Just about any business function supported by enterprise IT has the potential to be delivered as a service or hosted externally. Software as a service is particularly popular. Our 2011 InformationWeek Analytics SaaS Survey showed a 13-point jump in the percentage of companies using SaaS, up to 60% from 47% in just 11 months. Need a new community outreach application? Build it for the cloud. E-mail maintenance got you down? Ship that app out. Can't get what you want from Amazon, Google, IBM, Microsoft, or Salesforce? Take a look at the hundreds of new SaaS providers, all of which are making grand promises of uptime, scalability, and cost efficiency.
But what about security?
SaaS vendors tend to shy away from that discussion. They disclose very little about their security practices, your rights as a customer, or exactly how your company's data is protected while in their care.
We predict that the growth of SaaS and other cloud services will eventually stall as compliance failures and data compromises are uncovered, at which time cloud providers will be forced to divulge more information. Until then, it's up to you to perform due diligence before allowing sensitive data to reside off site.
What's In A Name? A Lot
When I managed security for a division of Walt Disney, my team evaluated several cloud providers for small community applications--for a contest on ESPN, for instance, or a short-lived Flash game built to promote a show debuting on ABC. These were applications with no sensitive data or even logins. Since Disney is so large, we usually got our security questions answered. We knew we were still taking some risks, since we had no day-to-day insight into the provider's network, virtualization infrastructure, or any internal controls, but we gathered enough facts to make informed decisions. We followed the same process when we launched a Google Apps pilot in some smaller divisions. Again, because it was Disney, Google was willing to share information to get the company signed on as an early adopter.
When you're Disney, life is good. But as I found recently when discussing security with a cloud vendor without disclosing the company I work for now (TiVo), not every customer has that leverage. This time, the rep wouldn't provide security information. He simply recited the marketing line and offered a SAS 70 report for the vendor's data center. This company had taken the stance that providing information on security controls is, in itself, a security vulnerability and said we should just trust it. Once the laughter died down, I asked a serious question: Why should I trust you with my data and the reputation of my company when you won't trust me with documentation or insight?
Unfortunately, for the vast majority of companies, it's difficult to get the formal information we need to make smart decisions about risk. In these cases, we need to take matters into our own hands.
Download the March 2011 issue of InformationWeek