Application Service Providers: Are They Sitting Ducks?

Two years ago, when someone used the acronym ASP, they were probably referring to Microsoft's Active Server Pages technology. Today, a new group of entities that call themselves application service providers (ASPs) has appropriated the acronym. ASPs offer businesses and other end users centralized network-based access to a set of everyday applications for a fee. Using a high-speed network connection, users connect to an ASP to run the applications they need.

Microsoft CEO Steve Ballmer once said that shrink-wrapped software will one day become a thing of the past. I think that ASPs are the inevitable replacement for shrink-wrapped software, so what are the pros and cons of this form of computing?

With the use of ASPs, the cost of operation for a network will replace cost of ownership. In the future, instead of owning your network, you might lease it. Large ASPs might eventually offer your business a total network solution, including all software, hardware, cabling, maintenance, support, Internet connectivity, and upgrades. With that basic network service plan, ASPs will probably guarantee uptime, network response time, and information security.

If anything will stymie ASPs' acceptance in the marketplace, it will be security. The reasons are manifold but are mainly found in the potential for Denial of Service (DoS) attacks and data interception. Are today's OSs and network hardware robust enough to fend off Distributed Denial of Service (DDoS) attacks? Has VPN technology been tested thoroughly enough that a business can trust its ability to continually protect data? I think you'll find that the answer is no to both questions.

For example, Microsoft's VPN solution is PPTP. Security organizations Counterpane and L0pht proved that Microsoft's first rendition of PPTP was seriously flawed. Microsoft corrected those shortcomings with the release of PPTPv2, but what other problems remain undetected or unreported? An even bigger concern might be why Microsoft didn't detect these problems before releasing the technology. Numerous vendors release less-than-secure products, so Microsoft is not alone in that category.

Perhaps I'm wrong, but it seems as though vendors prefer to release software, then wait for independent hackers to find problems with it, which the vendor then fixes at its leisure. This routine of waiting for third parties to find bugs in already-released software shifts the cost of debugging from the vendor to the consumers. Is it fair to put consumers at risk like that? And more importantly, will that cost-shifting methodology work with ASP-based solutions? I seriously doubt it.

The public doesn't accept claims of product security at face value. If a vendor makes a claim about security, hackers will test that claim and report their findings. If vendors don't change the way they test code and do a more thorough job of looking for security risks, hackers will have a field day on ASPs. Hackers will quickly prove how easily they can disrupt ASP service or compromise information security. And if hackers do those things, isn't that beneficial to everyone who relies on the ASP and its applications? I think so. Perhaps insecure applications are no different than any other defective product, where it’s the manufacturer's ultimate responsibility to keep the product safe to use.

The bottom line is that for ASP technology to become acceptable across the board, it must first be certified as a secure computing method. But who will make that certification? You certainly can't accept a vendor's claims at face value—they've proved time and again that they are fallible when it comes to the development of risk-free applications.

And even if the applications are deemed secure, which ASP will boldly certify that it's DDoS-proof or crack-proof? If an ASP becomes the target of DDoS attacks or a serious breach of security, how will that ASP compensate its clients for any subsequent loss of business revenue? Will businesses have to waive the right to revenue recovery when they contract with an ASP? Will governments have to eventually intervene on behalf of any businesses affected by ASP security issues? Will ASPs become regulated like other communication services?

ASP technology raises many questions, most of which have no clear answer yet. But one thing seems clear: ASPs are not ready for prime time. The security risks alone are too great for most businesses to accept. Nonetheless, Microsoft and other vendors intend to realize their envisioned future of a society without shrink-wrapped software. Several aspects of computing will need to change before that happens: Vendors must enhance the way they test their code for security problems, and networks must become more resistant to all types of DoS attacks. Until that happens, I think ASPs will remain sitting ducks.

On a related note, you can stay current on the latest ASP happenings by subscribing to our biweekly ASP Review UPDATE electronic newsletter featuring News Editor Christa Anderson. Stop by our Web site to subscribe.

Also, I'd like to point out that you can now find my weekly editorial posted on our NTSecurity.net Web site each Wednesday afternoon, complete with functionality that lets you post your own comments. Be sure to stop by and discuss ASPs with me. I'm anxious to learn your ideas, concerns, and opinions. Until next time, have a great week.

TAGS: Security