Getting Great Results with ASPs

Solid service level agreements and security requirements can ease the way It's been said that no two application service providers (ASPs) look or act alike, but they do share the need to address the security concerns of clients and guarantee a certain baseline performance level to stay in business. Given that, clients need to be direct about what's required, and what isn't acceptable, as they go through due diligence. ASPs may be using the internet or wide area network to deliver the application on a one-to-many basis instead of the usual data processing arrangement, but, like traditional outsourcers, they'll do their best if you stay in charge. In our February issue (ABABJ, Feb. p.54), we looked at the evolving ASP market and described the various types of ASP providers. With this article, we'll examine what security and contractual issues bankers should consider before signing on the bottom line. Like most businesses, ASPs rely upon contracts and service level agreements (SLAs) to establish performance parameters and manage relationships. Make sure you're managing your suppliers right back. In the rush to get a technology problem solved, contract terms may be glossed over and an operational review of an ASP to check for security can get short shrift. This is a real mistake, say the experts who spoke with ABA BJ, because having grappled successfully with various security and contractual matters is what separates the viable ASPs from their flimsier counterparts. "Since there isn't a 'typical' ASP it's hard to generalize, but I do think there are best practices emerging regarding equipping and running data centers, networks, and applications," says Jeff Brewer, vice-president and chief information officer with Agilera, headquartered in Englewood, Cob., an ASP that delivers enterprise relationship management systems. Hardware vendors, among them Microsoft, Sun, and Compaq, also offer either certifications or best-practice tips, says Brewer, so there is guidance and ample resources in the market for building an ASP like a fortress. True, there are many methods of linking client to ASP, including the internet, as opposed to a WAN connection. "Where the internet is involved, you'll never be 100% secure, but you can really improve your overall security level if you create procedures with security in mind," Brewer says. Mike Massey, vice-president e-service operations for Xerox, Rochester, N.Y., says that the first wave of "pure play" ASPs may have fallen short of the mark in matters of security, but he admits that next-generation survivors have learned hard lessons, particularly business service providers (BSPs) that come with their own programmers, consultants, and a general breadth of skills, knowledge, and equipment. From the biggest part of the picture to the smallest detail, the professionally run ASP will be as meticulous as any bank in addressing these issues. Many good ASPs The general consensus seems to be that the market is well enough past its inception to have left behind solid providers. What to look for? "The good ASPs have every facet of security in play. You see 24-hour guards on the premises and use of schemes to limit access to servers, says Counse Broders, senior internet services analyst, Current Analysis, Sterling, Va. Well-run ASPs will also have adequate system backup and redundancies built into their data facility design and will operate with detailed disaster recovery plans. "These ASPs also have solid investments in firewalls," says Broders. He notes that it pays to ask a lot of questions about what protections are offered for each piece of equipment in use, because, as he puts it, "there is still room for improvement, such as use of technology to monitor network traffic." While you're putting together your checklist, consider too that personnel should be screened for suitability. …