I'm a big advocate of software as a service (SaaS) -- have been for years. This evangelism started for me almost 5 years ago when I became a Qualys MSSP customer listening to Philippe Courtot espouse the benefits of SaaS for vulnerability management. This was an opportunity to allow me to more efficiently, effectively and cheaply manage my VA problem. They demonstrated how they were good custodians of the data (my data) that they housed and how I could expect they would protect it.
I did not, however, feel *more* secure because they housed my VA data. I felt secure enough in how they housed it that it should not fall into the wrong hands. It's called an assessment of risk and exposure. I performed it and was satisfied it matched my company's appetite and business requirements.
Not one to appear unclear on where I stand, I maintain that SaaS can bring utility, efficiency, cost effectiveness, enhanced capabilities and improved service levels to a corporation depending upon who, what, why, how, where and when the service is deployed. Sometimes it can bring a higher level of security to an organization, but so can an armed squadron of pissed off Oompa Loompas -- it's all a matter of perspective.
I suggest that attempting to qualify the benefits of SaaS by generalizing in any sense is, well, generally a risky thing to do. It often turns what could be a valid point of interest into a point of contention.
Such is the case with a story I read in a UK edition of IT Week by Phil Muncaster titled "On Demand Security Issues Raised." In this story, the author describes the methods by which the security posture of SaaS vendors may be measured, comparing the value, capabilities and capacity of the various options and the venue for evaluating a SaaS MSSP: hire an external contractor or rely on the MSSP to furnish you the results of an internally generated assessment.
I think this is actually a very useful and valid discussion to have -- whom to trust and why? In many cases, these vendors house sensitive and sometimes confidential data regarding an enterprise, so security is paramount. One would suggest that anyone looking to engage an MSSP of any sort, especially one offering a critical SaaS, would perform due diligence in one form or another before signing on the dotted line.
That's not really what I wanted to discuss, however.
What I *did* want to address was the comment in the article coming from Andy Kellett, an analyst for Burton, that read thusly:
"Security is probably less a problem than in the end-user organisations because [on-demand app providers] are measured by the service they provide," Kellett argued.
I *think* I probably understand what he's saying here: that security is "less of a problem" for an MSSP because the pressures of the implied penalties associated with violating an SLA are so much more motivating to get security "right" that they can do it far more effectively, efficiently and better than a customer.
This is a selling point, I suppose? Do you, dear reader, agree? Does the implication of outsourcing security actually mean that you "feel" or can prove that you're more secure or better secured than you could do yourself by using a SaaS MSSP?
"I don't agree the end-user organisation's pen tester of choice should be doing the testing. The service provider should do it and make that information available."
Um, why? I can understand not wanting hundreds of scans against my service in an unscheduled way, but what do you have to hide? You want me to *trust* you that you're more secure or holding up your end of the bargain? Um, no thanks. It's clear that this person has never seen the results of an internally generated PenTest and how real threats can be rationalized away into nothingness...
Clarence So of Salesforce.com agreed, adding that most chief information officers today understand that software-as-a-service (SaaS) vendors are able to secure data more effectively than they can themselves.
Really!? It's not just that they gave in to budget pressures, agreed to transfer the risk and reduce OpEx and CapEx? Care to generalize more thoroughly, Clarence? Can you reference proof points for me here? My last company used Salesforce.com, but as the person who inherited the relationship, I can tell you that I didn't feel at all more "secure" because SF was hosting my data. In fact, I felt more exposed.
"I'm sure training companies have their own motives for advocating the need for in-house skills such as penetration testing," he argued. "But any suggestions the SaaS model is less secure than client-server software are well wide of the mark."
...and any suggestion that they are *more* secure is pure horsecock marketing at its finest. Prove it. And please don't send me your SAS-70 report as your example of security fu.
So just to be clear, I believe in SaaS. I encourage its use if it makes good business sense. I don't, however, agree that you will automagically be *more* secure. You may be just *as* secure, but it should be more cost-effective to deploy and manage. There may very well be cases (I can even think of some) where one could be more or less secure, but I'm not into generalizations.