A decade ago, application service providers (ASP)\u2013at least according to the hype\u2014were going to pull the rug out from under packaged, locally installed software. Everything from office productivity suites to image editors to system tune-up utilities were appearing every day. After a while, though, people discovered that having to visit a Web site in order to edit a word processing document probably wasn\u2019t such a fantastic idea. And the relative lack of broadband at the time hurt even the most promising ASPs. But things have changed. Broadband is widely available, allowing for richer application delivery over the Internet. And consumer faith in the reliability and convenience of online-delivered tools has made a number of them at least modestly successful. For CIOs, however, this success is a two-edged sword. Implemented properly, ASP-provided tools can give users the applications they need at reduced support and development cost for the IT department. But ASPs also have a dark side\u2014users, even individual end users\u2014can often use them without IT being aware, opening yet another potential hole through your careful crafted security systems. Some of these services are also hard if not impossible to detect. The best defense is probably awareness--your awareness--followed by a clearly stated company policy on the use of such services. Let users know you keep track of such services, that you\u2019re always willing to listen to requests for usage privileges, but that you can\u2019t condone unauthorized usage because of security concerns.To give you an idea of the scope of available ASP products, we\u2019ve rounded up\u00a0eight-plus that could be an end-user\u2019s dream\u2014and a CIO\u2019s nightmare. It all depends on your point of view.1. BeInSync\n\nThe Dream:Quickly and easily syncronize local and network folders with any other Windows 2000 or XP machine on the planet. The basic service is free, so there\u2019s zero financial barrier to entry. A few bucks a month gets users a Pro subscription that \u00a0removes file limits and adds Web access to accounts. BeInSync is advertising a free iPod to its millionth customer, too, so you know a few people are taking advantage of what the company has to offer. \n\nThe Nightmare:It can perform the syncronization through standard ports, so to your firewall, all that corporate data streaming to some unsecured PC in who-knows-where just looks like Internet traffic. And the optional Web access feature means that users can retrieve corporate data through any Web browser using just a username and password\u2013which could easily be snagged by keylogging software or similar malware. You can also share syncronized folders with anyone, anywhere, anytime.The Security Story: BeInSync highlights the fact that it uses heavy-duty encryption and creates a true peer-to-peer connection between syncronized machines\u2013user data never resides on any third-party servers. But the company also seems to realize that some employers might not like users taking advantage of such tools and could block outgoing traffic on nonstandard ports. No problem, though. A page in the FAQ tells you how to get around that little problem.\u201cNOTE: If one of your computers is behind a corporate firewall which blocks outgoing traffic on non-standard ports such as 5584 and 5585, configure your other computer to listen to communication on one of ports that are permitted: 21 (FTP), 23 (Telnet), 80 (HTTP) or 443 (HTTPS).\u201d2. GoToMyPC\n\nThe Dream:GoToMyPC is the grandaddy of remote access-over-the-Web tools. Users create an account and pay $19.95 a month to be able to access their machines from any Web browser anywhere. A small downloadable app turns user PCs into remote-access servers that display a complete desktop in a remote Web browser. Users log in using just a username and password.\n\nThe Nightmare:Like we said, that\u2019s a complete desktop, including those shared network drive icons containing all those juicy bits of proprietary data. Like BeInSync, GoToMyPC touts its encryption and other security features. But also like BeInSync, traffic over GoToMyPC can be impossible to discern from regular Web traffic. \n\nThe Security Story:GoToMyPC is owned by Citrix and is obviously aware that some companies probably wish such services simply didn\u2019t exist. In fact, it dedicates a page of its site to helping users convince their IT departments to support GoToMyPC officially. But if users decide to not bother telling IT, it\u2019s unlikely that those network admins will ever know the difference. 3. Xdrive\n\nThe Dream:Xdrive (owned by America Online) is far from the only provider in the Web-based backup space. Even Yahoo offers a similar option through the Yahoo Briefcase. And online backup is nothing new\u2013it was one of the earliest entry points for ASPs. Pre-broadband connection speeds kept most people from taking advantage of the services early on. But DSL and cable modems now make backing up even relatively large files perfectly feasible. And such services provide a convenient way for on-the-road users to access the data they need from wherever they are.\n\nThe Nightmare:It\u2019s the same old refrain. Users can sign up for such services and dump gigabytes of your data \u201csomewhere else\u201d in minutes\u2013and you don\u2019t even know they\u2019re doing it. What makes these backup services a little more scary than the likes of BeInSync and GoToMyPC, however, is that your data very likely could be living on someone else\u2019s servers\u2013and you have no idea what kind of security protections they have in place. \n\nThe Security Story:These guys all know they\u2019re going to have serious trouble if they let someone steal customer data. Xdrive\u2019s overview page says that they protect data so completely, it might as well be in Fort Knox. So if your users go with a reputable provider, odds are that the data is pretty safe. The question is, do you want it getting out there at all? And if not, what can you do about it? Answer: Not much.4. Advicebox and Mailinator\n\nThe Dream:Tired of spam? Wish you had an email address you could hand out to people you don\u2019t really know and aren\u2019t sure you can trust? Wish you had an address you could send mail from, safe in the knowledge it couldn\u2019t be tracked back to you? Enter Advicebox and Mailinator. Advicebox is all about anonymous email. Mail you send from AdviceBox has no unique identifiers attached to it\u2013all mail appears to come from firstname.lastname@example.org. Mailinator is different. It allows you to create an email account on the spot. You simply make up a user name, append mailinator.com (or one of a handful of alternate domains) to it, and when mail arrives, the Mailinator service automatically creates a new account. To view your mail, you simply log in using the email address you invented. All messages disappear after a few hours. \n\nThe Nightmare:Anonymity gives people a sense of power. How many raging email messages have gone out over the years filled with language the same person would never have used face-to-face? The ability to send and receive email without fear of having it linked to you could inspire some decidedly anti-employer activities\u2013such as dispensing rumors designed to hurt stock prices or airing dirty laundry on public forums. \n\nThe Security Story:Should anyone use either of these services for anything illegal, however, both companies readily state that they will comply with all laws and work with authorities whenever necessary. In fact, Mailinator\u2019s FAQ states things a bit more bluntly:\u201cSo if the government issued a subpeona to Mailinator to divulge emails or logs, you\u2019d rat me out?Holy crap, yes. I\u2019m not going to jail for you, I have a boyish face and very, very supple skin.Privacy is a serious issue, and we want to be clear. We think Mailinator provides pretty decent privacy, and we want to keep providing that and even improve it, but we can\u2019t promise it. A promise would require lawyers, money, and probably guns - and we don\u2019t have any of those.\u201d5. ipEliminator et al\n\nThe Dream:Anonymous Web surfing! Invisible peer-to-peer client use! Completely cloaked email! What more do you want?\n\nThe Nightmare:Anonymous Web surfing! Invisible peer-to-peer client use! Completely cloaked email! What more do you want?\n\nThe Security Story:Services such as IPEliminator, FindNot, Proxify and others cater to a more-security-conscious-than-average crowd of customers. Essentially, what these services promise is anonymity on the Internet by masking a user\u2019s IP address and optionally encrypting all traffic so even your ISP can\u2019t see what you\u2019re doing. They also don\u2019t keep logs from which your original IP could be gleaned. IPEliminator even goes so far as to assure customers that they run servers in countries that are \u201cprivacy oriented\u201d\u2013which seems to imply that it would take more than a US court order to get any information about your usage. IPEliminator and FindNot also provide tips on how to pay anonymously\u2013thereby eliminating any trail back to the user. And you guessed it: These services claim to run just fine behind corporate firewalls. 6. Blogger\n\nThe Dream:Thank Google once again. They didn\u2019t create Blogger, but they own it and promote it now. And like other Google services, it\u2019s free and super easy to use. Simply sign up and you\u2019ve got your very own blog where only your imagination limits what you can say.\n\nThe Nightmare:Of course, sometimes what people choose to say is nasty things about their employers. Widely reported tales of bloggers being fired for being a bit too candid about their workplace seemingly have would-be office tattle-tales a bit more on-guard these days (at least, we haven\u2019t read about any recent sackings.) But that doesn\u2019t mean that there isn\u2019t a blog out there somewhere with your company\u2019s name on it. \n\nThe Security Story:Blogger is just a Web site. You can block it with a content filter if you want. But you still can\u2019t keep people from using it at home. Like all of these services, the best defense is probably having a clear policy about use of such tools from work or about work\u2013and making sure people know that the policy exists. 7. Flickr\n\nThe Dream:Quickly drag and drop photos from your PC to public and private viewing areas on the Flickr Web site. Share them with friends. Drop them into your blog. It\u2019s all fast, easy, and costs nothing to get started. \n\nThe Nightmare:Just used your cell phone to take a snapshot of the latest product prototype in the engineering department? Pop it into an email on your phone and instantly upload it to Flickr for safekeeping\u2013or public display. And desktop tools could let users drag an entire network\u00a0folder\u2019s worth of images onto Flickr in an instant. \n\nThe Security Story:Users can create password-protected \u201cprivate\u201d viewing areas, but you\u2019re depending on your users\u2019 willingness to keep things out of sight. And with the phone-to-email-to-Flickr connection, there\u2019s not a thing IT can do to block the process\u2013it operates outside of your control. Nice, huh?8. Skype\n\nThe Dream:Unlimited local and long-distance calls between Skype users via voice over IP. For free. For a few cents more you can call outside phone numbers. Add a few dollars, and you can have a Skype phone number reachable from regular old phones. It sure appeals to someone, as Skype reports nearly 175 million downloads of its software. \n\nThe Nightmare:Do you really have the network bandwidth to support herds of employees making long-distance calls through their PCs? (Though at least it\u2019s cheaper than when Bob in accounting used to use his office phone to call his uncle in Berlin every other Friday afternoon, right?) And its telecommunications without accountability--IT or your telecom department\u00a0have no knowledge of who\u2019s making what calls when.\n\nThe Security Story:Like most of the tools we\u2019ve discussed, Skype traffic simply pours through most firewalls like they weren\u2019t even there. But Skype is used by some enterprises as a cheap alternative to traditional telephony. As a result, Skype has a dedicated Security Center on its site where you can download a network administrator\u2019s guide as well as view security alerts.