Thursday, June 07, 2007

Security continues to be a key challenge for SaaS vendors

Jon Oltsik of CNet Blogs had an insightful post titled - Software as a Service needs a strong foundation of security. And I could not agree more. This is a key theme that is brought up in our discussions with ISVs and end customers.

Jon mentions three key points and I quote:

  1. "SaaS vendors must become security beacons to succeed. These demands go beyond information and physical security; service providers will have to be familiar with their customers' business processes in order to understand where their services are most vulnerable. In my mind, "business process security" is the new frontier and SaaS vendors must blaze the trail.
  2. Data privacy is tantamount. Strong authentication, proactive auditing, and encryption must be a part of the SaaS design in order to restrict access to private and confidential data. The SaaS providers must assume liability for the cost and damages associated with any data breaches.
  3. SaaS vendors find security partners from the get-go. Managed service providers like IBM, VeriSign, and Symantec have a huge opportunity to be the Good Housekeeping seal of approval on SaaS offerings. As part of these big deals, SaaS vendors must transfer risk to security experts, use these partnerships for marketing advantage, and maintain their focus on solving business problems."

In addition, I would add the following:
  • It is not sufficient for the SaaS vendor to take a 'trust me' approach - they must be able to show the mechanisms and technologies they have put in place to ensure data security and privacy. For example, with Oracle Data Vault a SaaS vendor can ensure that the DBA will not be able to see the data and only manage and administer the database. This becomes even more important when the SaaS vendor relies on a 3rd-party managed hosting provider. The more the number of people one must trust, the less trustworthy the system is likely to be without using specific tools or methodologies.
  • User de-provisioning is very important. The truth is that the majority of data breaches take place by insiders or ex-employees. It is therefore important that the SaaS vendor be able to quickly disable (or de-provision) the user accounts when an employee leaves the company. This can be done in at least two different ways. First, the SaaS vendor can choose to use federation and rely on the customer to authenticate the user. Since each user is now authenticated for only a single session and the SaaS vendor does not have to explicitly disable access. The other approach is to put in place an Identity Provisioning system (such as Oracle Identity Manager) that allows SPML based provisioning of remote systems.
  • Think about auditing requirements upfront: It is important to be able to document the processes used for security and identity management for various compliance requirements. A system that allows you to explicitly model the business processes associated with security tasks such as user provisioning can help meet these requirements. Implicit processes cannot be seen or audited. BPEL is emerging as a standard language for modeling business processes.

It can cost a lot of time and money to bolt on security as an after thought to your SaaS solution. Customers have repeatedly mentioned security as one of the key hurdles to adoption of SaaS. A SaaS platform that is designed for secure computing, such as Oracle, can help save on costs and provide your customers with the confidence that Jon talks about.

What are the security challenges you face as an ISV? If you are a user of SaaS, what concerns do you have?

(This blog post is cross posted from The SaaS Plug-In Report on Oracle Blogs).

No comments: