Reputation and Trust

H.B. Fuller’s John has a unique connection to Workday: his father Darwin John, now retired, was also a CIO at several organizations, including Scott Paper, The Mormon Church, and the Federal Bureau of Investigation. John’s father personally knows Workday founder and co-CEO Dave Duffield, as some of those organizations were customers of Duffield’s previous company, PeopleSoft. Although those PeopleSoft engagements had their ups and downs, a bond of trust was developed between the two executives, John says.

As a result, John cites a level of “generational trust” with Workday, but that doesn’t eliminate the need for a good contract. Any level of dependence on a vendor involves some faith and trust, John notes, while adding, “you can’t have trust without verification.” That gets back to conducting due diligence, and understanding, in writing, all the terms of the relationship.

There’s also something to be said for a SaaS provider that has large companies on its customer list, meaning it’s been examined inside and out by those large companies’ likely substantial IT security teams.

The Schumacher Group’s Menefee notes his SaaS vendors, including Workday and Salesforce.com, have client rosters that include Fortune 500 companies “with dedicated departments whose sole purpose is to focus on security and privacy.” A data breach would create a public relations disaster for a large company, so those companies and their providers have a strong incentive to ensure adequate security and disaster recovery processes. Best of all, if the provider’s SaaS architecture is multitenant, its standard security policies and procedures are the same across its customer base. The way Menefee sees it, as a midsize company, he’s receiving the same security assurances from Workday as large company customers.

Experience matters, too. Menefee points to Salesforce.com, which has been serving up SaaS for more than 10 years to companies in all industries, including those in very data-sensitive industries such as financial services. “Other software services have learned a lot from how Salesforce does things,” Menefee says.

Additionally, providers that have built their business around SaaS are most likely going to be extreme about security—even more so than most of their customers’ IT departments.

“I don’t have a ‘paying’ customer. I have internal customers, and they’re not focused on how I document my security processes,” notes H.B. Fuller’s John. “If I were selling a software service, and part of the sales process was providing documentation on security and processes, I’d be certain that it’s there and that it’s enforced.”

But while the industry thus far has a near-flawless record on security, planning for a worst-case scenario is still as much of a requirement as it is for on-premise datacenters.

So what if a data breach did happen? John refers to a term used in hiking, “self arrest,” meaning the ability of a hiker to stop a fall down a treacherous slope when he hits a patch of loose footing. “If there is a security breach, there must be processes in place for a successful self-arrest,” John says. That means knowing, ahead of time, what data would be exposed and how your company would recover it in the case of a data breach—whether the breach occurs in onsite or offsite systems.

Because, once again, whether the systems are onsite or offsite is irrelevant. It’s how those systems are protected and managed, and how, in the case of something gone awry, data is recovered and restored. To the question of whether SaaS is less secure than onsite systems, the answer isn’t yes or no. It depends on the supplier, the infrastructure, the relationship, and the processes. Examine those in great detail, and you’ll find the answer.

Mary Hayes Weier is an award-winning journalist, writer, and editor with more than 20 years' experience covering business and technology. In recent years Mary's reporting and research have focused on the software industry, software-as-a-service, and cloud computing. You can write to her at mary.hayes@workday.com.
