MISTAKE 2: Not offering a rollback to the last prior version
The problem with the first mistake is that customers are now faced with compatibility issues in their environment that can cause a freeze-up of essential IT functions, including those related to security. The natural course for the IT security practitioner is to uninstall the new but incompatible version, dust off the CD with the last version of the product, and re-install the version that has proven itself stable in that environment. But in the cloud it's not always so simple, especially in this case, where the vendor offered no rollback option. "You get forced into a mixed environment and have no way to react," Puhlmann said.
MISTAKE 3: Not offering customers a choice to select timing of an upgrade
For IT security practitioners, dealing with new versions of software or a service that prove incompatible is nothing new. It happens just about every month when Microsoft releases its security updates. But in most cases, IT shops have control over when an update is pushed out in their environments. In the case of Microsoft's monthly Patch Tuesday updates, most IT admins run the updates through a roughly week-long gauntlet of testing and tweaking before deploying company-wide. But in this case, customers had no control over the timing of upgrades in their environments, Puhlmann said.
MISTAKE 4: New versions ignore prior configurations or settings, which creates instability in the customer environment
The third mistake was particularly problematic because the new version of the SaaS product proved buggy. For example, it disregarded whitelist and firewall settings programmed into the previous version, causing computers to suddenly bog down with pop-up warnings for a variety of commonly used applications, including those built and maintained in-house. "The client now doesn't trust itself and blocks everything," he said. "Integrity between a cloud and an endpoint is essential, and this sort of disconnect could be exploited for denial-of-service attacks and the like. Vendors need to be thinking about this."
MISTAKE 5: Not offering a safety valve
Had the vendor offered some sort of safety mechanism in its cloud configuration, customers could have at least limited the damage upon realizing a bug was mucking up the works, Puhlmann said. But as far as he could tell, there was no such mechanism.
What customers can learn from this
Puhlmann does credit the vendor for its response to the mistakes he warned them about. They are now working to improve the process. For customers delving into the cloud who may have concerns about these things happening to them, his advice is simple: Ask a lot of questions before signing on the dotted line.