Andrew Buss, originally published on The Register
Throughout a workshop conducted on The Register, we have been looking at the factors that affect the acceptance of SaaS. Ultimately what it boils down to is trust, and when we look at what it is that creates trust, you tell us that the most important factors are:
• A demonstrable track record on privacy and security
• The quality of service and support
Looking at privacy and security, it is clear that for many there is still a long way to go before being convinced of moving applications and data beyond firewalls and into the cloud. From the preliminary results of a survey on SaaS security, most of the respondents are of the opinion, rightly or wrongly, that both SaaS security and privacy are worse than on premise capabilities. In many cases there seems to be a defensive reaction to SaaS data storage, with apples to oranges comparisons that skirt the issue of how to share and collaborate securely and effectively:
“If I have my data stored locally then it can only be stolen / lost through my own incompetence. If it is stored in the Cloud then not only am I risking losing it through my own mistakes but also through those of other people. If files are stored on a device kept in my cupboard then not even the most incompetent network admin on the planet can cause it to get taken.”
Some feel that the SaaS model is still immature and has yet to prove itself worthy, and are waiting for a it all to settle down before moving forwards even if their own infrastructure is far from perfect:
“At least keeping our data in house, the equivalent of a hiding our cash under the bed, means we are in control of it and know how it’s being looked after (even if it’s not that well). I think the cloud-computing industry needs to have successfully survived a few crises before we can categorically say that they’re safe enough to entrust with our company’s most precious assets.”
Arguably, the brouha surrounding Wikileaks is one of these defining events in the control of data in a SaaS provider. Regardless of the rights or wrongs of Wikileaks in leaking confidential information, the fact that application and data hosting services have been terminated without a legal hearing should be of concern for all companies.
“The high-handed treatment of Wikileaks by Amazon highlighted a weakness of cloud services. They should be run on the principles relied upon by telephone companies and ISPs – they are not responsible for content. Amazon’s intervention was little less than political censorship. If every carrier in the Internet had this attitude nothing would get through.”
Few consider that SaaS can offer better security and privacy, although there are certainly those that have done their homework and are using SaaS confidently, or that as a SaaS provider have developed a trusted solution that is widely used:
“We have over 1 million users on a PCI/DSS certified cloud platform based in the UK.”
“If you look at most cloud systems they have all the usual stuff. Data centres, firewalls, physical security etc. There is more investment in on demand flexibility and distributed storage, which makes sense for anyone who wants 100% uptime. You are jumping on the back of someone else’s investment.”
The approach that the following companies have taken is to de-risk SaaS, evaluating it on the level with on-premise solutions or to an even higher standard:
“Yes, risk is an issue, but with the right risk policy and data protection plan you can choose the right provider for your services.”
“Use an appropriate standard that provides a higher level of assurance than your current processes. It is highly unlikely that your current processes will pass PCI/DSS, so if you outsource to someone that passes PCI/DSS you have given the job to some one that has passed a much higher level of vetting than your current operation and is thus lower risk.”
Central to risk management is the question of performance – do you trust the provider to actually do what is agreed, and what actions to take should something go wrong. Judging by the feedback, there is a lot of concern here:
“And if your data is in Timbuktu, what about your outsourced admins? A UK admin might be approached with an offer of £50k for data/secrets the likelihood is that he’ll turn it down and report the incident. Offered £1m you might get a bite. A similar £50k offer to someone who has a fraction of the UK salary and living costs would be just as tempting as a £1m to someone in the UK.”
“Do we have any redress when, as they are certain to at some point, things go wrong? Who has a big enough stick to give them a smack on our behalf, occasionally, when they deserve it – or are cloud providers too big or nebulous to hurt?”
Another risk factor of course is what to do in the case of wanting to move providers or get everything back in house. This is a real worry, and something that should be agreed upfront:
“Exporting the data if I should decide to leave my provider is almost certainly going to be hideously complex and expensive.”
In practice, we know that some SaaS providers have some pretty good capabilities to allow for data movement and exchange. From the comments we’ve had it is important not to make assumptions, but to check it out. Another area to look at is the role of emerging standards to ease the movement of data between applications so that costly integration projects are not necessary when moving to another provider.
We know that service and support are major factors influencing the long term cost of ownership or service delivery. On an enterprise scale this needs to be localised and widespread in order for it to be responsive and relevant.
“A more important issue is can you phone them up if it goes wrong. At the cloud summit someone explained that support from Amazon and Google was non-existent – post in a forum and wait 3 months.”
The opinion expressed above, if encountered in reality, would usually result in a swift termination of service and a move back in-house or to a competitive provider. Support is commonly an Achille’s Heel for many IT solutions, not just SaaS, and the quality and capability will vary dramatically. Look for providers that can offer responsive support with local language skills and responsive support based on agreed SLAs, or engage with partners that can provide these capabilities on the ground.
It’s clear the jury is still out on SaaS applications, with divided opinions and a lot of gut instinct rather than cold light of experience influencing the path taken. The evaluation of risk comes down to knowing what it is that you need or want and how to measure it. This is more easily said than done, and the problem is eloquently summed up:
“If you know what you need, you can find it in the cloud. But in my experience, I have not seen too many companies that know what they need.”
For many companies, this leads to implementing IT by default as the accepted path, but it’s not necessarily the best approach for IT or the business. It boils down to knowing what you need, and then selecting the best solution that fits, be it SaaS or a different on-premise solution.