ASPs and the Denial of Service Attack

International Data Corp.'s (IDC's) recent study about the application service provider (ASP) market (IDC #B21129) examined the market in general and also identified some factors that can hinder an ASP's success. A summary of IDC's general findings doesn't reveal anything very surprising to anyone familiar with the ASP market: Most ASPs target specific industries; most ASPs partner with other companies to host and serve the applications, rather than relying on a completely internal solution to handle everything from hosting a datacenter to providing network apparatus to application customization; and, although being first to market is helpful, it's not a guarantee of success.

IDC found that one of the biggest barriers to success, however, is fear—not fear on the ASP's part, but customer fear. Anytime that the subject of ASPs comes up, someone always asks, "But will my applications and my data always be available?" It's a good question, even though the vagaries of electrical power and occasional Internet downtime mean that you can never guarantee that your applications and data will always be available, even if they're inhouse. However, because,, Yahoo! and fell under a Denial of Service (DoS) attack a couple of weeks ago, customer anxiety is likely to increase. The attack isn't the first time that hackers have broken into major sites—and it won't be the last. The difference is that this incident was public (unlike the Melissa virus, which only caused problems inhouse) and stopped people from working (unlike the New York Times hack, which just put an online newspaper on the sick list).

It's still unclear whether the person or people who executed this attack were experienced hackers or just plain lucky. One engineer at Yahoo! expressed the opinion that staging such an attack and not being caught was a sign that experts did the job. However, an article at (a hacker site) argues that the attackers staged the assault using preexisting tools and haven't been caught yet, so concluding that hackers staged the attack is a trifle premature. Frankly, I'm not sure it matters. Whether an experienced cracker staged the attack or a wannabe downloaded the tool from a Bulletin Board System (BBS) or Web site, the end result is the same: Users who've read the stories will say, "You're going to put my data on the Internet? Are you nuts?" And, frankly, they have a point. The idea of losing access to your data is frightening, whether it's due to a DoS attack on your server or to the feds shutting down your ASP's server because it was a staging site for such an attack.

ASPs can respond to these threats in different ways. First, ASPs can offer you financial guarantees against downtime, which is basically what a service level agreement (SLA) is. Typically, if the amount of downtime exceeds that stated in your SLA, then you receive a refund for that amount of time. Second, ASPs can offer insurance through a partner, such as Lloyd's, against losses incurred by Web server being the source of an attack, a program that Hewlett-Packard (HP) announced at the ASP Summit in San Jose on February 14.

An alternative is to keep your data nearby, using a local datacenter model such as the one that Push is building in California. The idea is if you can't get your data from the network, you can drive across town and get it. (Of course, that approach still leaves you without access to your applications. But driving across town to get your data is an act of desperation anyway, not something you'd do if you had any other alternative.)

The bottom line is this: Rebates are nice, but you must trust your ASP to protect data and applications from being shut down either directly or indirectly as launching pads for attacks on other servers. Any Internet-dependent company makes a nice, fat, well-publicized target that will generate a lot of media attention if it's shut down. If you keep your computing capabilities inhouse, you can prevent people from finding out that a virus attack hit you. You might have lost data due to the Melissa virus, but if you had backups, you were able to restore that data without your customers—or the morning news—noticing. A highly publicized attack on ASPs will be harder to keep quiet. Not only do you need your applications and data available, but you can't have your customers thinking that you're not reliable because your computing infrastructure, wherever it resides, is vulnerable to attack.

Finding a market to exploit and establishing partnerships to deliver applications and data effectively are crucial to any individual ASP's success. Persuading customers that you'll financially guarantee that they won't have excessive downtime and that you have a security system that will keep them—and you—from becoming the target of a bored teenager will be crucial to the success of the ASP market as a whole.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.