January 09, 2009, 5:18 PM — Concern about security is cited as one of the greatest hurdles to implementing SaaS. I had the opportunity to talk to a few SaaS providers regarding security concerns and would like to share what I learned from these providers.
Security is a broad term that can be broken down into three areas: data center, application and user. Each of these areas has its own security best practices schema and ignoring any one area presents a security vulnerability to the firm and its data. The best SaaS providers in the market discuss each of these areas with their customers, demonstrating how their SaaS solution is as secure, and frequently more secure, than what an internal IT department can provide. A bold statement, I know, but read on and you will learn whyÂ SaaS implementations are more secure than on-premise solutions.
Data Center Security
There are only two points of entry into a SaaS environment: The front-end, which the users utilize; and the back-end, used by the SaaS provider for maintenance and management. Limited entry eliminates all the ways in which data is lost or stolen. Front-end entry is always through a secure, encrypted VPN leveraging identity and role-based access.
All of the firms I talked with for this piece referenced Symantec's research about rogue employees and lost laptops as the primary sources of data loss and theft. Working in the cloud removes the laptop issue and even the smartphone issue. Reducing broad access by limiting employees to the groups and teams they work in reduces the potential for intellectual property theft.
Application security is directly associated with identity and role based access permissions. Application security includes, but goes beyond the standard password access. By utilizing SaaS, application security also includes encryption of the password, logs the number of attempts to logon, and can encrypt field/text/attachments. Application security also disables Java Scripts, one of the leading causes of malware and malicious activities.
User security is rooted in role-based access and identity management. Identity management is maintained in the firm's LDAP directories. Permissions and denials are controlled by the firm's administrator. The directories can be either inside the firm's firewall, at the SaaS provider's site, or in a DMZ. Having the firm control the identity management directories enables the administrator to move quickly to enable or disable users as needed.
If you want to ease your mind regarding security in the SaaS environment, ask if the provider is SAS 70 Type II certified. This certification is highly comprehensive, includes regular audits to retain certification and covers just about everything you can think of regarding operating a business in the cloud.
The SAS 70 Type II certification ensures comprehensive change management documentation (including at the application level), backup and recovery requirements, disaster recovery requirements, physical level security requirements of the data center including access and mirrored data centers. A SaaS provider that has taken the time to obtain SAS 70 Type II certification is serious about its business.
There are other certifications to consider inquiring into, which I will address at another time.
I would like to publicly thank the gentlemen who took time to share their firm's best practices for security in the SaaS environment: OpSource's Treb Ryan; Serena Software's Rene Bonvanie and Atul Kumar; Service-Now's Rhett Glouser and Matt French; and Zoho's Raju Vegesna. Thank you for giving me your time, best practices and SaaS insights. Each has contributed substantially to this body of knowledge.
We will continually come back to the topic of security in the SaaS environment throughout the year. I will address another topic in the next post: What is the difference between an ASP and a SaaS provider? There are wolves in lamb's clothes out there. Don't get fooled. The check list should help you clearly see the differences.