Cloud, Security

Get ready for some SaaS about your security

9 Nov, 2007

I put my first blog post up on the NetworkWorld Microsoft Subnet blog today. It’s a "guest post" as my blog account isn’t quite finished setting up (I had to get some information to them to complete the setup process). It’s about Microsoft’s conspicuous absence from the SaaS infrastructure and applications market.

SaaS you say? Where did that topic come from? I’ve been at the Software & Information Industry Association (SIIA) On Demand conference the past two days. On Demand is the new buzzword for Software as a Service, or SaaS. In the security space, Qualys is one of the few product companies using the SaaS business model. SaaS presents some interesting challenges and opportunities from a security perspective. My advice: get ready for it now, because the business is going to want it, if it doesn’t already have it.

On the one hand, a SaaS vendor is in effect another operations center: applications, infrastructure (network and software) and an organization that may or may not be up to snuff with your security standards, plan and architecture. SaaS is often purchased directly by senior business executives and business units, and IT may not be included in the buying or review process at all.

What amazed me at the conference is how narrow or specialized On Demand applications can be: a tax application for your finance department, pricing for heavy equipment that a purchasing department might use, or an information database that helps assess insurance risk for employee health care costs. A business department can sign up for an On Demand application with very few internal approvals, perhaps only sign-off within that business unit. You may, and likely will, get SaaS applications in your organization without a word being whispered to anyone in IT.

On the other hand, SaaS vendors who have a good security plan, undergo regular audits, and have already been through PCI, SAS 70 or other third-party security reviews relieve some of the headaches internal security teams would otherwise have to deal with. (Read the scope of those reports rather than treating them as a pass/fail badge; a SAS 70 report, for example, describes controls the vendor itself defined.) There is probably enough work at the home office already, and an On Demand vendor who takes security seriously can make a very good partner. Web services and data exchange security, data encryption and the like still need to be reviewed against best practices, but a good partner makes this easier because other customers ahead of you have already asked for and required the same kinds of controls.

So if you are a security practitioner, start thinking about how you can help the business make the best use of On Demand applications and services, and incorporate these new types of IT systems into your security planning and architecture. You will encounter On Demand partners who are very secure and others that aren’t. In either case, don’t be a roadblock; take a helpful approach to the business.

SaaS On Demand isn’t likely to replace all your IT systems, but it’s very likely you’ll be seeing it as part of them. Best to plan for it now so you can support it, instead of being viewed by business leaders as a roadblock after the fact.