnLine have established partnerships with network providers such as Concentric Network Corp. and Verio Inc., or built their own data centers equipped with several firewall layers, load-balancing technology, authentication and authorization software, and tools that let them monitor and detect potential intrusions. "ASPs have put together a strong security presence to prevent a breach of data," says Greg Runyan, senior analyst for Yankee Group.

These days, most business customers use services such as frame relay or leased lines to access their apps to avoid security and performance problems inherent with the Internet. In the future, ASPs expect that an increasing number of customers will use the Web to access applications.

Corio says it plans to implement security precautions to reassure customers who want to use the Web to access their applications. The company recently put a few customers on a virtual private network, where a secure "tunnel" is created over the Internet to transmit data, says Hasan Rizvi, VP of engineering at Corio.

For Web-enabled applications, Corio will set up password and authentication policies similar to those found on its VPN customer sites. "An administration manager at the user site will be the only person able to add new users to the system," says Rizvi, who uses site-management tools from BMC Software Inc. to monitor the systems and Netegrity software for user authentication and authorization.

Corio also has developed proprietary technology to ensure that each user has only one session running at a time. This will prevent an outsider from using a user's password and ID to break into an online application. "The only way someone will be able to bombard the app with illegal data will be if that person finds out the administration manager's password and ID," Rizvi says.

But some users aren't convinced that using a public network to access business applications will ever be secure enough. "As far as financial information is concerned for our company, I wouldn't want to trust any public network, including the Internet, for those systems," says Jim Barry, director of business engineering and application development for General Cinemas Corp. in Boston. "We would always require a private connection." He says he would be concerned about gaining access to his applications, as well as others breaking into his data. Barry, who recently left Hoyts Cinemas Corp. in Boston, where he outsourced PeopleSoft applications to Corio, is in talks to outsource similar applications to Corio for General Cinemas.

Niall Kelleher, accounting manager for U PickUp, a small retail E-commerce company, plans to begin using Intacct online financial applications in the next few months. Kelleher says that while there's an inherent risk when accessing applications over the Net, he believes the benefits outweigh the risks. "Performance and security are always a concern, but Intacct has several layers of firewalls, so I'm confident my data will be secure," he says. "If the Internet as a whole slows down, there's really nothing we can do about that, but we're small enough where we'd be able to handle it." U PickUp processes about 50 to 60 transactions per day. Kelleher says larger companies with heavier transaction volumes may be adversely affected by a slowdown.