There are likely SaaS vendors out there who have not adequately secured their applications, and there are definitely SaaS vendors who could do a better job at it. However, the real problem with SaaS security has little to do with either of these situations.
No, the real problem with SaaS security has to do with education. I came to this conclusion after speaking with Justin Pirie, director of content and communities at Mimecast and author of Paradigm Shift, a blog devoted to SaaS and Cloud product management.
We were talking in the wake of the announcement that a very large company (presumably Wal-Mart) had signed a 2.1 million seat deal with SuccessFactors. Justin, among others, interpreted this announcement as a clear sign that SaaS had "crossed the chasm." Now, when a huge global company decides to entrust important employee data to a cloud-based service, it would seem to indicate that concerns about cloud security are somewhat overblown. After all, somebody is obviously doing it right.
When I mention this to Justin, he replies, "Not all clouds are created equal. There are some providers that take security very, very, very seriously. It's a 'security first' approach. With those providers, we haven't seen a major breach of security." The real issue, as he sees it, isn't with security per se, but that customers don't know how to properly vet the security measures taken by different SaaS vendors. When asked why that is, Justin responds, "It's hard because the standards are just emerging, and that's the nub of it."
There are standards, of course - SAS 70 and ISO 27001 being the two most prominent certifications in this area - but these cover information security more broadly and are not cloud specific. There are also organizations like the Cloud Security Alliance and CloudAudit who are working on standard practices and certifications, but those are not yet complete. In the interim, Justin says, "It's 'look at what we've done,' 'this is how long we've done it for,' and 'look at our customers.' It's the same old game."
In other words, without a common set of standards, SaaS vendors establish trust with their clients the old-fashioned way: they earn it. "If you look at a lot of the companies doing big deals," Justin adds, "they've got a lot of experience in market, successful experience in market, and I think that counts for a lot." Of course, even when you have this experience, demonstrating security can be a hard slog.
"It's very hard to differentiate talking about how you run your business internally," he explains. "And that's one of the reasons that we're all very supportive of standards. They provide a common reference point for people and you are either compliant or not." Until the standards are firmly in place, however, SaaS vendors need to take a more educational approach. As Justin puts it, a lot of pain in the market is coming from the fact that "people don't necessarily understand the architecture" of various solutions. Due to this lack of understanding, they may end up choosing an insecure platform based on price or functionality or how quickly they can get the application into their business.
Price, functionality, and speed are all legitimate business concerns, Justin insists, but a focus on these often means that questions of security and compliance go by the board. For this reason, Justin concludes, "We need to do something to help people understand what makes stuff secure." To accomplish that, vendors need to do more than just talk about their own track record. Instead, they need to provide potential customers with a toolkit to help them evaluate vendors by showing "how to work out whether they have a serious attitude towards security."
For all the challenges, however, Justin is very optimistic about the future of SaaS security. "In the next 12 months," he says, "as the space matures, massively, as the standards come out, then things will really change quickly."
Until then, the name of the game is "educate."
Mar 16 2010, 07:18 PM
Filed under: Security, cloud security, Cloud, SaaS, Wal-Mart, SuccessFactors, Matthew T Grant, SAS 70, ISO 27001, Justin Pirie, Mimecast, MatthewTGrant, Security Web