www.aspnews.com/trends/article.php/969551
By Paul Rubens February 6, 2002 Fingerprint and iris scanning devices that would make James Bond proud will soon become commonplace on desktops as ASPs beef up their authentication systems to keep customers' data secure. That's the view of Mike Arnavutian, head of security strategy at BT Ignite, the international broadband and solutions business of U.K.-based telco British Telecom.
Access authorization is key, both on the physical and electronic levels, and to do this effectively it's necessary to be sure exactly who you are letting in. "We have biometric systems such as fingerprint and iris scanning for physical data center access, and with the prices coming down it is practical for end users to have them too," Arnavutian says. "I think that very soon customers will demand them to help ensure that all their users' identities can be accurately authenticated."
A Matter of More Than Trust

BT Ignite's Arnavutian says that security measures for an ASP hosting corporate data should start with physically secure premises with suitable access controls, and continue with secure firewalls, authentication systems, anti-virus software and other security architecture features. As well as constant review and updating, there are plenty of other procedures that should be run regularly to screw down security, including vulnerability assessment surveys and penetration testing.

Vulnerability surveys involve scanning IP addresses and making sure that all known vulnerabilities have been appropriately patched: Many security breaches happen when hackers exploit known holes in systems because no one has got around to fixing them.

Penetration testing, or ethical hacking, is more labor-intensive, and thus more expensive. It involves expert hackers, sometimes from an outside company, spending a set amount of time trying to break in to a system using original or creative techniques. A good ethical hacker who fails to penetrate a system after an adequate period of time gives a good indication that robust security measures are in place.
An Inside Job

What should an ASP be doing about internal threats? "Awareness training and rigorous security policies are vital," says Arnavutian. A security policy clearly defines the measures that should be taken to protect the confidentiality, availability and integrity of information and assets. "Many organizations have security policies, but that alone is not enough. If you don't communicate them to all your staff and enforce them, they are useless." Security screening or vetting of all staff, including part-time staff and contractors, is also vital, he says.

An area that has always been important, but which since the events of September 11th has been put in the spotlight, is disaster recovery and business continuity. Put simply, what will happen to mission-critical applications in the event of a disaster at or close to a data center? Although having a backup data center is now a "check list" item that all customers will require before handing their applications over to an ASP, it is up to customers to satisfy themselves that a viable and regularly tested disaster recovery plan is in place, so that in the event of a disaster operations will be able to continue from the backup data center with the minimum of disruption.

For the ASP, security spending can often seem like an impossible business problem: customers want their applications and data to be secure, but aren't necessarily willing to pay a premium to ensure that the necessary measures can be put in place. A possible solution to this is to put named security products in the service level agreement (SLA) to differentiate the service offering from competitors and to help customers understand what they are paying for, or to offer compensation terms that make potential customers realize that paying for security is worthwhile. But make sure the compensation terms are realistic: only one thing is 100 percent certain in the security industry, and that's that nothing is 100 percent secure.