While the “Future of SaaS” Survey had only been open for a few days, the trend of the responses to the question: Are There Any Concerns or Reluctance to Using Cloud-based Services? were clear. Even though the remaining options are getting votes, the top four answers are as we expected.
- Security – Does anyone have unauthorized access to my data in the “cloud”? (57% of respondents)
- Uptime - Can I get to my data when I need to? (62%)
- Data Ownership - Who owns our data? (52%)
- Retrieve-ability – Can we retrieve our data if we want to take it back on-premise? (48%)
Respondents are permitted to select more than one concern.
We may see some shift in the ordering of these concerns but, we expect these to remain the top four.
Click the link to download the results in our Whitepaper- The Future of SaaS – Survey Results.
The security concern of using a cloud-based service (SaaS) is the same as of an on-premise service. The familiar model of servers in an on-premise data center gives a sense of security. Having the server or service somewhere “in the cloud” brings about a sense of uncertainty. You can’t point to anything meaningful. Of course, the same can be said of using a bank instead of stuffing money under the mattress. Both have a set of risks with which you need to be comfortable.
Security involves two main questions:
- Does the cloud-based service hold data or just process it?
- How can a user gain access to the data?
An Email security service simply processes the email stream. They may hold spam in a queue awaiting someone to approve of messages deemed not to be spam. Past that, the email security services are not email repositories so, here is no data (beyond the spam queue) to see even it were possible to hack into it. There are logs of processing statistics but, there are no message content in those logs. The data is on your email server.
Web security services act as transparent proxies so, no data beyond logs are held by the proxy. Those logs usually show browser and bandwidth histories and may identify users’ specific browsing habits. These systems usually can be configured not to show user’s identity for greater privacy.
In contrast to the above, Hosted services such as email, business intelligence and CRM are data repositories and are of more concern. Unless you have arranged for the use of an entire real or virtual server, your data will be held on a multi-tenant server. All that means is that large capacious clusters of servers host your system along with other organizations. Just as your on-premise server farm can host multiple email post offices each with discrete sets of users, large multi-tenant server systems host multiple systems each for discrete sets of companies’ users.
Access to data
Studies on unauthorized access show that in the majority of cases, the unauthorized access was by someone inside the organization; someone who knew a login and password. The same problem will hold with a hosted service. To prevent someone outside your organization from gaining access, cloud-based systems strictly control the channels through which access can be made. Access to the data on a cloud-based server is via secure Internet connection (https) or a point-to-point VPN. Still, if users are not careful with logins and passwords, it doesn’t matter whether it is to an on-premise or cloud-based service.
A key to confidence in a SaaS data repository is confirming if the provider’s hosting and staff is SAS 70 Type II complaint. This covers all provider’s security, process, and hosting ability. It’s the highest level of audit done on hosted providers. It is unlikely that an organization’s on-premise could pass a SAS 70 Type II compliance audit.
Physical security of the data
Here is where most of first-time clients are surprised. Typically, cloud-based services are far more secure than all but the most extreme on-premise data center. They have to be since their reputation depends on security of your data. These are not some lashed-together servers in someone’s utility closet. Here’s an example of our hosted Microsoft Exchange 2010 system contrasted with typical on-premise conditions.
Our system consists of four clusters of servers throughout the US. Additional clusters are in the UK. Each cluster has the following security layers:
|Firewalls and intrusion detection platform security||Multiple, redundant firewalls +Intrusion Detection System (IDS)||Single firewall, possibly IDS||Single firewall, possibly IDS|
|Physical security||SAS 70 Level II security with: 24x7x365 video surveillance, security guards, secure entry||Limited||Limited|
|Security staff and employee controls||Dedicated security staff; Detailed employee access controls||Security role shared w/IT Ops||Security role shared w/IT Ops|
Putting in a massive cluster of redundant and replicating servers in such highly secure data centers is usually beyond the budget and need of most organizations. What a cloud-based system offers most organizations is secure, pay-as-you-use systems.
So, how do you become comfortable with a potential SaaS vendor? Ask questions. Contrast their solution among vendors and your on-premise solution. For a list of good questions to ask, read our, Critical Questions to Ask a Potential SaaS Provider.