When FMC Corp. recently sold 40 boxcars of soda ash, one customer used a browser to enter confidential order information directly into the company's SAP AG system - or so he thought. What the customer really used was a sophisticated secure proxy server from service provider Aventail Corp.
"Aventail was a bridge behind our firewall that directed Web users to a proxy server. It looked just like they were in the back end. But that's not the case," said Craig Watson, CIO at Chicago-based FMC.
Application service providers (ASPs) are now delivering increasingly sophisticated security products that corporations can adopt for their e-business initiatives without having to develop anything themselves. And it's happening just in time, as more IT organizations like FMC outsource Internet infrastructure, Web services and other operations.
"Our business model depends heavily on per-use managed services," Watson said. "We do everything by the drink."
Beyond the VPN
When Suzanne Pawlisz, FMC's IT program manager, was investigating managed services early last year, they weren't as sophisticated as those she now gets from Seattle-based Aventail. With Aventail's service, Web users are authenticated and then given rights and privileges for application and data access. Previously, only users of FMC's virtual private network (VPN) were able to get through the firewall to get work done.
Pawlisz said Aventail's extranet technology, Aventail.Net, uses a "noninvasive agent" that leaves the client system's IP stack data alone, unlike a VPN, which uses a client's IP stack data.
The Aventail agent handles the initial setup between the server, which is housed at Beltsville, Md.-based Digex Inc.'s data center, and, say, a user's remote PC. The Aventail.Net product authenticates a user and then permits him to use only the applications he's authorized to access.
But it takes one more step. Unlike a VPN, which normally passes a user on to the server system where the application resides, all of the user's applications and services are packaged and sent to the remote Aventail server, so the external user never actually contacts FMC's own server. Data moving between the Aventail proxy host and the real server is automatically checked for viruses and other security problems.
According to Colleen Niven, an analyst at AMR Research Inc. in Boston, ASPs are currently using advanced security that "reminds you of [military] stuff." In fact, earlier this month, Nupremis Inc. in Boulder, Colo., introduced what it calls "military-grade network security."
This advanced security is being touted by ASPs as a differentiator, Niven said, but in the future, "high-level security will be considered the norm."
Pawlisz said she's not expecting her ASP to sit still. Aventail is currently working on synchronizing its authentication processes with Microsoft Corp.'s Active Directory feature in Windows 2000, which FMC will be rolling out this year.
George McNulty, director of technology at Wizmo Inc., an Eden Prairie, Minn.-based ASP, already has data synchronization worked out for his customers. He uses Novell Inc.'s iChain security application with Novell Directory Services (NDS). NDS is ideal for handling ASPs' directory management synchronization hassles, he said.
Authenticated users are sent to an available server in Wizmo's data center along with their access privileges, said McNulty. As users switch from application to application during the course of the day, they often change servers, and when they do so, all of the rights and privileges they were granted initially go with them. Data resides in a storage-area network and is doled out only according to need, McNulty said. NDS manages all of the synchronization, even if a user's rights change in the middle of a session.
ASPs have to work hard at establishing security, said McNulty, because most of their applications haven't been designed from the ground up for Web use.
But Niven said that's beginning to change. She pointed to improved security in Oracle9i's Virtual Private Database feature, which was specifically improved for ASP use.