How Safe Is Your SaaS Implementation From A Data Loss?

Is your sensitive data at risk with your cloud SaaS vendor?


Even with the growth in adoption of cloud-based software-as-a-service (SaaS), concerns about data security have remained. While breaches have been infrequent at SaaS vendors, questions persist about whether they are secure enough. One SaaS vendor told this author that 'potential customers just assume that we are not secure. They ask us to prove that we are more secure than their closet.' Nevertheless, this SaaS vendor admits there are certain verticals that, due to a lack of ability to control access, will not let their customer data or PII be managed in cloud data centers. Is this all much ado about nothing?

CIOs say, 'No.'

Should we just assume that SaaS applications are safe? The responsibility for answering this question falls on the shoulders of CIOs, especially as they become more an orchestrator of business services than a builder of operational services, and as cloud brings vendor management to the forefront of their agenda.

Now it is true that SaaS and other cloud vendors have put investment into data security. When I personally ran a SaaS vendor in the early 2000s, we focused early upon data encryption and SAS 70 class audits. But even with this investment, do SaaS vendors necessarily have it right, and do they have a target on their backs for hackers? Should CIOs worry about data protection in the cloud?

When I asked CIOs what they thought and if they truly worry about SaaS data security, they universally said yes. One pointed out that as anyone can make a SaaS application, you have to know what's behind the scenes. For this reason, adopting the motto 'trust, but verify' is imperative. One CIO bluntly said, 'If you don't worry about it, you won't be CIO much longer.' Another CIO added, 'This is critical to one’s organization and one’s personal survival.' It was suggested as well that the business owner requesting a cloud service or capability is culpable too, and that there should be shared responsibility for the convenience of SaaS. For CIOs and business owners, one CIO said, 'Memories may be short, but forgiveness isn't plentiful. Ignorance is no defense.'

CIOs in general said that it is important to collaborate and communicate with each SaaS partner on data security. As well, they said that SaaS models should be evaluated by Security Control Assessment (SCA) and Security Test and Evaluation (ST&E).

Could your organization do more?

While ensuring that the right processes and procedures are in place at your selected SaaS vendor makes great sense, can you do more to proactively secure the data within them? The answer is yes, you can actually manage the data that is input, used, and output from SaaS applications—the complete information flow between your datacenter and the cloud. In this mode, you have a cloud gateway behind your firewall that allows you to manage data and access to it within each SaaS application. This step takes a significant bite out of the risk of your data being exposed and eliminates the threat coming from a hack of a SaaS vendor. This allows you to securely take advantage of all that SaaS vendors have to offer, whether it be for bursting or replacement of current data center capabilities.

Imagine having a SaaS implementation where you control what happens to your data and, more importantly, who can access it. By establishing this capability, it would finally be possible to confidently take the step of moving from on premise to SaaS, a move proven to eliminate the IT operational cost of internal hosting and to free up investment to respond to increasingly prevalent digital disruptors.

Parting Remarks

CIOs are clear that they perceive risk in having data in SaaS applications. Hence, protection has come from selecting the right SaaS vendor and ensuring that they do the right things. Now you can actually do more. You can protect the data itself within the SaaS application before it goes in and as it comes out. To learn more about how this works, please read the two articles below. Data clearly should not limit you in your selection of SaaS vendors.

Learn more about controlling your data in the cloud

Managing Data and Risk - What is the Right Balance for the Cloud?

The Secrets of Cloud Data Security

Twitter: @MylesSuer
