5 SaaS Security Issues Part 2

Software as a Service (SaaS) is the business destination for a number of valuable reasons – cloud software is more centralized, easier to maintain, and easier to integrate with other applications. Even Microsoft is throwing its weight behind the movement. Office 365 will move the entire Microsoft Office suite into the cloud, carrying with it all the benefits that affords. However, given that SaaS is still coming into its own, there are some issues you should consider before switching over wholesale.

4. Cloud Security Standards Are Immature

When you’re shopping around for a software vendor, one of the first things you want to see is the vendor’s security qualifications. Passing various standards makes this process easy – if a company boasts certain credentials, you can immediately understand the measures that company has taken to secure your data. Unfortunately, there aren’t any standards built around cloud software just yet.

Many vendors brag about passing the SAS 70 audit, but the standards for this audit are lacking. The standards for SAS 70 were set before cloud computing even existed, yet for some reason it has become the de facto standard in cloud security. Analysts have gravitated towards the ISO 27001 standard. According to Forrester Analyst Chenxi Wang, this standard is much more accurate in guaranteeing customer security.

“That to me is at least a starting point to evaluate how mature a SaaS provider is,” Wang said, while noting that passing the SAS 70 audit is “more of a self-imposed exercise.”

Even that doesn’t make the ISO 27001 standard ideal. Gartner Analyst Neil MacDonald feels that the standard is “the best one out there, but that doesn't mean it's sufficient.”

5. Your Data May Move Without Your Knowledge

A big perk of cloud computing is the lack of local storage. All of your files are stored on a remote, centralized server, which means you can access and modify your data from anywhere. However, one technical step that makes this possible is “load balancing.” If you access your files from a geographically distant place – say you’re on a business trip in Europe and trying to access your files from an American server – your cloud network will actually copy those files to a server closer to you to improve performance. This is a great feature, but it can run afoul of certain regulations – such as the Federal Information Security Management Act (FISMA) that requires companies to keep sensitive data inside the US. The situation is even stickier in other countries.

“If you're in Switzerland, that's just a law, period. If they can't guarantee that information will be on servers in Switzerland, that's a non-starter,” Symantec Hosted Services Senior Vice President Rowan Trollope said. “The typical SaaS vendors have held the view that it doesn't matter where the servers are. We understand your laws, but the Internet doesn't work that way.”

Some companies offer guarantees that they can lock your data down to a particular nation, but this is still a rare feature among SaaS vendors. Until vendors can reliably guarantee the geographic location of your data, or until a third-party vendor can accurately track the migration of that data, companies with sensitive data will need to make extra preparations before jumping into SaaS.

By CRM Software Blog Editors
