Security prime fear of ASP customers

Security continues to remain the primary concern of existing and future application service provider (ASP) customers, according to a recent survey done in the United States on behalf of an ASP advocacy group.

More than 60 per cent of those surveyed by Zona Research, Inc. of Redwood City, Calif. responded that their greatest fear about ASPs was that “security of (their) data may be compromised.”

The sampling was done of 137 managers or IT professionals who have purchasing authority for or involvement with general office productivity or software, and who have indicated that they are currently using ASP services or plan to in the next 12 months.

The ASP Industry Consortium commissioned the survey as part of a quarterly series. The AIC is an international advocacy group of more than 675 companies formed to promote the application service provider industry.

Although the survey was confined to customers in the United States, ASP analyst Lise Dellazizzo of IDC Canada in Toronto said the same issues exist in Canada.

“With the ASP model, what a company is asked to do essentially is let another company manage its applications. And if those applications happen to be mission critical applications, then the whole issue of security is extremely important,” she explained.

According to the AIC survey, security fears are not without merit. Although the vast majority of respondents indicated that anti-virus software and software firewalls are currently being supported and provided by their ASPs, only 36 per cent indicated user-based access control/authentication was available. And only 22 per cent said their ASPs supported and provided intrusion detection.

According to David Fung, the president of FutureLink Canada in Toronto, a subsidiary of AIC founding member FutureLink Corp., the problem is many current ASPs are “mom-and-pop” operations trying to take advantage of a burgeoning business model.

“Anybody can be an ASP,” Fung said. “You put a few servers in your home and say, ‘I’m an ASP. You can connect to me and I can rent you software.’

“The key is the customers have to decide what service level agreement they want, and who can deliver it and execute it,” he said.

Fung also said that, despite his company spending $10 million on a secure data centre in Calgary and spending much of its time doing intrusion detection in an effort to fend off potential hackers, some customers are always going to be afraid of security breaches.

“I think it’s the general fear of the Internet,” he suggested. “People in general just don’t feel the Internet is as secure as it should be, because you hear about people hacking into sites like Microsoft.”

While ASPs can perhaps counter security fears with facts, Delazizzo said they should also be prepared to encounter reticence of a different sort when dealing with Canadian customers.

“Dealing with a Canadian CEO is different than an American CEO,” she said. “(They) don’t typically take risks quite as quickly or as deeply as (their) U.S. counterparts.”

Delazizzo said the ASP market will generate about $23 million in revenue this year. She said IDC expects that figure to jump to $445 million by 2004, but that will still be a small portion of the $7.2 billion worldwide market.

Fung is optimistic one of the technological drivers of the ASP model is the decreasing cost of bandwidth in Canada. Communications prices in this country are some of the lowest in the world.

“As the price of bandwidth is coming down, then it’s so much more economical for everybody to connect to a server farm to run applications,” Fung said.

Unfortunately for Fung, the AIC survey also revealed that customers are demanding that their applications be available on a near-constant basis. More than 50 per cent of respondents indicated the acceptable level of downtime must not be more than .01 per cent, or only 53 minutes a year.

Unlike voice services, however, which operate at “five nines” reliability or 99.999 per cent, Fung said some telecommunications providers can only guarantee data transfer rates of 99.7 per cent. FutureLink tries to get around this problem by subscribing to redundant links, in case one service provider experiences an outage. Their own server farms operate at 99.99 per cent.

To Delazizzo, this is not enough.

“The ASPs will have to strive to even improve that to try to reduce the amount of downtime because the ASP model is being sold on the premise that it can provide absolute security, both physical as well as data transmission, and also provide total support so that the company can focus on its core competency,” she said.