Information Security Magazine Online Edition:

Embrace SaaS; You Have No Choice

02 Apr 2009


Information Security magazine, April issue


Download the entire April issue of Information Security magazine here in PDF format.

The lure of software-as-a-service is simple: It comes down to cold hard cash.

So in this economic environment, it comes as no surprise that organizations, large and small, are looking to SaaS providers to offer them services where they pay for infrastructure or expertise on a monthly basis.

Salesforce.com, offering hosted CRM, is the poster child for the SaaS space. Other business applications using the SaaS model include HR, expense reporting and the like. We've seen SaaS models also pop up in the security space with Qualys, Webroot, Google, Veracode, Zscaler and Purewire, among others, offering security services ranging from messaging security to vulnerability assessment to application security testing. With huge data centers, Amazon and Google rent their capacity on a by-job basis.

It seems to me that in a relatively short amount of time this will be the way we use computing power and access applications. It will radically change the ways businesses operate -- much like what Web browsers and email did in the 1990s.

And you've got to adapt. You'll have no choice. So the time is now to look at the security and regulatory implications of these types of services and get ahead of a wave that seems almost inevitable.

The reason SaaS works at the lower price points is that providers can host multiple customers on a shared infrastructure. And it's just this type of architecture that could be very troubling for a security team. As a security manager, you have to insert yourself into the conversation and lay out a few necessary requirements.

The first must be clear separation of customer data. In addition, you need to determine whether you can get access to logging and audit trails for both compliance and security should an incident occur. Moreover, determine how secure their Web applications are. And what about insider threats at the provider's facility? What are your provider's access controls? How does your provider handle breaches or other insider threats?

Add in government and industry regulations and you've got a lot to muddle through.

But thankfully there is lots of time for discussion and fixes. The market is relatively new and many of these questions will need to be hashed out. It is your job as users of these services to force the SaaS providers to offer you the adequate answers you need.

It will take time, but as with other technologies before this, the industry, and security practitioners, will come up with a way to make it work.

Kelley Damore is Editorial Director of Information Security and TechTarget's Security Media Group. Send your comments on this column to feedback@infosecuritymag.com.


