March 12, 2009, 2:17 PM — Security issues have to be clearly examined before diving into software as a service (SaaS), warns Burton Group analyst Eric Maiwald, who shed some light on the subject at this week's Infosec conference.
SaaS, offered via a cloud computing platform, can offer cost savings and speed in platform deployment in many instances, compared to a business trying to acquire and install software internally. Businesses eager to race into the cloud typically say "they can measure the cost savings the first couple of years," said Maiwald. "But I think they're leaving something out."
What's often missing is inclusion of the costs to conduct a suitable level of verification on the vendor, including security and legal reviews, data-center site visits and other practices necessary to ensure compliance obligations are met.
Beyond the hard cost considerations, there are myriad security questions any business should be asking, Maiwald said. These include:
- Which of the SaaS employees has root and database access, and will anything prevent them from getting access to your corporate data? What controls are in place?
- Is data held encrypted? How?
- Is the held data separated between clients or is it all stored on one huge database out there? How is data separated? How will the legal question of e-discovery be addressed should it arise as a business concern?
- Is the data flowing between the business and the vendor's cloud-computing infrastructure secured in some way?
- What controls would prevent vendor insiders from downloading your data onto a USB stick and walking out the door?
- In terms of service availability, can you get your vendor to sign a service-level agreement?
- Is their data center in a location prone to hurricanes or earthquakes? What are their back-up plans?
- What information is captured in audit logs?
- Are there ways to limit where SaaS vendors go within the corporate network?
Despite his critical remarks, Maiwald acknowledged in some instances SaaS and cloud computing vendors may offer better availability than their business clientele could achieve due to the investments vendors can make to scale up their services.
"Google, Microsoft, Amazon are doing amazing stuff with what they're putting into their data centers," he said.
He noted that a few years ago SaaS-styled vendors would be vague in discussing their security controls, but just recently at a forum with Salesforce.com, Qualys, IBM and others, he found vendors much more forthcoming than previously.
One aspect of SaaS to be mindful about is that vendors prefer to provide a common set of services in order to take advantage of scale, Maiwald pointed out. So that means "vendors may not be willing to change internal policies as their economies of scale will suffer," he said.
Maiwald added that technical controls, such as for content or rights management, typically don't work as well in an outsourced environment. When you entrust your data to SaaS, "audit replaces your day-to-day management controls and technical controls," he asserts, adding contracts have to carefully crafted, something IT people will need a lot of help in from legal staff.
Many businesses may want to ask if the SaaS vendor they're considering has passed a so-called "SAS 70" audit, Maiwald said. There are two types of SAS-70 audits, he points out, and Type 2 is much more stringent.
The larger question of how SaaS may impact the business in general can't be ignored since companies may be sacrificing IT skills and competence when they choose SaaS. Maiwald said his basic recommendation would be to limit the number of SaaS vendors to a few strategic partners.