Protection Profile for Application Service Provider
Jonathan S. Shapiro
Johns Hopkins University
Common Criteria Version: 2.1
Draft Notice: This protection profile is a
work in progress. If it is broken, you get to
keep all of the pieces you can locate.
Fill me in some day.
2. TOE Description
2.1. General Description
An Application Service Provider (ASP) is an operator of computational facilities for contract
customers, possibly provided on a rented or leased basis. ASPs are distinguished from
conventional outsourcing operations by the fact that the software running on the
rented/leased resources is at least partially dictated by the customer. That is, the operating
basis for such systems is that the customer has paid for a standard arrangement of tools
provided by the operator and may optionally augment those tools with software provided by
the customer, a third party, or some combination thereof.
The operational requirements for an ASP include as subset cases:
1. Small-business servers, in which the operator is an agent of the user,
2. Large-business servers, in which the operator is an agent of the company that owns the
equipment, but may not be entitled to access the content of any particular user,
3. Premises equipment in which the operator is a provider of some data-oriented service.
This scenario has two further subcases:
A)Content delivery devices (including set top boxes) (such as multimedia content) in
which the user is not generally offered the option to install software, or in which the
enablement of available user options is accomplished through the intervention of the
B) Enhanced premises devices (such as connected gaming devices), in which either the
user may cause the installation of new applications and/or services that the user can
subsequently cause to run.
4. Handheld devices, in which the user is the operator, not all software is equally trusted,
and the users wishe to pro