Enterprise Cloud Applications (ECA), or Software as a Service (SaaS), is clearly the next evolution in business application software. Watching Marc Benioff at Dreamforce say the same thing confirms this. The question is: what is holding business back from achieving the lower Total Cost of Ownership (TCO) and higher functionality offered by SaaS solutions?
Security is a key concern among potential clients. These concerns are understandable. There are three facets of security that I would like to address today:
- User Security - Security from internal attack
- Data Security - Data Retention and Fail Over
- External Attack - Attacks from external parties to extract data
Ensuring that users do not get access to data or views they do not have privileges for is a well-understood problem. It is addressed by SaaS providers such as Salesforce.com and Workday, leveraging role-based security. Additionally, direct data access is managed by restricting IT access to the data via a trusted source within the company. Most SaaS providers offer change logs to allow an IT indiscretion to be tracked and addressed. Additionally, data access is restricted for the SaaS provider’s resources as well. It is safe to say that SaaS is just as secure as traditional on-premise solutions.
High availability, fail over and data retention strategies are crucial to the survival of SaaS companies. A small to mid-market business can only afford lower-end equipment and solutions to address these challenges. However, the economies of scale and the multi-tenant strategy of SaaS vendors allow the purchase and deployment of world-class data security technology, which is provided to all clients equally. To ensure confidence in the market, SaaS companies achieve the highest levels of certification. These security measures far exceed what most small and mid-size enterprises can put into place. They also go beyond the safeguards of many large-scale enterprises by providing integrated audit capabilities. Additionally, the off-site hosting brings built-in disaster recovery and business continuity benefits.
SaaS solutions are designed to be hosted in secure, efficient sites and deployed to users over the Internet. This also enables them to be accessed globally, in many languages, through many devices (PCs, notebooks, iPads, smartphones, etc.). SaaS providers use network encryption with Secure Sockets Layer (SSL) for securing data flow over the Internet as well as specific data encryption. Sufficient safeguards are adopted against network security issues such as Man-in-the-Middle (MITM) attacks, IP spoofing, port scanning, packet sniffing, etc. Furthermore, independent security researchers should be utilized to validate SaaS claims. The SaaS leaders are acutely aware of this challenge and use their economies of scale to deploy security professionals to develop, test, and detect attempted intrusions. You have to ask yourself as a potential client, "How much expertise do I have compared to this SaaS provider in the area of security?"
Legacy software was built to sit behind a firewall with limited access for end-users or authorized third parties. This has made traditional, on-premise software less useful not only for a mobile workforce, but also for geographically dispersed customers and business partners. It also puts the burden of security on small security teams (or a single resource). While you should ask the questions necessary to build your comfort, SaaS security expertise is typically world-class and far stronger than what an end business can provide for itself.