
Sunday, May 03, 2009

Is SaaS more secure?

by Michelle Murrain

Peter Campbell and I have had an ongoing conversation/argument about whether or not Software-as-a-Service (hereafter SaaS) is more secure than in-house facilities for a small, IT-resource-poor organization. So we decided to "have it out," so to speak, on the Idealware blog.

First - we are talking here about small or medium-sized nonprofit organizations with no dedicated IT staff. The question is, basically, "is it more secure for such an organization to house its data and services 'in the cloud' instead of in-house?" My answer is "no." Don't get me wrong, I think SaaS is a great thing - my company implements it, and I've been thinking a lot about SaaS built on open source tools. And it's not less secure, at all, either. But it is not a security panacea, and it shouldn't be thought of as one.

Why is this? I want to start by asking "what is security?" and "what are they risking?" Security, in my mind, comes down to: is their data safe from getting into the wrong hands? And the risks are not only stolen data, but also corrupted and lost data.

People who spend a lot of time thinking about security do get lost in the depths of encryption, blocking ports, protection against attacks, virus/worm protection and the like. And it gets easy to imagine that if someone (a SaaS vendor) does security "right" and a nonprofit with little or no access to good IT expertise will inevitably do it "wrong", then SaaS will be more secure for them.

But lack of access to good IT expertise means a few things:
  • Yes, it does mean that their in-house network is likely insecure
  • It also means that they might not know how to understand or choose SaaS products that are known to be stable and secure, with solid business models.
  • It means they likely won't know how to get their data out when they need to, for whatever reason
  • It means there is a lack of understanding of the risks of SaaS, especially in organizations, like human rights or activist organizations, with sensitive data.
  • And the human factor in security doesn't pay attention to where the data lives.
What do I mean by the "human factor"? I mean using "password" as a password. I mean sharing passwords among staff, some of whom eventually leave the organization. I mean not doing backups (yes, backups are important for SaaS, too).

So my opinion is that we can't say definitively which is more "secure," because there are too many factors at play. And the most important thing is education of organizations around security and risk.


2 Comments:

Anonymous Vincent said...

Michelle,

I think the two models have their pros and cons with regard to security. As of right now, I think people perceive on-premise as more secure, only because they feel they are "more" in control. In reality, security can be flawed just as badly. Security is all about implementation. Just because you are running your application behind your own firewall doesn't mean it is safe. Each application, regardless of on-premise or SaaS, will have its own implementation of security. The engineers behind the software will ultimately decide what is safe and what isn't.

Vincent
MHelpdesk, Service Management Software

6:42 AM  
Blogger Waleed Al-Balooshi said...

I believe that a good balance between the two models is necessary even when a non-profit might have an IT staff. Being someone who worked as an IT specialist in a non-profit, I can tell you that we were stretched very thinly trying to administer our local web sites, e-mail servers, mailing lists, networks, databases, reporting systems, servers, backups, archives, in addition to our daily tasks of developing web and Windows applications.

You might argue here that I am talking about non-profits that already have an IT staff that can help in the process of migration from an in-house to SaaS system, but the same is true if not more important for organizations that don't have a dedicated IT staff. I believe that the price of hiring a consulting firm to help get their infrastructure in place is worth every penny.

Let's look at the example of e-mail servers. A properly functioning system that adheres to legal standards requires:

1) Setting up an e-mail server
2) Securing the network and server
3) Formulating a Backup strategy
4) Formulating an Archive strategy
5) Testing your backups once a month to practice your recovery strategy and make sure the backups are not corrupted.
6) etc. etc. etc.

Or the alternative would be to use a SaaS like Gmail and let them worry about data security and legal requirements.

In the case above I know that Gmail can provide a much safer system than an in-house non-profit system with no IT staff.

I am not saying that SaaS is the end-all solution, but in some situations it is more secure than an in-house system.

8:30 AM  
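The monthly restore test in step 5 of the comment above is the part that small organizations most often skip, and it is the step that catches a silently damaged backup. The following is an added example, not code from the post, from either commenter or from Idealware: a Python script that archives a constructed sample directory, records a SHA-256 manifest of every file at backup time, and then verifies the archive by restoring it into a scratch directory and comparing each restored file against the manifest. A truncated archive or a single flipped bit in the stored data fails the check instead of being discovered during a real recovery. The sample file contents, paths and the simulated damage are all constructed for the demonstration.

```python
"""Backup verification by test restore (added example, not from the page).

Builds an uncompressed tar of a constructed sample tree, keeps a SHA-256
manifest apart from the archive, then checks the archive the only reliable
way: restore it somewhere scratch and compare every file's hash.
"""
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed sample data standing in for a small organization's mail store.
SAMPLE_FILES = {
    "mail/inbox.mbox": b"From alice@example.org\nSubject: Board minutes\n\nHello\n",
    "mail/sent.mbox": b"From bob@example.org\nSubject: Re: Board minutes\n\nThanks\n",
    "config/aliases": b"board: alice@example.org, bob@example.org\n",
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def write_sample_tree(root: str) -> None:
    """Materialise SAMPLE_FILES under root (the 'live' data to be backed up)."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)


def make_backup(source_root: str) -> tuple[bytes, dict[str, str]]:
    """Archive source_root; return (archive bytes, manifest of rel path -> sha256).

    The manifest is computed from the live files at backup time and must be
    stored separately from the archive, so it can later judge the archive."""
    manifest: dict[str, str] = {}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for dirpath, dirnames, filenames in os.walk(source_root):
            dirnames.sort()  # deterministic member order
            for name in sorted(filenames):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, source_root).replace(os.sep, "/")
                with open(full, "rb") as f:
                    manifest[rel] = sha256_bytes(f.read())
                tar.add(full, arcname=rel)
    return buf.getvalue(), manifest


def verify_backup(archive: bytes, manifest: dict[str, str]) -> tuple[bool, list[str]]:
    """Test-restore the archive into a scratch directory and compare each file
    against the manifest. Returns (ok, list of problems found)."""
    problems: list[str] = []
    with tempfile.TemporaryDirectory() as restore_root:
        try:
            with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tar:
                try:
                    # 'data' filter refuses absolute paths, '..' and devices.
                    tar.extractall(restore_root, filter="data")
                except TypeError:  # Python before the filter argument existed
                    tar.extractall(restore_root)
        except (tarfile.TarError, OSError, EOFError) as exc:
            # Any failure to read the archive is a failed verification.
            return False, [f"archive unreadable: {exc!r}"]
        for rel, expected in manifest.items():
            path = os.path.join(restore_root, *rel.split("/"))
            if not os.path.isfile(path):
                problems.append(f"missing after restore: {rel}")
                continue
            with open(path, "rb") as f:
                if sha256_bytes(f.read()) != expected:
                    problems.append(f"hash mismatch: {rel}")
    return (not problems), problems


def corrupt_member(archive: bytes, member: str) -> bytes:
    """Simulate media damage: flip one bit inside the stored bytes of `member`.
    In an uncompressed tar the file content is stored verbatim, so it can be
    located directly."""
    idx = archive.index(SAMPLE_FILES[member])
    damaged = bytearray(archive)
    damaged[idx] ^= 0x01
    return bytes(damaged)


def run_demo() -> dict[str, tuple[bool, list[str]]]:
    """Back up the sample tree, then verify a good, a damaged and a truncated copy."""
    with tempfile.TemporaryDirectory() as src:
        write_sample_tree(src)
        archive, manifest = make_backup(src)
    return {
        "good": verify_backup(archive, manifest),
        "damaged": verify_backup(corrupt_member(archive, "mail/inbox.mbox"), manifest),
        "truncated": verify_backup(archive[:100], manifest),
    }


if __name__ == "__main__":
    for label, (ok, problems) in run_demo().items():
        print(f"{label}: {'OK' if ok else 'FAILED'} {problems}")
```

The design choice worth noting is that the manifest is taken from the live files, not from the archive, and is kept apart from it; a check that only re-reads the archive against itself cannot tell a good backup from one that was written wrong in the first place. Run monthly against the real archive, the script answers the question the comment raises: can this backup actually be restored, and is what comes back what was put in?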
