Message-ID: <28774338.1075857051737.JavaMail.evans@thyme>
Date: Wed, 13 Dec 2000 13:10:00 -0800 (PST)
From: applicationservice@bdcimail.com
To: vkamins@enron.com
Subject: The security double standard
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-From: "NW on Application Service Providers"
X-To:
X-cc:
X-bcc:
X-Folder: \Vincent_Kaminski_Jun2001_9\Notes Folders\Notes inbox
X-Origin: Kaminski-V
X-FileName: vkamins.nsf

NETWORK WORLD FUSION FOCUS: JEB BOLDING on APPLICATION SERVICE PROVIDERS
12/13/00 - Today's focus: The security double standard

Dear Wincenty Kaminski,

In this issue:
* Security resources to consider
* Experts Exchange
* Links related to ASPs
* IT Job Spot(tm): Can UNIX save lives? Oakland, CA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Today's focus: The security double standard
---------------------------------------------
By Jeb Bolding

Security is a top concern for everyone in the application service provider space.
With so many options on the market, it can be difficult for customers and ASPs to pick the right kinds of security for storage and transmission of sensitive corporate information. Perhaps the ideal security product for ASPs is one that gives customers the most comfort, is reasonably cost-effective, and can be managed by a staff that may not be expert in security.

The toughest part for ASPs is that their customers hold them to a security double standard: they often expect better security for their remotely hosted systems and data than they provide for their own local systems. I find this ironic, considering most security infractions occur from inside an organization, not outside. Conventional wisdom places the percentage of breaches at 80% internal and 20% external (though I haven't independently verified these statistics). Based on that information, I would think customers considering an ASP model for applications and data would be stumbling over one another to locate their systems at an ASP, thus reducing their exposure to system compromises.

Instead, prospective customers typically hit the ASP with security questions that may be beyond the expertise of the ASP in question and may be only marginally understood by the customers themselves. ASP business development staff have to become versed in the workings of VPNs for data transfer and public-key infrastructure for authentication and encryption, for example, just to get in the door with a potential customer. Unfortunately, comprehensive security procedures and technologies are typically very expensive to implement and require a level of security expertise that most ASPs cannot hope to build and maintain. And I'm not so sure these technology answers are really solving the problem of security for ASPs and their customers. Again, 80% of security breaches come from the inside.
In a lot of cases, that means the true threat is from people who are already inside the perimeter: past the firewall and the demilitarized zone, holding legitimate credentials and network access. It seems to me that security technology is really only part of the answer to the overall security question. In my opinion, ASPs and large enterprises should look beyond the latest security technology and hire security experts from the Department of Defense, NSA or the CIA who can help implement security policies and procedures that will be effective in eliminating the 80% of breaches that are internal.

There are several documented systems, publicly available from the government, that outline the policies and procedures necessary to meet certain levels of security. For example, the NSA's National Computer Security Center publishes the Rainbow Series of trusted-systems guides, each named after the color of its cover: the Orange Book (the Trusted Computer System Evaluation Criteria), the Bright Blue Book, the Teal Green Book and others, all of which are good resources on a variety of security topics. No doubt, there are some commercial enterprises that also adhere to recognized security standards and can provide the procedures and technology necessary to ensure the integrity of critical business information inside and outside corporate networks. Partnerships between ASPs and these emerging companies would make a lot of sense.

I don't mean to exclude technology solutions from this discussion. I believe that there are significant strides being made to make security technology more usable and affordable. But I fear that ASPs are setting up service-level agreements with their customers that guarantee certain levels of security and intrusion detection but really only cover the most visible problem.

To contact Jeb Bolding:
--------------------------------------------
Jeb Bolding is senior consultant with Enterprise Management Associates in Boulder, Colo., an analyst and market research firm focusing exclusively on enterprise management.
Bolding has 10 years of experience in the network systems industry, most recently with eCollege.com, an ASP for higher education, where he was director of product development. He can be reached at mailto:jbolding@enterprisemanagement.com.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
FOR RELATED LINKS -- Click here for Network World's home page: http://www.nwfusion.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Experts Exchange
Got a technical question related to new technology on your corporate network? Post it at Experts Exchange on Fusion at http://nwfusion.experts-exchange.com/. Another network professional may have the solution to your problem.

Question to consider: What defense will an ASP have if one of its customer's databases is compromised as a result of internal mischief?

Links related to ASPs
National Security Agency Rainbow Series on CD-ROM: http://www.radium.ncsc.mil/tpep/library/hard-dist.html
Excite@Home with ASPs, Network World, 12/04/00: http://www.nwfusion.com/news/2000/1204asp.html
Breaking ASP news from Network World, updated daily: http://www.nwfusion.com/topics/asp.html
Archive of the ASP newsletter: http://www.nwfusion.com/newsletters/asp/index.html

*********************************************************
Subscription Services
To subscribe or unsubscribe to any Network World e-mail newsletters, go to: http://www.nwwsubscribe.com/news/scripts/notprinteditnews.asp
To change your email address, go to: http://www.nwwsubscribe.com/news/scripts/changeemail.asp
Subscription questions? Contact Customer Service by replying to this message.

Other Questions/Comments
Have editorial comments? Write Jeff Caruso, Newsletter Editor, at: mailto:jcaruso@nww.com
For advertising information, write Jamie Kalbach, Account Executive, at: mailto:jkalbach@nww.com

Network World Fusion is part of IDG.net, the IDG Online Network. IT All Starts Here: http://www.idg.com
Copyright Network World, Inc., 2000