Users See Security Issues in SaaS

Vendors tout SaaS as the wave of the future, but many users are yet to be convinced

April 8, 2008


ORLANDO, Fla. -- Software as a service (SaaS) may be one of the hottest storage networking technologies, but users are still nervous about sending their critical data off-site.

“We just don’t feel comfortable with that; it’s more secure for us to keep it in-house,” said William Souder, the chief information security officer at Berry College in Mount Berry, Ga. “Our data is so sensitive with regard to the Family Educational Rights and Family Act (FERPA) and HIPAA, that we’re constrained.”

A myriad of vendors, including IBM, Google, Dell, and EMC, have thrown their weight behind SaaS, whether in the form of cloud computing, hosted email, or online backup services.

Berry College’s Souder did not rule out the possibility of using SaaS at some point in the future, but said that he would take some convincing before deploying the technology.

“We could put things out to a third party, but the vendor would have to be certified, and we would have to think about the transport of the data going over the WAN,” he said.

It is not just the educational sector where data has to be carefully guarded, and a user in the health care sector told Byte and Switch that he is also nervous about the SaaS model.

“We’re keeping all our stuff in-house,” said an IT manager from a Florida-based health care provider, who asked not to be named. “Security is one thing but cost is a big factor also.”

HP is the latest vendor to get in on the SaaS act, unveiling its Upline online backup service earlier today.

It seems vendors clearly have a job on their hands persuading users that the benefits of SaaS outweigh the potential risks.

“From the supply side, there’s a hell of a lot of evangelizing to do around this,” said IDC analyst Doug Chandler during a presentation today, in which he urged users to perform extensive due diligence before jumping into SaaS.

“Make sure that the provider understands your security concerns. What type of encryption are they using? What type of security do they have for their own data centers?”

In short, users need to consider all the possible scenarios involved in a SaaS deployment, including what could happen when vendor relations go sour.

“Something that a lot of people don’t think about off the bat is the exit plan,” explained Chandler. “If the contract has to be ended -- how do you know that you have got all your data back, and how do you know that the provider has destroyed all the copies of your data?”
