The delivery of cloud-based application functionality via the Software as a Service (SaaS) model frequently sparks security-related concerns. In our latest workshop on hosted apps, Reg readers have been very forthcoming about their nervousness in this area. In parallel with the workshop, however, we have been gathering data …
amber and green
"If you took part in the survey and your responses fell more into the red or amber areas on this picture then you obviously have some significant user-related exposure"
Either I've recently gone colour-blind or there's been some sort of SNAFU.
What if your responses fell into the grey or really-dark-red areas of the picture?
nail, head... contact!
As a SaaS provider, my research and feedback within the general computing community aligns with this survey; i.e. security is the primary concern. As you rightly highlight, it's not so much physical security, but data security - how can you even tell if a data breach has occurred and your data compromised? Let's not forget there's a major(!) SaaS CRM provider who is reported to host all user entered data and information IN THE SAME DATABASE as for every other customer! If a single actor gains access to the database with escalated privileges then they get everything from everyone.
Personally, the thought of using many of the online office suites and other applications springing up causes me to come out in hives and run around screaming in fear. IMHO you'd have to be very brave(!) to use a SaaS application for anything that's business related without a thorough due diligence investigation on the provider and obtaining a 3rd party penetration test report before considering using them. Alternatively avoid them like the plague if they won't comply - including Google. If they're not serious about protecting your data, then they don't deserve your business.
I'm starting to think El Reg is getting kickbacks from 'cloud' companies.
You certainly seem to spend a lot of time publishing articles advocating 'cloud' solutions to every possible IT scenario.
That hurts, really hurts (from the author)
Seriously, me, accused of being a cloud advocate :-)
A quick Google search on the author name and the word 'cloud' should put this latest article into perspective - I mostly get accused of being a cloud sceptic for not accepting all the rhetoric from the evangelists in this area.
However, I am not really a sceptic but a realist, and those who make generalised negative claims are as bad as the cloud marketeers in my book.
The point I am trying to make here is that lots of people are bashing SaaS providers indiscriminately on the whole security thing, when at the same time they are telling us (through surveys on this site and other research) that their own on-premise solutions are far from perfect, and their user bases (for various reasons) are a bit of a liability. Against this background, a good SaaS service could actually improve things. Does that mean I am saying go out and do the SaaS thing to solve all of your security problems? Of course not, but it's equally ludicrous to say don't consider anything SaaS because you are bound to run into security problems.
Look, like it or not, SaaS is here to stay, and its use is growing. Right now, a big part of my day job is encouraging people to think and do proper due diligence before diving in because the positive coverage far outweighs the negative stuff across the industry, and it's too easy to get sucked in. In the interests of objectivity, though, we also need to call it when people are put off considering SaaS (or any IT delivery option, for that matter) because the risks have been exaggerated.
And please don't leap on this as me saying that security concerns with SaaS are totally ill-founded, but there is a lot of generalisation, misinformation and frequently encountered lack of perspective that does tend to exaggerate the issues.
RE: That hurts
I think a lot of it is down to the way humans judge risk. To use an analogy, many people are really scared of flying because of the perceived risks, but will happily get in a car. One involves placing your trust in people who are highly trained and highly regulated, where the vehicles are well maintained, and an industry that actually has a good record overall. The other involves placing your life in the hands of people who got the bare minimum of training, possibly only just scraped through the test, and have never had their skills checked since - and often using vehicles that only get the bare minimum of maintenance the owner can get away with (and only then when the annual basic check comes around).
So what is the difference?
Well to start with, when flying, unless you are the pilot then you get a seat with a poor view and you have no control over your own destiny. The downside to being the pilot of course is that you are normally closest to the accident since aircraft don't normally reverse into things in the air :) Accidents are generally not common, and when they do happen are often hyped in the media. Though things do seem to be improving, a typical report of a small plane making an emergency landing might well mention that it missed a school by only 2 miles! The fact that accidents to commercial aircraft tend to involve infrequent but large loss of life tends to dominate memories (Pan Am over Lockerbie, and Tenerife 1977, for example), while incidents where people walked away tend to be less well remembered: the "Sullenberger Approach" to a landing on the Hudson River, and the "Gimli Glider", for example.
So flying is associated with "we're all going to die" if anything goes wrong.
But for driving, it's something most people do every day - there's no novelty value, and accidents are so common that they rarely make mass media headlines. Only the most serious even make national TV news, while most will be lucky to do more than the front page of the local rag. Yet in the UK alone, around 8 people a day are killed on the roads.
That means in the UK alone, 2 to 3 times as many people are killed on the roads each year as are killed worldwide in aircraft accidents. Yet people are scared of flying, but not worried at all about driving.
So it's all, or mostly (yes I know, there's all sort of other factors to include), down to perception.
Getting back to the subject of SaaS, I think it's much the same.
With SaaS you are not in control, and something you can't control is something most people fear - even if you are outsourcing to a much bigger organisation that can throw more knowledge/skills at the problems than you as a small business can justify. Yes, in house measures (whether it's security or backups or availability) are likely to have problems, but they are something you feel you have control over and can juggle with your priorities. Once you outsource all that, you lose visibility and control - and that causes fear.
Yes, as professionals we should be able to look at this sort of thing objectively, but we are also human and suffer from all those human traits. Also, at the end of the day, many decisions come down to preference - you often cannot say option A is better or worse than option B, just different, and you make a personal decision based on which you prefer.
I like this analysis. It's an analogy I hadn't considered before, but it really does help to explain some commonly encountered attitudes and behaviour. Nice one.