This article can also be found in the Premium Editorial Download "Information Security magazine: Seven questions to ask before committing to SaaS."
QUESTION 4: Is there a single-tenant hosting option separated from that of other customers?
Another complicating factor is that in a true SaaS multi-tenant deployment, your company's data may be side-by-side with another company's data.
So it's important to understand how things are kept separate.
"The risk is that your data could leak out of your environment and be seen by other customers, potentially even their competitors," says Acumen's Stanley.
There are several ways in which customer data can be separated, and it's important to understand which method your SaaS provider uses, she says. For example, if the division occurs within the application itself, a bug within the application could cause a failure of separation, meaning your data could be exposed to other customers or, in a worst-case scenario, to the outside world. Another way of keeping customers separate involves working with separate Web servers running on shared hardware.
The rise of virtualization, with customers potentially hosted on different virtual machines, should make separation easier. But Burton Group cautions that while this will cut down on risks, these virtual operating systems are subject to the same risks. Moreover, the hypervisor management layer adds a level of vulnerability.
Stanley says your provider should run regular tests for data leaks. If it does not, you might be better off insisting on a single-tenant data storage option (closer to outsourcing) or looking for a provider that offers this choice, she says.
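The following added example (not from the article or any provider's code) sketches what a regular data-leak test can look like when separation is enforced inside the application: each tenant gets a canary record, and the test fails if any tenant can see another's canary. The shared-table layout, tenant names and function names are assumptions made for illustration.

```python
import sqlite3

# Constructed sample data: two tenants share one table; each has a canary row.
ROWS = [
    ("acme", "invoice 1001"), ("acme", "CANARY-acme"),
    ("globex", "invoice 2001"), ("globex", "CANARY-globex"),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (tenant_id TEXT NOT NULL, body TEXT NOT NULL)")
    db.executemany("INSERT INTO records VALUES (?, ?)", ROWS)
    return db

def search_buggy(db, tenant_id, term):
    # Separation bug: the tenant filter was forgotten on this code path.
    cur = db.execute("SELECT body FROM records WHERE body LIKE ?", (f"%{term}%",))
    return [r[0] for r in cur]

def search_scoped(db, tenant_id, term):
    # Every query is constrained to the caller's own tenant.
    cur = db.execute(
        "SELECT body FROM records WHERE tenant_id = ? AND body LIKE ?",
        (tenant_id, f"%{term}%"),
    )
    return [r[0] for r in cur]

def leak_test(db, search, tenants):
    """Return (viewer, canary) pairs where a tenant saw another tenant's canary."""
    leaks = []
    for viewer in tenants:
        visible = search(db, viewer, "")  # broadest query this tenant can issue
        for other in tenants:
            if other != viewer and f"CANARY-{other}" in visible:
                leaks.append((viewer, f"CANARY-{other}"))
    return leaks

if __name__ == "__main__":
    db = make_db()
    tenants = ["acme", "globex"]
    print("buggy :", leak_test(db, search_buggy, tenants))
    print("scoped:", leak_test(db, search_scoped, tenants))
```

Run on a schedule against every query path, a test of this shape turns a silent separation failure into a visible one.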
This was first published in May 2008