Choose or Lose
Believe it or not, the term "ASP" (application service provider) wasn't even coined until last year. Six months ago, typing it into an Internet search engine returned references to "active server pages." These days, you can't turn around without another ASP sprouting up or another business beginning to offer ASP services.
It's little wonder businesses have been perking up their collective ears at the mention of anything ASP. True to its definition, an ASP is a service that hosts applications on the Web. Businesses can access the applications by "renting" them for a monthly subscription-based fee.
Compared to hiring and managing a full-time IT staff, using ASPs is an easier and more cost-effective way to go. But pinpointing pricing isn't a simple chore; how much you pay depends on the application, the quantity of users and the additional services you receive from the ASP. Some ASPs charge as little as $5 per month; others fetch as much as $500,000 per month. But the savings add up in what you don't have to do: buy, maintain or troubleshoot hardware or software, or pay real people to do the work.
ASPs now offer all the software you might need. And although the field is escalating, the customer base is not. Because of the newness of the industry, much is still in flux, and enlisting the services of an ASP isn't exactly simple.
Business owners are also wary about security. Outsourcing applications isn't like outsourcing your public relations; trusting critical operations to outsiders can strike fear in the heart of any CEO.
Arnold Kraft, founder, president and CEO of e-Wood.com in Wellesley, Massachusetts, wanted to start an auction-based Web site for the wood products industry-an eBay of lumber. His main concerns were marketing and executing his business model, so he decided to outsource just about every other aspect of his business: human resources, public relations, recruiting and most of his software needs, including an e-commerce application to support the transactions his site would generate.
"Security was a primary concern when deciding to outsource to an ASP," Kraft says. "I talked with the personnel at each ASP about how my data would be protected and who would have access to it. But I also approached ASPs with the understanding that things can go wrong. So I was just as concerned about how the ASP would handle a problem if one occurred."
Sound like a gutsy move? Sure, but Kraft admits that security issues had him apprehensive. And he handled it the right way-by asking questions. He grilled his prospective ASPs: How and where would his data be stored? How would it be protected? What if the ASP did not deliver as promised?
Kraft handled the situation correctly, and it worked for him. To make it work for your business, you'd do well to follow his example. Always go with your gut instinct-any question you've got, ask it. A good service provider will be willing to take the time to answer your questions and even anticipate them. Here are specific topics you should cover:
Data storage: The ASP you outsource to is most likely storing your data on servers in a remote location called a data center. You should know how the center is protected; if possible, try to visit the facility personally. Data centers should have security measures no less stringent than those of a prison. There should be physical bodies guarding the center. Usually, only authorized employees of the ASP are allowed to be in rooms where the actual servers are.
Data transfer: As soon as you're confident the data center is protected, you'll want to make sure the actual data is equally secure. How does the information make it from your desktop to the data center? This is where you'll want to probe into the technical details of security-ask about encryption levels and firewalls, both of which protect data. You'll most likely be sharing the server with another company, and such protection will keep your information from being left vulnerable to prying eyes. The most secure ASPs will monitor logs for any suspicious activity.
Data access: Another level of security relates to when users are sitting at their desks. How will employee authorization work? For example, with self-access, a popular feature of human resource applications, both employers and employees can make changes to benefits, payroll and other HR-related areas via the Internet. But say you log on to give your star employee a raise. In turn, that star employee will probably want to log on to increase his or her 401(k) contribution. But what's to keep that employee from accessing the payroll section of the site to adjust the raise a little more?
The ASP should provide a matrix of security, including password-protected logins with unique user names to verify identity. Access should be protected using digital certificates, software-based versions of ATM cards that use codes to tie individual users to particular computers. Using them ensures that a password stolen from the HR administrator isn't going to end up in the hands of a vengeful (or creative) employee.
Data backup: What happens in the event of a disaster? Ensure the ASP backs up the data daily, and find out where it's stored. Next, find out about response time to problems. For example, if the application fails for any reason, you should know how long the ASP will take to get it back up and running. (This is part of your service level agreement, which is discussed on the next page.)
Perhaps most important, make sure the company doesn't guarantee that nothing will go wrong. This may sound strange, but you want an ASP that not only acknowledges something can go wrong, but also has a plan to handle it.
Mie-Yun Lee is the founder and editorial director of BuyerZone.com, a premier online marketplace for growing businesses. Diane O'Brien contributed to this article.
At Your Service
The hope is that everything will run smoothly. For your protection, sign a service level agreement (SLA) with your ASP, outlining the services you'll receive. The ASP Industry Consortium, an organization formed by leading technology companies to promote a greater understanding of the growing ASP industry, suggests that you make sure the provisions include response time in case of a problem, amount of customer service you'll receive, availability of the application (it should be 24/7), and what the repercussions will be if the ASP doesn't meet the provisions in the SLA. Plus, make sure to sign a legal security agreement (or nondisclosure agreement, if available) that will bind the ASP to keeping your information private.
If your ASP can address these questions in depth, you may not have as many reservations. You may even come to the conclusion that Pradeep Khurana, founder and chair of Surebridge, an all-purpose ASP located in Lexington, Massachusetts, hopes you will-that ASPs can give your business the security you may not be able to provide yourself.
"One of the reasons businesses should look to an ASP is for the security levels we offer," says Khurana. "Your information is going to be more secure in a data center than in your company server tucked away in your office."
ASPs are not just a third party you're outsourcing to; you're forming a partnership with the company. When you ask what they'll do for you, ask what you can do to make the relationship work smoothly. Working with your ASP will increase your confidence in them and make the relationship-and your job of focusing on the needs of your business-that much easier.
Check out www.buyerzone.com/Internet/web_based_software for help finding an ASP for your business.
Learning the lingo
If you think security issues can be tough to figure out, try tangling with the number of acronyms that fall under the ASP umbrella. We've put together a glossary to help you sort out this industry-specific jargon.
ASP (application service provider): Hosts and maintains applications, offering them to subscribers through the Web.
CRM (customer relationship management): Commonly offered application that manages customer relationships by automating crucial customer-related services-order processing, sales, marketing efforts and customer data tracking.
CSP (commercial service provider): The actual data centers where ASPs store companies' data.
ERP (enterprise resource planning): Commonly offered application that integrates all business functions, from human resources to accounting, into one application.
FSP (full-service provider): More common these days, this term refers to ASPs that offer a soup-to-nuts approach, allowing you to outsource multiple functions. They also usually run their own data centers.
IBS (Internet business service): IBSs are ASPs that have built their business from the ground up, so the applications were actually developed to be hosted on the Web. They offer the same services traditional ASPs do.
ISV (independent software vendor): A company that produces and distributes software. ISVs are beginning to partner with ASPs and offer software through them. This arrangement benefits both sides: The ASP hosts and maintains the application, while the ISV is able to reach a broader audience (smaller businesses that otherwise wouldn't be able to afford it).
SLA (service level agreement): A binding contract between an end user and an ASP. It details the specifics of your partnership, including customer service, data security and the repercussions if the ASP doesn't meet the provisions in the agreement.
TSP (total solutions provider/total service provider): This term has evolved with the ASP market and is closely related to the meaning of full-service provider. Companies that call themselves TSPs, whether they mean solutions or service, focus on the service end just as much as the application hosting. The term also refers to ASPs that integrate with other service providers so you can get all your needs met at one source.
WSV (Web software vendor): Software companies that have begun to offer ASP capabilities, viewing the ASP model as a way to build their revenues. Unlike ISVs, they do not necessarily partner with ASPs, but host the application themselves.
XSP ("X" service provider): Because of the confusion surrounding all the fledgling terms-ASP, FSP, TSP-this new term using the letter "X" has emerged to represent the entire industry.