Due diligence isn’t complete without a solid understanding of the SaaS provider’s data centers, the technology infrastructure it uses, its methods for backup and recovery, and more.
Physical security of data centers must be rock solid. Workday, for example, has surveillance cameras constantly monitoring inside and outside its multiple data centers. Access is restricted to approved individuals, and requires both biometric and badge identification. Servers are located in private, secured areas within the data centers.
In the area of backup and recovery, all of Workday's servers are diskless and system monitoring is constant. Encrypted backup files are replicated to storage devices in a backup data center. Replication alone is not recovery, though: ask how often restores are actually rehearsed and what recovery time and recovery point objectives the provider commits to.
And then there’s the database that’s going to hold your data. The Workday Object Management Server (OMS) uses an in-memory object model, which is defined by metadata. Unlike a traditional database, which might store thousands of tables containing personal data, the Workday OMS interprets the metadata and builds the in-memory object model during runtime. That means the Workday OMS only has to store a handful of tables containing the attribute values and object references that make data meaningful while the application is in use.
What’s more, those attributes and object references are stored encrypted, so they can only be read by a process that holds the decryption key, which in normal operation is the OMS itself. Encryption at rest, combined with the absence of a conventional schema that keeps readable tables on disk at all times, is what sets Workday’s storage approach apart. Someone who obtained a copy of the stored tables or a backup file without the key would find the data virtually incomprehensible. The caveat a practitioner should keep in mind is that the key, not the unusual data layout, is the control: anyone or anything holding it can decrypt everything, so due diligence should cover how keys are generated, stored, rotated and accessed, and who on the provider’s side can reach them.
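To make the two paragraphs above concrete, here is an added example in Go. It is my own code, not Workday's (the OMS internals are not public), and every object name, attribute name and value in it is constructed for the example. It shows a metadata-defined attribute store in which each value and object reference is kept only as AES-GCM ciphertext bound to its own row, the in-memory object is rebuilt from the metadata at runtime, and a dump of the stored table (what a backup contains) is meaningless without the key. It also shows the caveat the marketing copy leaves out: whoever holds the key reads everything, so key custody is the real question to put to the provider.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// AttrDef is one line of metadata. The object model is defined by these entries and
// rebuilt in memory at runtime; the stored rows never carry the model itself.
// Object and attribute names are hypothetical, constructed for this example.
type AttrDef struct {
	ID     int
	Object string
	Name   string
}

var metadata = []AttrDef{{1, "Worker", "legalName"}, {2, "Worker", "homeAddress"}, {3, "Worker", "manager"}}

// Row is the only persistent form of the data: ids, nonce and AES-GCM ciphertext.
type Row struct {
	ObjectID string
	AttrID   int
	Nonce    []byte
	Cipher   []byte
}

// Store holds the rows and the AEAD built from the key. In production the key lives
// in a KMS or HSM, not beside the data; whoever holds it can read everything.
type Store struct {
	aead cipher.AEAD
	Rows []Row
}

func NewStore(key []byte) (*Store, error) { // key must be 16, 24 or 32 bytes
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Store{aead: aead}, err
}

// aad binds each ciphertext to its row, so a value copied to another object or
// attribute (say, by editing a stolen backup) fails authentication when read.
func aad(objectID string, attrID int) []byte { return []byte(fmt.Sprintf("%s|%d", objectID, attrID)) }

func (s *Store) Put(objectID string, attrID int, value string) error {
	nonce := make([]byte, s.aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error on supported platforms
	ct := s.aead.Seal(nil, nonce, []byte(value), aad(objectID, attrID))
	s.Rows = append(s.Rows, Row{objectID, attrID, nonce, ct})
	return nil
}

func (s *Store) Get(objectID string, attrID int) (string, error) {
	for _, r := range s.Rows {
		if r.ObjectID != objectID || r.AttrID != attrID {
			continue
		}
		pt, err := s.aead.Open(nil, r.Nonce, r.Cipher, aad(objectID, attrID))
		if err != nil {
			return "", fmt.Errorf("%s/%d: wrong key or tampered row", objectID, attrID)
		}
		return string(pt), nil
	}
	return "", fmt.Errorf("%s/%d: no such attribute", objectID, attrID)
}

// Dump is what a backup file or a raw read of the stored table exposes: ids plus
// hex ciphertext, nothing a reader without the key can interpret.
func (s *Store) Dump() []string {
	out := make([]string, 0, len(s.Rows))
	for _, r := range s.Rows {
		out = append(out, fmt.Sprintf("%s,%d,%s,%s", r.ObjectID, r.AttrID,
			hex.EncodeToString(r.Nonce), hex.EncodeToString(r.Cipher)))
	}
	return out
}

// Materialize rebuilds one Worker object in memory from metadata plus decrypted
// rows, the runtime step a diskless OMS-style server performs on load.
func (s *Store) Materialize(objectID string) (map[string]string, error) {
	obj := map[string]string{}
	for _, a := range metadata {
		v, err := s.Get(objectID, a.ID)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", a.Name, err)
		}
		obj[a.Name] = v
	}
	return obj, nil
}

func main() {
	key := make([]byte, 32) // demo only; a production key comes from a KMS or HSM
	rand.Read(key)
	s, _ := NewStore(key)
	for id, v := range map[int]string{1: "Ada Lovelace", 2: "12 Example Street", 3: "W-0007"} {
		_ = s.Put("W-1001", id, v)
	}
	fmt.Println(s.Dump())
	obj, err := s.Materialize("W-1001")
	fmt.Println(obj, err)
}
```

Two things are worth noticing when running it. The dump contains object ids and attribute ids in the clear, which is unavoidable for lookups but still reveals structure, so a provider's claim that a backup is "incomprehensible" should be read as applying to values and references, not to the existence of records. And a second Store built with a different key over the same rows fails every read, while a row whose object id has been edited in the dump is rejected by the authenticated additional data, which is the property that makes encrypted storage more than obfuscation.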
The encrypted database approach sat particularly well with Workday customer McKee Foods, a $1 billion-a-year snack foods company. “We came away with the realization that Workday can host the data in a more secure way than we can internally, primarily because their data structure is encrypted,” says Floyd Walterhouse, McKee’s group manager of information systems.
Also, a Workday customer with the appropriate access privileges can view logs of every sign-on to the system, including failed password attempts, password resets and incorrect user names entered at sign-on, as well as an audit trail of changes made within the system.
A SaaS relationship is, at its core, an outsourcing relationship, notes John, and the SaaS provider might in turn outsource some of the work to lower-cost regions. Ask providers whether they do, which functions and data are involved, and demand evidence that the subcontractor is held to the same security controls and audits as the provider itself.
Finally, remember that verbal claims hold little weight. “Be skeptical of vendor claims, and demand written or in-person evidence,” Gartner’s Heiser writes in his report, Analyzing the Risk Dimensions of Cloud and SaaS Computing.