
Workforce

Author: Paul Gilster

Posted on April 13, 2001 | June 29, 2023

What to Ask an ASP About Security

Evaluating a potential ASP’s security takes time and expertise. The details of authentication, packet filtering, encryption, and other technologies call for investigation by specialists, either in-house IT analysts or outside security consultants. But here are some of the broad questions that management should be asking:


  • How does the ASP control physical access to its site?
  • Does the ASP have a disaster-control program that includes restoring data in the event of power loss or other emergency?
  • How are access rights controlled to ensure that only authorized personnel are dealing with the client’s data?
  • Does the ASP perform background checks on employees?
  • Are corporate-training programs in place to keep employees aware of the need for constant security monitoring?
  • How are passwords protected, and what kind of corporate policy governs their use?
  • Are authentication procedures — digital certificates, tokens, and biometric methods such as iris scanners or fingerprint identifiers — used to back up password control?
  • Who has the right to make changes to the servers used in handling the client’s data?
  • Does the ASP use encryption to protect data moving between the client and its site?
  • Is the ASP’s internal network protected by firewalls?
  • Are change procedures in place to lock down any access points that may have been opened up through new equipment or software, or changes to the existing firewalls?
  • What procedures ensure that the latest software patches are always installed to seal off vulnerabilities?
  • What measures are being taken to prevent viruses and other malicious code from damaging the ASP’s systems?
  • Do the company’s audit logs demonstrate that the ASP is using its procedures in a correct and consistent way?


Posted on December 22, 2000 | July 10, 2018

Tips on Deploying Self-Service Technology Effectively

Workforce talked to consultants and providers of benefits administration services about how they help clients roll out online systems. Here are some tips that can help you reach workers who are resistant to technology.

  1. Examine current practice to make sure you understand what you need. You want to give employees effective tools and not just technology for technology’s sake.
  2. Make a survey of your workforce. Find out what employees think they need and why. Bringing them into the process creates greater commitment to change.
  3. Implement one technology at a time. Allow employees to build a base of skills before pressing on to still further changes.
  4. Make the advantages of new systems clear through letters, brochures, or e-mail. Good communication makes employees feel that their needs are being taken into account.
  5. Consider a tiered training structure. Well-built software should require minimal training, but more advanced systems for managers may necessitate classes or additional help.
  6. Offer paid time not just for training but also for employee play and practice on the system. Remember: people learn from trying things out and making mistakes. They must be allowed time for this.
  7. Provide a help desk for answering immediate questions and emphasize that you expect employees to use it.
  8. Double-check your system’s integration with back office software like payroll functions before rolling it out. Nothing will turn off employees faster than initial glitches that could have been easily avoided.
  9. Remember that many employees worry about security. Make sure you understand the security functions built into your system and demonstrate them to employees.
  10. Launch the system with fanfare to build employee enthusiasm. That initial surge gets employees involved and moves them past early learning barriers.

Workforce, January 2001, Vol. 80, No. 1, p. 56

Posted on December 15, 2000 | June 29, 2023

Channeling the Resume Flood with Applicant Tracking Systems

If you need skilled workers – and who doesn’t? – be aware that HR recruiting is changing as fast as the technology that now supports it. An economy-wide shortage of labor and an overwhelming influx of electronic résumés are driving the growth of applicant tracking systems (ATS) from companies like BrassRing Systems and Personic.


The key driver: strong employment growth in service industries coupled with unemployment at a 30-year low. In fact, the unemployment rate, according to the Bureau of Labor Statistics, declined to 4 percent in November. No wonder the Information Technology Association of America (ITAA) predicted last year that half the needed jobs in information technology – almost 850,000 – would go unfilled in 2000, a shortage of one job in every dozen.


Nor does the situation look likely to change soon.


The BLS’ projections for the American work force between 1998 and 2008 call for an increase in total employment of 14 percent, with service industries accounting for almost all the job growth. During the same period, the supply of workers is projected to increase by only 12 percent.


Statistics like these have built a market for products that aid recruiters. “We’re seeing growth in this category simply because companies have a need to hire people and automate broken processes,” said International Data Corporation research manager Andrew Goloboy. IDC sees the overall category of workforce management tools – including applications for hiring, employing and retaining workers – rising from $1 billion in 1999 to $4 billion in 2003.


One huge factor is the number of résumés generated by online recruitment. Some 2.5 million of them are now online. Web sites like Monster.com, where recruiters create job postings that generate these résumés, have led to an explosion in their numbers. But so have career Web sites run by corporations. A recent Recruitsoft/iLogos Research report finds 100 percent of Fortune 500 companies will have careers sections, post jobs, and accept applications on their corporate Web site by 2002. And while 76 percent of Fortune 500 companies currently post jobs on their corporate sites, fewer than 10 percent use hiring management systems to handle the flow.


And what a flow it is. The average life expectancy of a hot résumé, says Recruitsoft, is a mere 72 hours. Nor is it just the speed of turnover that’s boosting the ATS market. Because they’re easy to post and disseminate, online résumés often wind up scattershot through hundreds of corporations. “They’re being broadcast all over the world,” says Michael Foster, CEO of AIRS, a firm specializing in tools to help companies search for qualified people. “These firehose streams of résumés demand systems to filter them out and manage the result.”


With 48 percent of corporate recruiters posting their job opportunities on the Web last year, according to Watson Wyatt Worldwide, the trick is to solicit résumés from people with the right skills, to manage that electronic information and track it through the hiring process.


For online recruitment is here to stay. Forrester Research believes it will grow from a $1.2 billion industry to $7.1 billion by 2005. Recruiters will increase their online spending 52 percent in the next three years, mainly at the expense of print advertising and search agency fees. With numbers like these, expect to see a continuing demand for résumé management and application tracking services. They’ll give companies a leg up on finding and managing job applicants whose worth can only continue to climb.


Posted on August 25, 2000 | June 29, 2023

Security Issues Take Center Stage When it Comes to ASPs

Imagine it: A cost-efficient information system that handles your payroll, benefits, accounting, and other HR functions while you only pay for the software you need. A system that doesn’t require the hiring of extra IT staff to manage key functions.


A system that lets your business focus on what it does best while someone else worries about upgrading to the latest software. You can stop wishing. Such systems are here, in the form of Web-based outsourcing companies known as application service providers (ASPs). International Data Corporation sees Web-based outsourcing through ASPs as a $2 billion market within the next three years.


Both Microsoft and Oracle are reconfiguring key software to make it possible for you to work with ASPs over the Internet.


But ASPs have a downside: a nagging worry that priceless information could be compromised by entrusting it to a third party. It’s a rough world out there.


The Love Bug and related viruses can play tricks on your operating system. Credit card numbers pop up on illicit Web sites and computer break-ins make headline news. Security experts agree that these fears are well founded, though not for the reasons most people think.




Despite public perceptions, sending your information over the Web is perfectly safe. “The Internet is not a party line,” says Peter S. Tippett, chief technologist at ICSA.net, a global provider of computer security assurance and certification services.


“The risk of being intercepted is not even in the top 1,000 concerns for companies today. Web sites make a point of using encryption to guard against a problem we do not have.”


Issues like these are ICSA.net’s bread and butter. The company once worked with MCI to collect data (at the behest of the FBI) from a particular address as it moved over the Net. The project involved building a so-called “sniffer” to capture such data on disk.


At then-current Net backbone speeds, it proved impossible to collect anything more than the message headers for all that traffic.


Since then, the speed of the Net’s backbone has increased by a factor of 64.


“Getting data where it’s going,” adds Tippett, “is an entirely secure proposition.” A case in point: ICSA.net has verified with all major credit card companies, security firms, numerous banks, and law-enforcement agencies the number of cases in which credit card information was intercepted over the Internet.


The answer: none. Ever. The real security issue when dealing with an ASP is much closer to home. It involves locking down security inside your own company and ensuring that your ASP does the same. When problems occur, it’s at either end of the data transmission, and it’s clear that on that score, both companies and the ASPs they use have a lot to think about.




We’re no longer living in a world where security means keeping a mainframe computer in a protected room. The advent of PC networks has changed everything. “We started moving our information onto PCs as an afterthought,” says Randall Bennett, president of Secure Enterprise Computing, a security consulting and implementation firm based in Cary, North Carolina.


“All of a sudden we network these together and they’re on the backbone with our mainframes and the Internet at large. The technology has moved too quickly ahead of the security model, and now companies have to play catch-up.”




And as Frank Prince notes, the Net keeps changing the equation. A senior analyst in e-business infrastructure at Forrester Research, Prince says that extending company operations to an ASP should make management more security conscious than ever.


“The Internet has lowered the threshold for doing things people might have done anyway,” he says. “Twenty years ago, if you wanted to steal the design for a new truck, you’d have to roll up the blueprints, put them under your arm, and carry them out. Ten years ago, you’d copy them onto a floppy and stick them in your pocket. Today, you can simply attach them to an e-mail message.”


It’s here that we leave the realm of the theoretical and roll up our sleeves. When you choose to outsource, it’s up to you to evaluate security at your ASP’s site, Secure Enterprise’s Bennett says. That usually means a visit to the ASP home base and a thoroughgoing examination of its policies, physical security, and network procedures.


“When you use an ASP, they have become your partner,” says Bennett. “That’s what connectivity is all about. You’ve got to treat an ASP the same way, and with the same diligence, as you treat your own internal IT department.”


Start with physical security. You should ask questions about where the company keeps its servers. Are they in a properly secured area, or in a place accessible to anyone clever enough to crack a password and gain access to a machine? Disaster recovery is likewise critical. A firm isn’t secure if it loses its files because its ASP doesn’t have sufficient backups to survive a disaster.


The better ASPs know that security is critical and take active measures to protect their information. One such company is Spectrum Human Resource Systems Corporation, a Denver-based ASP with a set of Web-based tools developed in-house for the HR market.


The firm provides software for HR management, benefits administration and training and development, along with related services in data conversion, data transfer, system planning, and implementation and support services.


According to president and CEO Jim Spoor, the Spectrum facility is protected against power loss, tightly secured against intrusion, and located near a major Internet backbone network.


“We have an extremely secure facility,” Spoor says, “one that is secured with not just passwords but also biometric systems that can read your handprint. We also require photo ID onsite, and people dealing with your account must use ‘smart cards’ or key fobs — forms of authentication that guarantee you are who you say you are.”


Authentication is a system that recognizes and verifies the identity of a user. A smart card has an embedded computer chip that can verify a user’s identity. A “token,” often in the form of a key fob with displayable digits, provides a constantly updated set of numbers that the user enters to complete his log-on to the network. Because the numbers change so quickly, even a person with a password can’t gain access without the token itself.
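
The token log-on described above, as an added example that is not from the article or from any vendor it mentions. It uses the open TOTP algorithm (RFC 6238) as a stand-in, because the article does not say how the fobs compute their digits; the 30-second step, six-digit code, account record and function names are assumptions.

```python
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 30  # assumed lifetime of each displayed code
DIGITS = 6         # assumed length of the displayed code


def token_code(secret, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """Digits the fob displays at unix_time (RFC 6238 TOTP over HMAC-SHA1)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(password, token_secret):
    """Server-side record: salted password hash plus the fob's shared secret."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "token_secret": token_secret, "last_counter": -1}


def login(account, password, code, now, drift_steps=1):
    """Grant access only if the password AND a fresh, unused token code match."""
    pw_ok = hmac.compare_digest(
        hash_password(password, account["salt"]), account["pw_hash"])
    current = now // STEP_SECONDS
    matched = None
    # Tolerate a little clock drift between fob and server, but never accept
    # a time step at or before the last one used (blocks replay of a seen code).
    for counter in range(max(0, current - drift_steps), current + drift_steps + 1):
        if counter <= account["last_counter"]:
            continue
        expected = token_code(account["token_secret"], counter * STEP_SECONDS)
        if hmac.compare_digest(expected.encode(), code.encode()):
            matched = counter
    if pw_ok and matched is not None:
        account["last_counter"] = matched
        return True
    return False


def demo():
    secret = b"12345678901234567890"  # constructed: the RFC 4226 test secret
    now = 150                          # constructed clock value (time step 5)
    acct = make_account("correct horse", secret)
    fresh = token_code(secret, now)
    stale = token_code(secret, now - 120)  # what the fob showed two minutes ago
    return {
        "password_and_stale_code": login(acct, "correct horse", stale, now),
        "fresh_code_wrong_password": login(acct, "guess", fresh, now),
        "password_and_fresh_code": login(acct, "correct horse", fresh, now),
        "same_code_replayed": login(acct, "correct horse", fresh, now),
    }


if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case}: {'granted' if granted else 'denied'}")
```

Only the third case is granted: a correct password with an old code, a current code with a wrong password, and a second use of an already accepted code are all refused.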


But not all problems come from inside a company. In an Internet-connected world, ASPs can be vulnerable to attacks from the outside, as can the corporations they serve. A hacker breaking into a company database can uncover a rich harvest of passwords and other sensitive information. In fact, more than half of stolen credit card numbers are now being swiped by hackers attacking corporate databases, says ICSA.net’s Tippett. That puts a premium on securing all possible points of entry and making sure they stay shut.


One answer is to install firewalls — hardware or software that restricts internal traffic to the private network — but computer-savvy thieves sometimes get through anyway. “When you put in a firewall, everything is closed,” says Secure Enterprise’s Bennett. “You have to start opening ports to let things happen if you want to do e-mail or browse the Web. So I may have created a choke point at the firewall, but as I open more doors to the outside, I may be creating a channel for intruders to use.”


For that matter, external attacks can shut down a company’s mail servers, as was demonstrated by recent attacks on some of the Internet’s biggest sites — Yahoo!, eBay, CNN.com, and Amazon.com — using a technique called distributed denial of service, or DDoS.


In this scenario, hackers use software to bombard computers with requests for service, which can quickly bring big systems to a crawl. These attacks depend on vulnerabilities in the sites they’re attacking and the servers that unwitting owners have left insecure enough to participate in the assault.


EmployeeService.com is a San Francisco-based ASP that has worked with crack teams of intruders (“the same spooks who crack systems for the CIA,” says CEO Jay Whitehead) to locate holes in its system and plug them. And so far, so good. Even the Love Bug, the widespread virus that shut down mail servers at many companies and caused billions of dollars of lost productivity worldwide, only created a problem in one server. That problem was quickly fixed, according to Whitehead.


Companies also should check ASP internal policies to make sure that they’re not selling clients’ private data, Whitehead says.


When Internet advertising firm DoubleClick was discovered linking anonymous user information to actual names and addresses, the resulting controversy alarmed privacy-minded computer users and showed the potential for the abuse of information assumed to be private. Whitehead recommends asking ASPs about both data selling and the creation of “cookies” that track a user’s progress through Web sites.


In a world where technology changes by the month and sometimes by the day, constant vigilance is critical. Potential clients should check security audits at the ASP they’re evaluating, says Carl Bennett, director of e-business for Application Outfitters, a consulting and implementation firm based in Linthicum, Maryland.


“Visit the ASP site and examine how they do business. Make sure they are up to speed with all current patches for their software. Many companies have really been too trusting in their dealings with ASPs, and it will pay to demand thorough and conscientious security.”


Software patches can fix potential security holes, and because they’re issued regularly, companies need to have procedures in place for seeing that they’re used. Hardware changes must also be tracked. Every time an administrator adds a node to the network or an employee installs a modem to access an outside line to the Internet, a potential vulnerability has been created. Security specialists agree that companies need checklists to control how devices are configured and added across the network.


And make no assumptions about the time it takes to evaluate an ASP. As Cendant Corp. has found, even a simple transaction with an outside provider can raise more issues than anyone had expected.


When the company, a global provider of real estate, travel, and direct marketing-related consumer and business services, chose to work with an ASP to provide an employee-discount Web portal, the risk seemed low. After all, the only information required for entry to the site for Cendant employees was a user identification, a password, and the employee’s name.


But how to set up the passwords? Freddye Silverman, vice president of human-resource management systems for the company, says the rules used to create them quickly became an issue inside Cendant. Its information-protection team wanted completely random passwords, rather than passwords created by plugging in employee-specific identifiers like initials or the last digits of a social security number. The HR team, meanwhile, argued that setting such passwords for all 30,000 employees was unnecessary.


The ensuing debate about passwords for an ASP-based benefits and enrollment package finally ended in the vendor accepting the responsibility for generating the necessary passwords. But the point was made. Adapting internal processes to third-party providers takes a lot of planning. “We’re just writing policy and rules as we go along,” says Silverman, “and that’s where a lot of companies are as they begin to explore this ASP picture. This is happening everywhere.”


In the frantic world of Internet time, getting to market fast has proven to be a successful strategy, but it leaves ASP clients vulnerable as outsourcing companies rush to bring their security up to speed. In that environment, demanding and verifying tight security from potential ASPs is not just common sense — it’s a necessary survival tactic.



 
