Taking the risk out of SaaS

What is needed for you to believe that entrusting your data to a SaaS provider is a safe path?

Web Applications Alert By Mark Gibbs, Network World
March 26, 2008 12:05 AM ET

I've been thinking about Software as a Service. SaaS is a topic I've covered extensively in this newsletter. Both here and in other press coverage you've heard a lot about the advantages of SaaS: It reduces or even eliminates implementation costs; it minimizes management; it removes the need to perform upgrades or backups; etc., etc. In short, SaaS removes many of the headaches that are part and parcel of in-house implementation, deployment, and management.

But there’s a downside that hasn’t been much discussed. This downside arises from the arm’s length nature of SaaS services that makes them so valuable: What goes on “under the hood” of most SaaS operations is hidden; they are “black box” services.

While many SaaS providers offer some guarantees, such as backup frequency and availability, few, if any, offer “deep assurances.” To name just a few omissions, they typically don’t guarantee backup reliability, provide proof of system hardening, or provide any kind of certification of their ability to detect compromised systems in their infrastructure.

This last issue is one that should concern any SaaS user that plans to store any amount of private data on a service. Let’s say a service you use is cracked by hackers or by industrial espionage operators. By whatever method, they gain backdoor entry and get access to client data.

If it’s your HR data or your corporate accounts they can browse, then there’s a serious risk to any or all of the private data you have. But even worse, how would you know? And even worse still, at least in corporate terms, might be the consequences if the data is modified! Just imagine how hard it could be rebuilding a set of accounts that has been subtly modified over weeks or months.

And should the SaaS vendor find that they have been compromised, would they tell you? If revealing such a problem means that their business could go “belly up” there is the real possibility that the vendor could decide to hush it up.

What is needed is an independent SaaS Business Bureau – an independent organization that evaluates SaaS offerings for their adherence to standards and implementation of “best practice” safeguards and auditing procedures.

Sure, such a certification process would be costly and could result in cost increases for clients, but wouldn’t you rather do business with a service provider that provides guarantees that are more than superficial and are in line with well-understood and accepted industry practices?

What do you think? How much do you trust SaaS vendors, and has that distrust resulted in reluctance on your part to allow them to handle your private data? What is needed for you to believe that entrusting your data to a SaaS provider is a safe path?

Mark Gibbs is a consultant, author, journalist, columnist and blogger.
