Arul & Associates LLC blog archives, July 2009

Addressing SaaS Concerns

By Guest    July 9, 2009

This is the second part of a two-part post on using SaaS (Software-as-a-Service) applications within your business. In the first part, Guest Author Vikram Prashar looked at the benefits of using SaaS and why it has become so popular. In this post, he provides information on the potential risks of using this software and ways to mitigate those risks.

How do you make sure YOU are comfortable?

Ultimately, the most important point is for the accounting department (generally the CFO and controllers) to be comfortable that their valuable data is held somewhere secure and that privacy is maintained. Any organization, regardless of size, should have an in-house security policy in place that addresses access levels, access control, password policy, etc. Without an enforceable, agreed-upon policy the business is vulnerable to its own employees. This would hold true for manufacturing or engineering applications as well, but financial data tends to draw greater security concerns. To take this to a level where the CFO will be more comfortable, a comprehensive list of items must be addressed regarding SAAS:

  • What access controls are in place? Who can make changes to the various user groups within the application, and are those changes logged?
  • What change control processes are in place? When can the systems be brought down for scheduled maintenance or patches? Does it require client approval, or is it determined by the service provider?
  • Does the service provider conduct regular external third-party security audits on their systems? The service provider should have a penetration test conducted by an external firm such as eEye or Qualys. These reports should be made accessible to clients for their systems upon request.
  • What backup and recovery methods exist? Can the service provider ensure that backups are done in a manner consistent with company policy? Furthermore, can they restore data deleted either accidentally or maliciously? This MUST be tested before going live.
  • If the application connects to your internal user directory (Active Directory), how is that connection secured? Is it a point-to-point VPN? How does that affect your access away from the office? Many applications offer single sign-on, but that requires access to your network. It is not unreasonable to ask for security certifications from the provider’s network engineers: CCIE, CISSP, or similar.
  • Does the service provider hold a Statement on Accounting Standards (SAS-70) certification? This helps validate that they have adequate operational controls in place.
  • Does the service provider give agreeable Service Level Agreements on all their services? It is imperative that clients get a detailed SLA in writing from any service provider, but particularly for a financial application. What are the consequences for clients not being able to access their systems: refunds, credits, the ability to exit the contract?
  • Just because the application is provided by an external service, it doesn’t mean the organization can ignore all the application-specific security issues. They must make sure they have controls and methods to ensure password policy, account lock-outs, detailed log files that record unauthorized access, etc. One item to ask is whether passwords are sent over the internet encrypted or in clear text. This will provide a strong indication of the security focus of the Application Service Provider. If you get a blank look when asking this question, that is a major red flag.
  • If the application can be accessed via a web browser, who is responsible for renewing the security certificate? Lastly, ask about the tools used in their application and whether they routinely patch their Java or similar components.
  • The ASP should be willing to give you a tour of their data center upon request. It need not be the exact data center where your applications are hosted, but it will give you a general idea of their operations.
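Three of the questions above (are passwords sent in clear text, who keeps the browser certificate current, and do the logs show failed logins followed by a lock-out) can be turned into concrete checks you run against what the provider shows you. The Python script below is an added example written for this post; it is not code from the original article or from any provider. It parses a constructed login page for password forms whose action would post over plain http, computes the days left on a certificate from the notAfter string the ssl module reports, and scans constructed authentication log lines for accounts that reached the failure threshold without ever being locked out. The host app.example.com, the key=value log format and the threshold of five failures are assumptions.

```python
"""Offline due-diligence checks derived from the SaaS checklist (added example).
Host name, log line format and lock-out threshold are assumptions, not a
provider's real interface.
"""
import re
import ssl
import time
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _PasswordFormScanner(HTMLParser):
    """Collects the action attribute of every <form> that contains a password input."""

    def __init__(self):
        super().__init__()
        self._action = None          # action of the form currently being parsed
        self._has_password = False
        self.password_forms = []     # actions of forms that carry a password field

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "form":
            self._action = attr.get("action") or ""
            self._has_password = False
        elif tag == "input" and (attr.get("type") or "").lower() == "password":
            self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            if self._has_password:
                self.password_forms.append(self._action)
            self._action = None


def insecure_login_actions(page_url, page_html):
    """Absolute URLs of password forms that would submit over something other than https.
    An empty action posts back to page_url, so relative actions are resolved against it."""
    scanner = _PasswordFormScanner()
    scanner.feed(page_html)
    targets = (urljoin(page_url, action) for action in scanner.password_forms)
    return [t for t in targets if urlsplit(t).scheme != "https"]


def cert_days_remaining(not_after, now_ts=None):
    """Whole days until a certificate expires.
    `not_after` is the text form ssl reports, e.g. 'Jul 19 12:00:00 2009 GMT'."""
    expires_ts = ssl.cert_time_to_seconds(not_after)
    now_ts = time.time() if now_ts is None else now_ts
    return int((expires_ts - now_ts) // 86400)


# Assumed log format: "<timestamp> auth user=<name> result=FAIL|SUCCESS|LOCKED ..."
LOG_LINE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) result=(?P<result>FAIL|SUCCESS|LOCKED)")


def accounts_missing_lockout(log_lines, threshold=5):
    """Users whose consecutive failed logins reached `threshold` but who never show a LOCKED event."""
    failures = defaultdict(int)
    reached, locked = set(), set()
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                 # unrelated line, skip
        user, result = m["user"], m["result"]
        if result == "FAIL":
            failures[user] += 1
            if failures[user] >= threshold:
                reached.add(user)
        else:                        # SUCCESS or LOCKED resets the failure counter
            if result == "LOCKED":
                locked.add(user)
            failures[user] = 0
    return sorted(reached - locked)


# Constructed sample inputs (not captured from any real provider).
SAMPLE_LOGIN_PAGE = """<html><body>
<form action="http://app.example.com/login" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>
<form action="/search" method="get"><input type="text" name="q"></form>
</body></html>"""

SAMPLE_AUTH_LOG = (
    [f"2009-07-09T08:00:{i:02d}Z auth user=jsmith result=FAIL src=203.0.113.5" for i in range(5)]
    + ["2009-07-09T08:00:05Z auth user=jsmith result=LOCKED src=203.0.113.5"]
    + [f"2009-07-09T08:01:{i:02d}Z auth user=mlee result=FAIL src=198.51.100.7" for i in range(6)]
    + ["2009-07-09T08:02:00Z auth user=mlee result=SUCCESS src=198.51.100.7"]
)


def run_checks(now_ts=None):
    """Run all three checks over the constructed samples and return the findings."""
    return {
        "cleartext_login_forms": insecure_login_actions("https://app.example.com/login", SAMPLE_LOGIN_PAGE),
        "cert_days_remaining": cert_days_remaining("Jul 19 12:00:00 2009 GMT", now_ts),
        "accounts_missing_lockout": accounts_missing_lockout(SAMPLE_AUTH_LOG),
    }


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

In the sample data the login form on an https page posts to an http URL, which is exactly the clear-text case the checklist warns about; jsmith is locked after five failures while mlee logs in successfully after six, so mlee is reported as the account where the lock-out policy did not fire. Against a live provider you would feed `insecure_login_actions` the fetched login page and `cert_days_remaining` the notAfter value from `ssl.SSLSocket.getpeercert()`.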

Summary

In conclusion, SAAS can be as secure as any in-house application. It requires a similar level of due diligence as the security of your office network, in fact more. If the aforementioned items are covered and the service provider will give references for any of their clients (you select which ones you want from the service provider’s website), you should be able to enjoy the many benefits of SAAS. Understand that you will be required to maintain a relationship with your service provider to make sure they continue to meet your needs in a secure and auditable manner. Enlist the services of an experienced IT consultant, or ensure that someone within the organization does a comprehensive check on these and other organization-specific security concerns. All application providers will swear that they have a secure and reliable infrastructure, but it is ultimately your responsibility to ensure that a sound policy and service level agreement exist and that these can be enforced.

For further information, Vikram Prashar can be contacted at vprashar@prasharconsulting.com.

Is SaaS right for your business?

By Guest    July 2, 2009

SaaS stands for Software-as-a-Service. It is sometimes referred to by the terms “on demand” or “cloud computing” and is gaining in popularity with smaller businesses. Traditionally, desktop software was installed on a single computer for one person to use, while enterprise software was installed on large servers with many users connecting to it via a client application (or, increasingly, through a browser). SaaS vendors run their enterprise-scale software in large data centers and allow individual companies and users to use the software remotely over the internet. This has become big business – Salesforce.com became the first company of this type to reach over $1B in annual revenue.

In this two part post, Guest Author Vikram Prashar will look into why you might use SaaS applications and how to mitigate the risks. Vik is an IT Consultant who has held VP roles at large organizations managing IT departments.

Why SAAS?

SAAS has steadily been emerging as a very popular method of operation for companies of all sizes. Larger firms like the ease of implementation, the ability to easily charge costs back to departments, and the low overhead required for these applications. Smaller firms have benefited from it in many ways too. The biggest advantage is that they get pricing normally offered only to large corporations. Additional benefits include:

  • Increasing costs of running a data center
  • Server consolidation
  • Reduced capital investment
  • Reduced energy usage
  • Ability to use the latest technology and tools
  • Business continuity advantages
  • Reduced IT staffing needs
  • Ability to run applications from any location

These are all good reasons why more and more companies are relying on SAAS for their ERP needs. Applications are becoming more of a commodity that can be purchased on demand on a per-user, per-month basis. As the company grows, licenses can be purchased or returned, generally with little impact on software contracts. From an end-user point of view, there are really not a lot of differences between a SAAS vendor and an internal IT department. Generally an application on a server located on the same local network will perform better than one in the cloud, but for many applications the differences are not significant enough to outweigh the numerous benefits of hosted applications.

Basic Concerns:

Of course, just because the software is essentially outsourced, it doesn’t mean we can ignore all the other components of application service. Many of the same concerns that apply to in-house applications also apply to SAAS. These include:

  • Security
  • Backups & Restores
  • Application availability
  • SLAs for uptime and performance
  • Application support: patches, software updates, etc.

In Part 2 Vik will give you suggestions on how to mitigate these risks. For further information, you can reach Vikram Prashar at vprashar@prasharconsulting.com.