Middle East Blogger

Are Software as a Service (SaaS) Solutions Secure?




Welcome to my blog.
This is my forum to share experiences, lessons and learning about business software systems, including Customer Relationship Management (CRM) Software, Marketing & Lead Management Systems, Enterprise Resource Planning (ERP) Systems - as they relate to Middle East users and companies.









Understanding Software as a Service Security

Security Remains an Initial Concern to SaaS Adoption

One of the initial questions business executives and IT buyers ask when considering Software-as-a-Service (SaaS) business solutions is, "Is it secure?"

This question comes from multiple perspectives. Business and IT buyers want to ensure that the confidentiality of their company data is protected at all times. They also want to be certain they can regain control of their data if they become dissatisfied with their SaaS solution, or if their SaaS supplier ceases operations or otherwise interrupts its services.

While these concerns are understandable, the business reality is that companies have been entrusting their corporate data to third-party service providers for decades, whether for online banking, payroll processing or commerce transactions. Many companies have even outsourced their entire data centers to third parties in order to cut costs, improve services and better focus on their core competencies.

Just as these decades-old services have proven to be secure over the years, the rapidly growing assortment of SaaS providers has not shown a worse security record than the traditional data centers and legacy software installations that security compromises continue to plague. A buyer should still ask each prospective supplier how it handles incident disclosure, since the absence of publicized incidents is not proof of their absence.

The fact is that SaaS providers that want to succeed and survive in an increasingly competitive technology market have to implement stringent security measures in order to safeguard customer data, and author SaaS contracts that make it absolutely clear that customers own their data and can retrieve their information on-demand.

In almost all cases, the SaaS suppliers are making far greater investments in information security technologies, staffing and certifications than most businesses can or choose to afford themselves.

They have implemented layered security infrastructures, benchmarked their information security preparedness against best-in-class enterprises and subjected themselves to independent vulnerability assessments and penetration tests. They have instituted process management controls so that security policy is enforced consistently rather than left to individual discretion.

These physical and information security measures far exceed what most small and midsized enterprises (SMEs) can implement and maintain. They also go beyond the safeguards of many large-scale enterprises by providing integrated audit logging and independent third-party audit attestations. The hosting provider also delivers built-in disaster recovery and business continuity benefits.

As a result, the adoption of SaaS business systems reduces much of the security risk associated with lost laptops, inadequate activity logs and other weaknesses that have been commonplace in traditional corporate environments. It does not remove that risk entirely: data exported to spreadsheets, cached in browsers or synchronized to mobile devices is once again the customer's responsibility to protect.

Even from a cloud-based architecture perspective, the multi-tenant architecture that underlies many of the leading SaaS offerings such as Salesforce.com, Oracle On Demand and SAP's Business ByDesign results in every customer getting the same level of security as those with the highest security standards, because all tenants share one hardened platform. The corollary is that tenant isolation becomes a single critical control, so buyers should ask how the provider separates one customer's data and sessions from another's.

In contrast, legacy enterprise software applications were built to reside behind a firewall with limited access by end-users or authorized third parties. This has resulted in traditional, on-premise software becoming less useful not only for a mobile workforce, but also for geographically dispersed customers and business partners. Despite these traditional security safeguards, corporate data continues to be vulnerable to internal and external threats.

The success of online banking, commerce and payroll services clearly shows that online solutions can be safe and secure. So, while business and IT decision-makers must vet the information security posture of any SaaS supplier, it is thereafter time to put aside their fundamental and unfounded opposition to letting their data move beyond their firewall.

But Ask These Questions

Still, organizations should not entrust their data to any SaaS vendor without carefully examining the vendor's information security capabilities.

Because the range of SaaS solutions is becoming as broad as the overall enterprise software industry, the spectrum of security capabilities and policies among the SaaS vendors varies widely.

Therefore, ask prospective SaaS vendors questions such as the following:

  • What user access controls (including strong authentication and role-based permissions), back-up and recovery measures, and security vulnerability tests do they have in place, and how often are the tests repeated?
  • Can they provide a Statement on Auditing Standards (SAS) No. 70 Type II report covering the operational controls relevant to their service? Note that SAS 70 is an auditor's report rather than a certification, and it has since been superseded by the SSAE 16 / SOC 1 and SOC 2 reports; ask for the current equivalent.
  • Do they hold a globally recognized information security certification, such as ISO 27001, with annual surveillance audits by an accredited body?
  • What methods are in place to permit customers to retrieve a complete copy of their data on demand, in what format, and what happens to the data after the contract ends?

Finally, ask for a copy of the Service Level Agreement (SLA) and confirm that it stipulates these protections, sets out the supplier's obligations to notify customers of security incidents, and provides financial penalties for non-conformance.

