This article can also be found in the Premium Editorial Download "Information Security magazine: Seven questions to ask before committing to SaaS."
QUESTION 5: Who manages the application on the back end, and what policies are in place to thwart insider breaches?
As the Salesforce.com breach illustrates, many security issues are tied more to the flaws of human nature than to some technical weakness.
"A lot of SaaS providers offer optional 128-bit encryption on the fly, but this hasn't always been made mandatory," says Jay Elder, managing director of service development for Incentra Solutions, a security services firm in Boulder, Colo. "Users really need to be trained to log in using [the toughest] encryption and to be aware of the social vulnerabilities of giving away their passwords."
The matter of user administration rights once you're inside the application also shouldn't be underestimated. Gregg Bostick, vice president of transportation at Pinnacle Foods, uses the SaaS application LeanLogistics On-Demand TMS to manage transportation arrangements between his team and various shipping partners. Bostick closely controls who has the right to view certain types of data, such as the carrier rate tables or the accounts payable information.
"This is really process-oriented security," Bostick says. "It's only a problem if you allow it to be a problem."
A bigger problem, perhaps, comes in management of an application back at the provider. Forrester's Herbert says it's important to understand who will be able to modify the application, along with the rules and access rights. From the customer standpoint, this should remain under the control of the business' internal IT team, which can interface with the technical contacts at the service provider, she says. There need to be strong measures in place to ensure that account information cannot easily be shared or accessed by personnel at the service provider. The company should also have specific policies related to spoofing of accounts and phishing.
QUESTION 6: What is the backup and recovery plan?
But that was a major consideration for Michael Roseman, vice president of finance and strategy at Astadia, a 155-person management consulting firm that uses several different SaaS applications including Salesforce.com, Workday and Cornerstone on Demand.
"These companies can make much better investments in security than we can," says Roseman. "If we did this on-premise, we would have to provide backup and redundancy. How can my company hope to offer the same levels as these providers?"
Gartner's Pescatore says businesses should also be concerned with the physical location of the hosting facility, requesting an on-site inspection if possible. Geography also matters: If the service provider hosts the data in another country, the business should acquaint itself with privacy and data ownership laws of those jurisdictions. "You have to worry a lot more if something goes wrong," he says. Plus, it may be tougher to enforce service-level agreements.
QUESTION 7: How well does the provider's security policy match my company's (if my company has one)?
"This really saves us a lot of money," says Mike Stump, director of information technology for Roundtable Corp., which owns 46 Dairy Queen franchises that use various SaaS applications to manage their operations. "For us, that is the biggest advantage."
For other companies, it comes down to focus--and scale. Dan Nadir, vice president of product strategy for ScanSafe in San Mateo, Calif., which offers managed services for Web security, says many of his company's customers have few IT staffers to handle issues like security.
"We make their headaches go away. ...We use multiple engineers, which they can't. We've got tons of techniques they can't use. We're able to react. The more users we have, the more traffic, and the better off everyone ends up being."
This was first published in May 2008