What are the security and risk issues relating to SaaS?

Arif Mohamed

The business benefits offered by Software-as-a-service (SaaS) include reduced and predictable IT costs, speedy application deployment and greater flexibility in scaling up and down IT usage. But many organisations still have concerns about the risks associated with moving their computing into the Cloud.

Liz Herbert, Forrester Research principal analyst, comments, “As more firms examine SaaS as an option for strategic enterprise-wide deployments, SaaS buyers are weighing the tradeoffs between the appeal of fast deployment, flexibility, upfront cost savings, and reduced dependence on internal IT resources against concerns over risk, security, and total cost of ownership.”

The analyst firm recently carried out in-depth research amongst SaaS adopters, and found that their initial range of concerns spanned physical and data security, data privacy, business continuity, uptime and performance.

The security of the Cloud is a key issue for most organisations that are used to controlling their own IT estates. But Herbert says, “The majority of the customers we interviewed revealed that their SaaS vendors were doing more to secure their data than their own IT departments could do. One reference said, ‘Our greatest fear became our biggest confidence.’”

She adds that disaster recovery was particularly troubling for many of the users Forrester spoke to, especially regarding SaaS vendors with data centres located in earthquake-prone zones. “Companies also expressed concerns about security and information privacy,” she says.

Uptime and performance are also areas that SaaS adopters needed to be convinced about, according to Herbert. “SaaS buyers were concerned about application availability and performance. Beyond uptime, some SaaS buyers were worried that their users would find Web-based solutions sluggish. One client, which operated call centres and tracked a lot of invoices, had concerns that SaaS would struggle in its high-transaction environment.”

However, the report found that SaaS service providers have concentrated their efforts on strengthening application security, uptime and reliability, among other things.

For example, Google now uses two-step verification for signing on securely to Google Apps, which requires users to input their password and a code sent to their mobile device. In 2010, Gmail was available 99.984 percent of the time, for both business and consumer users. This figure translates to a total of seven minutes of downtime per month over the last year.

Google says that seven minutes of downtime compares very favourably with on-premises email, which is subject to much higher rates of interruption that affect employee productivity.

Krishnan Subramanian, an independent cloud computing research analyst, says one of the concerns cited by people who believe in traditional ways of computing is the issue of service availability in the public Cloud.

“They associate availability with the presence of the software inside their organisational boundaries. If we talk to enterprise users who use email systems hosted on-premise, we can hear horror stories of how their email was not available at some crucial juncture.”

But he adds, “Downtime is a reality for any service that is available over a network irrespective of whether it is hosted on premise or on the public Cloud. We should only worry about reducing the downtime to the minimum.”

Subramanian says that over the years, public Cloud providers have improved their uptime so much that their downtime is significantly lower than that of almost all the organisations that use on-premise email.

“According to [analyst firm] Radicati Group, on-premise email had on average 3.8 hours of downtime per month, making Gmail 32 times more reliable than the average email system and 46 times more than Microsoft Exchange on-premise. It is not just Google but there are other SaaS providers who are confident about their availability too,” he adds.