Thoughts on what businesses actually need from the Cloud, not what vendors wish they needed.

Chris Bliss


Cloud Security and SaaS Safety: 5 Things You Should Consider When Migrating To The Cloud

Who's got your back? This guy?

Probably the biggest question for businesses looking to migrate to the cloud is security. Maybe you’ve had a CRM provider run you through a demo and you’re thrilled with what’s being offered. But the one hiccup that crosses your mind is the idea that someone could steal five years of contacts, knowledge base and financial information from a remote location and you would be left hung out to dry.

Cloud computing means trusting your most important data to an external service partner. When done right, this makes so much more sense than trusting your intern, your own computer’s hardware, and anyone who could have access to your office. But Cloud computing falls apart if the security question cannot be properly answered. Here are some things to consider when evaluating a SaaS provider:

  1. SSL security should only be the beginning – this should be a no-brainer, but I’m amazed at how many SaaS providers stop the effort at just having entry-level SSL as their main security measure. Certain SaaS apps send reminders or external messages to contacts with full URLs of where data is (not the access itself, mind you, but plenty of breadcrumbs). And while we’re all fond of IE6, the boldest and smartest SaaS providers require mandatory use of more modern browsers that are light years ahead in terms of security – this alone abates probably 80% of security issues.
  2. Identity management and social engineering deterrents are crucial – You can have all the most powerful security measures in the world, but it doesn’t mean squat if your SaaS provider isn’t wise to social engineering techniques. Identity theft is so easy now, the last thing you need is a dupe for a partner who will fall for the “forgot your password” trick. Many SaaS vendors want the experience to be as easy as possible – but password recovery is an area that many make too easy. Is betting the whole company’s critical data security on “What’s your mom’s maiden name” really a good idea? If you have to ask…
  3. Fine-grained access because interns are not CEOs – Role-based accounts are the status quo, but SaaS providers who go the extra yard with reminders, warnings and clearly delineated explanations of what access levels provide are sadly very rare. What you should expect and demand is a clearly laid out structure of how roles work in the application. This can be a serious burn two months in when you realize that you can’t limit the write access of an important contact or project.
  4. A clear partner access policy means you know who knows – Partnerships are about trust. By paying for a SaaS service, you recognize that your data is in the hands of another team. The transparency of that relationship, and how well that is communicated to you is likely a good indication of how serious and mature they are about handling your data. Does your SaaS provider clearly state who has access to your account’s information? At what level? Is there an SLA in place that deals with accountability should there be a situation where someone in their company makes a mistake, or worse, deliberately gains access to your data?
  5. If and when it hits the fan, are they there to sort it out? – This is probably the single most important and least discussed area of security. Breaches happen, things go wrong, we’re all human – that’s a problem that no one can avoid all the time. What’s most important is how your partner reacts – do you have a clear line of communication? Can you reach them whenever there’s an emergency? Are they quick to update you on issues, and are they transparent about what’s happening? The best SaaS providers anticipate problems and have not only safeguards but serious protocols in place to recover as quickly as possible, and ultimately to grow and make a better service.

SaaS and Cloud Computing have come a long way in terms of security, but taking policy and sales pitches at face value is a losing game. Being prepared with the right questions and looking for these few points can go a long way in evaluating a potential partner. Recently, the SaaS Customer Bill of Rights has gained a lot of credibility and praise as an evolution in SaaS partner relationships, but as for compliance and regulation, it’s still the Wild West. For most of us, hopefully security will never be an issue, and instead be more of an insurance policy, but trusting that choice blindly to a new partner is a risk you can’t afford.


Chris Bliss works at VM Associates, an end-user consultancy for businesses looking to move to the cloud from pre-existing legacy systems.