Is SaaS less secure?
Author: Michael Osterman on September 14, 2009 - 2:01 PM

In a major study of the SaaS messaging market that we will be publishing this week, we address the perception of many IT decision makers that the security of a SaaS solution is inferior to that of on-premise systems.  For example, in response to the question, “What level of security do you feel that hosted/SaaS providers offer versus internally managed systems?”, 25% of IT decision makers told us that hosted/SaaS providers offer a lower level of security.  By contrast, only 20% of decision makers believe that SaaS providers’ security is better than their own, while the bulk of them believe there is no difference.

What are the specific fears that decision makers have with regard to hosted/SaaS solutions?  Among the reasons given in the research were the following, in order of concern:

· Non-authorized users from providers will have access to the data

· Lack of familiarity with providers’ security procedures

· Data may be compromised during transmission

· Security of in-house solutions can be enhanced by having multiple layers of protection

I believe there are two key takeaways from this data:

· First, SaaS providers need to embark on a serious education program to help IT decision makers understand just how secure their infrastructure and data transmission really is.  That might include white papers, online videos, in-person tours, etc. that demonstrate the logical and physical security that all leading SaaS providers offer.

· As a corollary to this, SaaS providers need to help decision makers understand the gaps in many of their prospective customers’ internal security procedures that may be giving them a false sense of security.  For example, SaaS providers need to point out that in many organizations, any employee can gain access to a server room or a backup tape quite easily, leaving the organization vulnerable to serious data loss.

I want to be clear that it’s not our position that internal security is always inferior to the level of security offered by SaaS providers.  Many organizations have deployed very robust security that can protect their data from unauthorized access.  However, on average, SaaS providers – at least the leading ones – offer better security than most of their prospective customers because a) they have the resources to do so and b) they have much more to lose if they don’t.


OR Commentary for Messaging Wire

Week of 09/14/09

Comments
SaaS Security
Thanks for the article. The argument is pretty straightforward: since security management is centralized, the SaaS vendor can afford a more robust security infrastructure than a company whose main business is something else. Moreover, as companies get experience handling solution security, it is an area they develop expertise in. You have rightly said that SaaS vendors should extensively document security arrangements and make this information available to end customers. In this spirit, we have published a white paper laying out our security in detail, so that our customers can make an informed decision. Pankaj http://www.hyperoffice.com
Posted By Pankaj on 09/22/2009 1:22 PM
Appropriate Fear. Inappropriate Reaction
The fear of security or the lack thereof is quite appropriate for IT to have. After all, it is their jobs on the line if sensitive data ends up in the wrong hands. However, looking at the reaction of IT to use security as a shield and shy away from SaaS is inappropriate. The situation gets more complicated when there are so many SaaS vendors cropping up and they are small operations, and to really provide a trustworthy service, the SAS 70 audits pose a very expensive hurdle. What would be great is if there were analysts in the industry who provide a third-party rating on how good a job these vendors did on securing the data. At PivotLink, when large enterprise companies, public companies and companies with sensitive HIPAA data engaged with us, they clearly highlighted this issue. And we listened. Our operations team just won the company a SAS 70 Type II certification for the entire service end-to-end. We are the first SaaS BI company to do this and we think that with this certification some prospects will find that we are actually better at handling their data than their own internal operations. They will also find that it will help reduce their cost of SOX compliance around their BI operations. http://www.pivotlink.com/sas-70
Posted By Ajay Dawar on 09/18/2009 9:43 AM