5 Steps To Secure SaaS update from March 2011

Download the entire Mar. 7, 2011 issue of InformationWeek, distributed in an all-digital format as part of our Green Initiative
(Registration required.)
We will plant a tree for each of the first 5,000 downloads.

2011 SaaS Poll: Serving Two Masters?

Just about any business function supported by enterprise IT has the potential to be delivered as a service or hosted externally. Software as a service is particularly popular. Our 2011 InformationWeek Analytics SaaS Survey showed a 13-point jump in the percentage of companies using SaaS, up to 60% from 47% in just 11 months. Need a new community outreach application? Build it for the cloud. E-mail maintenance got you down? Ship that app out. Can't get what you want from Amazon, Google, IBM, Microsoft, or Salesforce? Take a look at the hundreds of new SaaS providers, all of which are making grand promises of uptime, scalability, and cost efficiency.

But what about security?

SaaS vendors tend to shy away from that discussion. They disclose very little about their security practices, your rights as a customer, or exactly how your company's data is protected while in their care.

We predict that the growth of SaaS and other cloud services will eventually stall as compliance failures and data compromises are uncovered, at which time cloud providers will be forced to divulge more information. Until then, it's up you to perform due diligence before allowing sensitive data to reside off site.

What's In A Name? A Lot

When I managed security for a division of Walt Disney, my team evaluated several cloud providers for small community applications--for a contest on ESPN, for instance, or a short-lived Flash game built to promote a show debuting on ABC. These were applications with no sensitive data or even logins. Since Disney is so large, we usually got our security questions answered. We knew we were still taking some risks, since we had no day-to-day insight into the provider's network, virtualization infrastructure, or any internal controls, but we gathered enough facts to make informed decisions. We followed the same process when we launched a Google Apps pilot in some smaller divisions. Again, because it was Disney, Google was willing to share information to get the company signed on as an early adopter.

When you're Disney, life is good. But as I found recently when discussing security with a cloud vendor without disclosing the company I work for now (TiVo), not every customer has that leverage. This time, the rep wouldn't provide security information. He simply recited the marketing line and offered a SAS 70 report for the vendor's data center. This company had taken the stance that providing information on security controls is, in itself, a security vulnerability and said we should just trust it. Once the laughter died down, I asked a serious question: Why should I trust you with my data and the reputation of my company when you won't trust me with documentation or insight?

Unfortunately, for the vast majority of companies, it's difficult to get the formal information we need to make smart decisions about risk. In these cases, we need to take matters into our own hands.

To read the rest of the article,
Download the March 2011 issue of InformationWeek

Research: SaaS 2011

Adoption Soars, Yet Deployment Concerns Linger
Become an InformationWeek Analytics subscriber and get our full report on SaaS 2011.

This report includes 43 pages of action-oriented analysis packed with 30 charts. What you'll find:

Get This And All Our Reports