
5 Steps To Secure SaaS

To keep your off-site data safe, don't let vendors dodge the hard questions.

InformationWeek Green - Mar. 7, 2011
Download the entire Mar. 7, 2011 issue of InformationWeek, distributed in an all-digital format as part of our Green Initiative


Just about any business function supported by enterprise IT has the potential to be delivered as a service or hosted externally. Software as a service is particularly popular. Our 2011 InformationWeek Analytics SaaS Survey showed a 13-point jump in the percentage of companies using SaaS, up to 60% from 47% in just 11 months. Need a new community outreach application? Build it for the cloud. E-mail maintenance got you down? Ship that app out. Can't get what you want from Amazon, Google, IBM, Microsoft, or Salesforce? Take a look at the hundreds of new SaaS providers, all of which are making grand promises of uptime, scalability, and cost efficiency.

But what about security?

SaaS vendors tend to shy away from that discussion. They disclose very little about their security practices, your rights as a customer, or exactly how your company's data is protected while in their care.

We predict that the growth of SaaS and other cloud services will eventually stall as compliance failures and data compromises are uncovered, at which time cloud providers will be forced to divulge more information. Until then, it's up to you to perform due diligence before allowing sensitive data to reside off site.

What's In A Name? A Lot

When I managed security for a division of Walt Disney, my team evaluated several cloud providers for small community applications--for a contest on ESPN, for instance, or a short-lived Flash game built to promote a show debuting on ABC. These were applications with no sensitive data or even logins. Since Disney is so large, we usually got our security questions answered. We knew we were still taking some risks, since we had no day-to-day insight into the provider's network, virtualization infrastructure, or any internal controls, but we gathered enough facts to make informed decisions. We followed the same process when we launched a Google Apps pilot in some smaller divisions. Again, because it was Disney, Google was willing to share information to get the company signed on as an early adopter.

When you're Disney, life is good. But as I found recently when discussing security with a cloud vendor without disclosing the company I work for now (TiVo), not every customer has that leverage. This time, the rep wouldn't provide security information. He simply recited the marketing line and offered a SAS 70 report for the vendor's data center. This company had taken the stance that providing information on security controls is, in itself, a security vulnerability and said we should just trust it. Once the laughter died down, I asked a serious question: Why should I trust you with my data and the reputation of my company when you won't trust me with documentation or insight?

Unfortunately, for the vast majority of companies, it's difficult to get the formal information we need to make smart decisions about risk. In these cases, we need to take matters into our own hands.

To read the rest of the article, download the March 2011 issue of InformationWeek.
