
June 5, 2000


ASPs Answer The Security Question

Companies must trust their service providers and be willing to enforce policies in-house

By Terry Sweeney

Illustration by Cyril Cabry
    Point your browser to your company's Web page. Enter your logon and password, and click on an icon marked "Inventory." Pull up sales figures. If it's near the end of the month, you may decide to discount remaining stock or increase the commissions to entice your distributors and salespeople. No big deal, right? You've done it this way for years.

    Except that increasingly, your data and middleware may reside with an application service provider. That means you're entrusting the security of your data to your ASP and your Internet connection--and it means you need to know it's safe from hackers, viruses, and other dangers lurking in the ether.

    "Security is an issue that can erode public confidence in your organization if you screw it up," says Richard Bagby, VP of informatics and CIO for Pinnacle Health Systems, a $400 million health-care provider in Harrisburg, Pa.

    Bagby uses a service from ASP Shared Medical Systems to store data about Pinnacle's patients, who made more than 1 million visits to Pinnacle health-care centers last year. "Obviously, it's critical we keep all their information confidential," Bagby says, citing the Health Insurance and Accountability Act, recent federal legislation that requires greater security of health-care data.

    Pinnacle relied on the consulting services of PricewaterhouseCoopers and Ernst & Young to certify that Shared Medical provides adequate security, Bagby says. For Internet access, the ASP uses a token-based authentication system, which issues a six-digit token that changes every 60 seconds. A firewall helps keep unauthorized users from accessing the servers.

    For apps demanding high security, customers of the Shared Medical service are typically assigned dedicated servers, so no customer shares a server with another customer, says John Kijewski, VP of data center systems and operations at Shared Medical. "Our customers all want to look at clinical information, so security is an absolute requirement," Kijewski says.

    The ASP is also looking at smart cards as a way to boost the security threshold even higher. The smart card would contain a token, issued either by the customer's IT department or by Shared Medical, to identify the user.

    Shared Medical has more experience than most ASPs in offering networked application services, because it offered mainframe-based applications via dedicated links for years. But other ASPs have rapidly realized that they must provide adequate security if they expect customers to outsource applications to them, particularly because ASPs have not yet gained the credibility of outsourcing stalwarts such as EDS or IBM, analysts say.

    Clearly, the Internet has sensitized the IT world to security management like never before, says David Tapper, a senior research analyst with International Data Corp. "The corporate world is just waking up to the security issues and the openness of the network," he says. Most customers say security is essential and nonnegotiable, especially if the fledgling ASP industry is to grow as predicted. Dataquest predicts ASP service revenue will total $2.7 billion by the end of this year and climb to $22.7 billion by 2003.

    "There's a level of confidence that the enterprise must have in the ASP before it will consider them," said Jilani Zeribi, a senior analyst with consulting firm Current Analysis. He says the business case for using ASPs makes a lot of sense: It lets users avoid the costs of buying application software, firewalls, and servers, and hiring the personnel to run it all. "But the market must now convince users to release their stranglehold and actually deploy these services," Zeribi says.

    "You've got mission-critical documents or apps that you may not be able to afford to say, 'Let's give a shot to an outsourcer.'"

    To overcome that reluctance, ASPs typically roll security costs into the flat-rate price of their application service instead of charging for it separately. ASP customers typically pay $2.50 to $5 per month per seat, depending on volume and application types. ASPs can bundle these security features because it costs them relatively little to do so, says Glenn Ricart, chief technology officer at CenterBeam Inc., which specializes in information system outsourcing for midsize and small businesses. "There are huge economies of scale here. The cost of a triple firewall gets spread over several customers, and any additional hardware to support additional traffic is a relatively small cost," when amortized across multiple customers, he says.

    Some users don't need much convincing to buy into the idea that ASPs can offer a secure service. Jeff DeGroot, human-resources manager for Agricultural Exchanges Online in Sacramento, Calif., says his previous experience soured him on the idea of in-house IT services. "Every system I've worked with has either had the database stored locally or on the company network. To tell you the truth, I'd rather have a professional dealing with it outside the building as well as doing the hosting and maintenance."
