Believe it or not, the term "ASP" (application service provider) wasn't even coined until last year. Six months ago, typing it into an Internet search engine returned references to "active server pages." These days, you can't turn around without another ASP sprouting up or another business beginning to offer ASP services.
It's little wonder businesses have been perking up their collective ears at the mention of anything ASP. True to its definition, an ASP is a service that hosts applications on the Web. Businesses can access the applications by "renting" them for a monthly subscription-based fee.
Compared to hiring and managing a full-time IT staff, using ASPs is an easier and more cost-effective way to go. But pinpointing pricing isn't a simple chore; how much you pay depends on the application, the quantity of users and the additional services you receive from the ASP. Some ASPs charge as little as $5 per month; others fetch as much as $500,000 per month. But the savings add up in what you don't have to do: buy, maintain or troubleshoot hardware or software, or pay real people to do the work.
ASPs now offer all the software you might need. And although the field is escalating, the customer base is not. Because of the newness of the industry, much is still in flux, and enlisting the services of an ASP isn't exactly simple.
Business owners are also wary about security. Outsourcing applications isn't like outsourcing your public relations; trusting critical operations to outsiders can strike fear in the heart of any CEO.
Arnold Kraft, founder, president and CEO of e-Wood.com in Wellesley, Massachusetts, wanted to start an auction-based Web site for the wood products industry-an eBay of lumber. His main concerns were marketing and executing his business model, so he decided to outsource just about every other aspect of his business: human resources, public relations, recruiting and most of his software needs, including an e-commerce application to support the transactions his site would generate.
"Security was a primary concern when deciding to outsource to an ASP," Kraft says. "I talked with the personnel at each ASP about how my data would be protected and who would have access to it. But I also approached ASPs with the understanding that things can go wrong. So I was just as concerned about how the ASP would handle a problem if one occurred."
Sound like a gutsy move? Sure, but Kraft admits that security issues had him apprehensive. And he handled it the right way-by asking questions. He grilled his prospective ASPs: How and where would his data be stored? How would it be protected? What if the ASP did not deliver as promised?
Kraft handled the situation correctly, and it worked for him. To make it work for your business, you'd do well to follow his example. Always go with your gut instinct-any question you've got, ask it. A good service provider will be willing to take the time to answer your questions and even anticipate them. Here are specific topics you should cover:
Data storage: The ASP you outsource to is most likely storing your data on servers in a remote location called a data center. You should know how the center is protected; if possible, try to visit the facility personally. Data centers should have security measures no less stringent than those of a prison. There should be physical bodies guarding the center. Usually, only authorized employees of the ASP are allowed to be in rooms where the actual servers are.
Data transfer: As soon as you're confident the data center is protected, you'll want to make sure the actual data is equally secure. How does the information make it from your desktop to the data center? This is where you'll want to probe into the technical details of security-ask about encryption levels and firewalls, both of which protect data. You'll most likely be sharing the server with another company, and such protection will keep your information from being left vulnerable to prying eyes. The most secure ASPs will monitor logs for any suspicious activity.
Data access: Another level of security relates to when users are sitting at their desks. How will employee authorization work? For example, with self-access, a popular feature of human resource applications, both employers and employees can make changes to benefits, payroll and other HR-related areas via the Internet. But say you log on to give your star employee a raise. In turn, that star employee will probably want to log on to increase his or her 401(k) contribution. But what's to keep that employee from accessing the payroll section of the site to adjust the raise a little more?
The ASP should provide a matrix of security, including password-protected logins with unique user names to verify identity. Access should be protected using digital certificates, software-based versions of ATM cards that use codes to tie individual users to particular computers. Using them ensures that a password stolen from the HR administrator isn't going to end up in the hands of a vengeful (or creative) employee.
Data backup: What happens in the event of a disaster? Ensure the ASP backs up the data daily, and find out where it's stored. Next, find out about response time to problems. For example, if the application fails for any reason, you should know how long the ASP will take to get it back up and running. (This is part of your service level agreement, which is discussed on the next page.)
Perhaps most important, make sure the company doesn't guarantee that nothing will go wrong. This may sound strange, but you want an ASP that not only acknowledges something can go wrong, but also has a plan to handle it.
Mie-Yun Lee is the founder and editorial director of BuyerZone.com, a premier online marketplace for growing businesses. Diane O'Brien contributed to this article.