Safety in the cloud

It’s a common scenario right now, played out in executive suites across the country. A company is looking to cut back on expenses and overhead. IT, with its myriad projects, expensive equipment and maintenance costs, is targeted for budget cuts. As CIOs and IT Directors search for an alternative to layoffs, Software-as-a-Service (SaaS) solutions are frequently emerging as a cost-effective way to reduce overhead without the trauma of slashing projects or staff.

SaaS providers typically offer subscription options for different software products, which are hosted on the providers’ servers. While allowing companies to reduce their spending on developing in-house solutions and maintaining the hardware to host such solutions (particularly for large companies), SaaS services are also delivered in a way that allows for frequent updates that are effortless on the part of the user. In this way, companies are able to outsource much of their peripheral work, and reduce the costs associated with this work, in order to concentrate on development of their product and their business needs. This might seem like a no-brainer at first – but take a minute to approach it from a CIO’s perspective. Much of the data that these services store or manage is of a sensitive nature: billing and receipts, customer feedback, proprietary code, sensitive email and documents, etc. It’s not unexpected for security concerns to be a primary issue holding back widespread adoption of SaaS services.

As the CEO of a company that develops SaaS project management tools, aimed specifically at software developers, this is an issue that I’ve encountered on many occasions. Furthermore, this is something that I deal with myself, not only in ensuring that the services we provide our customers and users are secure and reliable, but also in protecting our own data against system failures and outages, security threats and software malfunctions. As a SaaS provider with customers to service and a reputation to protect, ensuring the integrity of our products is of utmost concern, and the same holds true for most companies in the business of providing a service. A hosted solution will have more checks and balances in place in order to avoid any situation or, if it is unavoidable, deal with it quickly.

That being said, although reliable SaaS providers are outfitted with a variety of security measures such as failure protection systems and backup servers, ultimately it is up to the CIO to do his or her due diligence, both in selecting a SaaS provider and in being an active participant in maintaining operations and security within their own company.

What’s out there?
These days, there are many Software-as-a-Service providers in operation, both large-scale operations and smaller, more nimble outfits. As a business model in tough economic times, SaaS offers a cost-effective alternative to homegrown and user-maintained software. Additionally, in most cases, SaaS applications are business and project management tools of some sort, which aim to streamline business functions. As the SaaS business model becomes more popular, software companies from Oracle to Microsoft are joining the party, along with more established and niche players such as Netsuite, Salesforce, and Elementool, among others.

Since many of the smaller newcomers have limited budgets, in order to offer hosted services they use shared servers or servers that are hosted by small operations in different locations across the globe. Shared hosting means that the SaaS system is located on a server that is being used by other, often undisclosed, companies. In these instances, the security of the SaaS system is questionable at best, and the possibility exists that an application run by another company sharing the server can cause the entire operation to crash. On the other hand, larger or more entrenched operations will have dedicated servers that are reserved for the use of the provider exclusively. In situations where there is a dedicated server, the SaaS provider will usually have many different standard security and IP protection measures in place, such as firewalls, antivirus software, and oftentimes a failure protection system and backup as well.

Choosing a SaaS provider
CIOs or decision makers should be actively involved in the process when evaluating SaaS or cloud computing providers. The following questions are a good guide to what to ask potential vendors in order to ensure the safety of data in the cloud:

1. Does the SaaS provider have direct control over their servers, and can they respond quickly to any security breaches or system failures?
While no company representative in their right mind would respond to the second part of that question with the answer NO, it’s often a simple matter to ask a few probing questions in order to determine a provider’s flexibility and access to security measures such as backup servers, and other fail-safes.

2. Will the SaaS provider offer up testimonials from existing clients for reference?
As it is with choosing any type of service provider, existing users of the company’s SaaS tools should be able to offer a clear picture of how reliable the provider is and how secure they feel entrusting their business operations, or pieces of them, to the provider’s systems.

3. How quickly can you and your IT staff become familiar with the services in question and how they operate?
This one is a question that implies a bit more than the standard “is it user friendly?” For the software developer or IT worker who is using the tool, familiarity means the ability to see where possible security threats may occur and then proceed accordingly. Additionally, becoming familiar with the protection measures built into the software, such as password protection and session management, allows users to take full advantage of them from the start. For companies planning on using SaaS applications for particularly sensitive data, this deceptively simple question carries extra weight.

4. Can your company consolidate its SaaS services and needs under the umbrella of one provider?
As more and more companies are jumping into the cloud, software companies that used to offer their products for purchase and installation are moving to web-based business models. As more services become available, companies will find that they have a need for more than one hosted application – a time tracker, email and a help desk application, for example. Common sense tells you that the more your data is spread around, the more susceptible it is to a threat. Finding one SaaS provider who offers a range of business tools not only minimizes the hassle of integrating multiple tools from several vendors, but also reduces the vulnerability of your data.

5. Does the SaaS provider offer an option to download your company’s database(s) for self backup?
Providers that offer this option understand that despite backup servers, multiple fail-safes and other protection, nothing is ever 100% guaranteed. Self backup lets the user download their database so that it can be backed up on their company’s system. In the event that the SaaS system becomes unavailable one day, for whatever reason, the information isn’t lost.

Maintaining data safety
The marketplace has been assessed and you’ve chosen a vendor based, among other things, on your faith in their security measures. Once your IT team has begun using the SaaS applications in their daily roles, there are still measures and precautions that can be taken to ensure a safer work environment when using SaaS applications. Most web-based services offer strong password protection features. Don’t take these safeguards lightly, and don’t share passwords. Have all users change their passwords on a regular basis, such as every 2-3 months. Lastly, obvious passwords such as names and birthdays may be easy to remember, but they’re also easy for others to guess, so avoid using these for sensitive data and accounts.

While the initial idea of hosting your data elsewhere may be tough to come to terms with, in the end, the savings in time and money offered by Software-as-a-Service applications more than make up for the effort expended to ensure the safety of your data.