The SaaS Security Conundrum

As SaaS and Cloud Computing mature, a lot of the discussions on cost have turned to concerns over security. Many people believe that implementing SaaS can save money and free up IT staff for more business critical tasks. Now security is the biggest concern about moving to SaaS.
  
1. Is my data safe?

2. Will a hacker get to my information? 

3. What if my service provider goes down?
  
These are all legitimate questions and ones that organizations need to ask of their on-premise systems too.


Data Safety

Most businesses believe they have adequate controls on their information when it’s inside the firewall.  They use Microsoft Active Directory, local security or other LDAP systems to control file and system access.  Yet there are daily news stories of insiders stealing documents even with these controls in place.


Hacker Access
Companies are working diligently to keep the bad guys out.  IT implements firewalls, intrusion detection systems, antivirus, anti-malware, DMZs, SSL and countless other measures to ensure that hackers can’t get inside.  Yet we keep hearing about data breaches that get right through all these defenses.  


Service Provider Reliability 
I have had numerous times when the internal email or ERP system went down.  Sometimes it was faulty hardware.  Sometimes the WAN went down.  We even had a situation when someone accidentally unplugged a server rack.  All these things can and will happen in data centers and server rooms.


SaaS Alternative
The advantage of SaaS providers is that they have to create and maintain bullet-proof facilities, since they service so many customers. As an example, Iron Mountain has an underground data center for their Digital Record Center for Images. This facility has a Level 4 security rating (the highest) and armed guards, maintains redundant power, cooling and computer systems, and can run on backup power for 7 days. It maintains a mirror site and has 128-bit encrypted communications. Other SaaS providers, such as Salesforce.com, maintain sophisticated and secure facilities to run their applications. These providers maintain systems that are more secure and provide greater reliability than most on-premise environments.

All the stories I hear about data breaches and stealing documents are from on-premise environments. IDC reported that many businesses don’t even deploy the basic security measures for their internal systems. A SaaS provider could never get away with that. I would say the SaaS providers maintain systems that are at least as secure if not more secure than most internal environments.
  
What is your experience?

  
Photo credit Michael Hilton

Comments 3

  1. One thing to remember also when having a server system, aside from having good and secure server racks, is to select only legitimate people who can enter the room wherein the server racks are placed, so that no problems will happen in the server system.

  2. That's very true. Part of successful data governance is ensuring that only authorized people have access to your data. Letting anyone into your server room surely violates that.
