Software as a dis-service?
Thu, 2007-04-26 00:30

I am attending the Gartner Symposium ITExpo this week in San Francisco.  One thing that I've noticed is that there is a ton of talk about Software as a Service (SaaS).  I'm sure that everyone is pretty familiar with this concept -- think Gmail, Google Apps, SalesForce.com, and so on. These are hosted solutions that are intended to provide a great deal of "bang for the buck" because the companies using them don't need to build the necessary infrastructure.  Because a SaaS solution is shared by many companies, each can benefit from the economy of scale.  Such services are inherently attractive to small and medium businesses, or to companies wishing to streamline the cost and time involved in implementing solutions.

I tend to worry about SaaS from a security perspective for a couple of reasons.  Even assuming that we get past the issues related to having a third party process and house the company's business data, I am still worried about the fact that the application depends on the network.  So, if a company is going to use SaaS for a 'mission critical' application, it needs to do a risk assessment of the potential impacts of issues ranging from network outages (on either party's side) to the possibility of the hosting company going out of business or deciding to hold one's data hostage.

To a certain extent, issues related to "managed services gone wild" can be thought of in a similar fashion to Business Continuity and Disaster Recovery.  A timely example of a SaaS offering having issues is the recent BlackBerry outage. Companies need to do a business impact analysis around the potential pitfalls of managed services.  They need to create contractual protections for failures to meet service level expectations.  And they need to have a migration strategy which includes solid methods for retrieving and archiving their data.

Reader Feedback
Tue, 2007-05-01 12:04
SaaS
By Anonymous

Companies like Qualys were built on the SaaS model and have solved the issue. The network issues were talked about in the early days of the dotcoms. The network, whether internal or external, is always a consideration. Short-sighted views will easily be overcome (and in most cases have been) already. ASPs and other hosting companies have solved many of the issues and, since they were built anew, most do not have the legacy issues with securing data that most brick and mortar companies have. Can you name any brick and mortar company who fully encrypts their data (databases); segregates their development; and does not use 'live' data for test and development?

There are of course some new companies trying to jump on the bandwagon who do not secure customer information.

The SaaS model will be adopted and the Bill Joy vision of the network as the computer is taking hold. It is only a matter of time before CIOs realize the value of not having to deploy, build, manage, update, configure, add and train staff and worry about how all the customization they have done will impact the next upgrade. Those cost factors will reign supreme.
