By Mary Hayes Weier

SaaS adoption is clearly accelerating. Forrester Research, in a recent survey of 1,007 enterprise software decision makers, found that more than 40% were using or planning to use SaaS, and 30% were interested in it. But nearly one in four respondents had no plans or weren’t sure. “Security concerns” was the No. 1 reason cited by those respondents.

But is that a valid concern? Is on-premise software materially safer than SaaS?

The right answer is, it depends.

That’s because not all SaaS is alike. And for enterprises that haven’t yet established best practices for SaaS security audits, it’s hard to tell “fake” SaaS from “real” SaaS that’s genuinely secure. While there’s a growing queue of software suppliers claiming to offer SaaS or cloud computing, how and what a provider offers may differ dramatically. A provider’s technology infrastructure, processes, experience, and reputation are all key criteria for determining whether a specific SaaS application is at least as secure as an onsite application.

But where to start? That’s where the most experienced people in this area—the CIOs who’ve been using SaaS within their organizations for years—can provide guidance. Their first-step advice: It’s all about due diligence.

Be Diligent About Diligence

Experienced CIOs agree that all organizations must take the time for due diligence before signing a SaaS contract. The ability to turn on SaaS much faster than an on-premise implementation isn’t a license to cut corners.

“I want to see their methodology, and their policies and procedures,” says Steven John, CIO of H.B. Fuller, a $1.3 billion-a-year adhesives manufacturer. His company’s SaaS applications include Workday HCM, Salesforce.com, Force.com, Concur, and very soon, Microsoft Business Productivity Online Suite. Also, examine the supplier’s certifications—SAS 70 certification has become the minimum expectation for a SaaS provider—and review its architecture for disaster recovery and security, John advises.

Take a good look at the provider’s change-management processes too, John says. When it updates software, what processes has it put in place to avoid unauthorized access to data during testing or the actual update? At Workday, for example, the Quality Assurance team tests on test data, not customer data, prior to patches or any other changes.

Gartner Research analyst Jay Heiser, in a March 2010 report, recommends that companies develop a risk analysis process for every SaaS application under consideration. That includes analyzing the technical and process dimensions of an implementation, “not by trying to second-guess what underlies some particular service that is being identified as ‘cloud computing.’” The onus is on vendors, Heiser says, to provide detailed and defensible evidence that everything—from operational procedures to design to build—will protect client data and processes.

It’s also wise to know where a provider’s data centers are located, H.B. Fuller’s John says. China, for example, is a popular destination for building data centers. It’s also a hotbed for hackers. That doesn’t mean a SaaS provider’s China site is a problem, but the provider should provide ample evidence that its site is secure.
