InformationWeek

Simpata's software fills that void pretty well, DeGroot says, and he thinks it's good value. AgEx's monthly ASP bill runs between $300 and $400. To purchase a competing personnel software package from Human Resource MicroSystems would have cost $30,000 to $40,000, depending on the maintenance contract, he says. Those numbers made outsourcing the app an easy decision.

ASPs are anything but homogenous in the way they offer services. ASPs formed to outsource applications of all sorts, such as USinternetworking Inc. and Verio Inc., are likely to handle their own secure Web hosting, authentication, and encryption services.

Smaller ASPs that specialize in a single application--typically vendors with expertise in a vertical market such as purchasing, law, or inventory management--are more likely to outsource their hosting and authentication servers to companies such as AT&T or Exodus Communications Inc., which call themselves infrastructure service providers.

For the highest security requirements, customers may demand public key encryption, a technology that uses digital certificates to guarantee the identities of those who download and upload to the ASP network. ASPs often contract with a third party such as VeriSign Inc. or Entrust Technologies Inc. to issue the certificates in those cases since there are so few options in the emerging and highly specialized digital certificate management arena.

Simpata specializes in insurance and employee benefits packages and services and has outsourced its server and firewall administration to Pilot Network Services Inc., a secure hosting company. Simpata retains control of the password structure and access to the applications. "At a minimum, it would have cost us $500,000 to $1 million to replicate what Pilot has," says Jeff Simon, president of Simpata.

For most users, an ASP's behind-the-scenes partnerships with suppliers of hosting or specialized security services is transparent and not an issue. "Corporate users look at this as how many places do they have to go to buy or procure services," says Eric Hemmendinger, an analyst with Aberdeen Group. If it's possible to get additional services, such as security, through the partners of an existing supplier, they'll consider it, he says.

And Simpata's Simon argues that an ASP's security is still a big step up from where most companies are now. "You've got to figure that data is far more secure in this environment than it is in any other environment," he says. Whether the user runs an application in-house or resorts to faxing the payroll information every two weeks, it's still much less secure than what most ASPs deliver, Simon says. Some ASPs say that surprisingly few customers implement their own security measures, such as video surveillance of vulnerable doors, and stress that customers can't offload all security concerns to the ASP; they need to look after security within the enterprise as well.

Some IT execs agree. Pinnacle's Bagby says he recently implemented an application from Shared Medical that provides dial-in access for doctors, using logon and password protection and 128-bit encryption. He says some of his users gripe about the time it takes to input the information needed for security verification. "I've held the line and told them it's necessary for us to have confidentiality," Bagby says.

Such incidents underscore the need for thinking carefully about security policies, Bagby says. "You have to have a balance. One hundred percent security means not giving anyone any information," he says. "The minute you open it up, it's a compromise. How easy are you willing to make it to access the information?"

The biggest risks come not from intruders, but from careless or inappropriate use of information from within the enterprise, Bagby says. "You can have all the policies and procedures you want, but if people don't obey them you're going to have problems," he says. "Any organization's biggest security risk is the misuse of information by those who already have access to information."

return to page 1