
Security continues to be a key challenge for SaaS vendors

Jon Oltsik of CNet Blogs had an insightful post
titled "Software as a Service needs a strong foundation of security."
And I could not agree more. This is a key theme that is brought up in
our discussions with ISVs and end customers.



Jon mentions three key points and I quote:


  1. "SaaS vendors must become security beacons to succeed. These demands
    go beyond information and physical security; service providers will
    have to be familiar with their customers' business processes in order
    to understand where their services are most vulnerable. In my mind,
    "business process security" is the new frontier and SaaS vendors must
    blaze the trail.
  2. Data privacy is tantamount. Strong authentication, proactive
    auditing, and encryption must be a part of the SaaS design in order to
    restrict access to private and confidential data. The SaaS providers
    must assume liability for the cost and damages associated with any data
    breaches.
  3. SaaS vendors find security partners from the get-go. Managed service
    providers like IBM, VeriSign, and Symantec have a huge opportunity to
    be the Good Housekeeping seal of approval on SaaS offerings. As part of
    these big deals, SaaS vendors must transfer risk to security experts,
    use these partnerships for marketing advantage, and maintain their
    focus on solving business problems."



In addition, I would add the following:

  • It is not sufficient for the SaaS vendor to take a 'trust me'
    approach - they must be able to show the mechanisms and technologies
    they have put in place to ensure data security and privacy. For
    example, with Oracle Data Vault a SaaS vendor can ensure that the DBA
    will not be able to see the data and only manage and administer the
    database. This becomes even more important when the SaaS vendor relies
    on a 3rd-party managed hosting provider. The more people one must
    trust, the less trustworthy the system is likely to be unless specific
    tools or methodologies are used to limit what each of them can see.
  • User de-provisioning is very important. The truth is that the
    majority of data breaches take place by insiders or ex-employees. It is
    therefore important that the SaaS vendor be able to quickly disable (or
    de-provision) the user accounts when an employee leaves the company.
    This can be done in at least two different ways. First, the SaaS vendor
    can choose to use federation and rely on the customer to authenticate
    the user. Each user is then authenticated only for a single session, so
    the SaaS vendor does not have to explicitly disable access; once the
    customer stops authenticating the user, no new session can be started.
    The other approach is to put in place an Identity Provisioning system
    (such as Oracle Identity Manager) that allows SPML based provisioning
    (and de-provisioning) of remote systems.
  • Think about auditing requirements upfront: It is important to be able to document
    the processes used for security and identity management for various
    compliance requirements. A system that allows you to explicitly model
    the business processes associated with security tasks such as user
    provisioning can help meet these requirements. Implicit processes
    cannot be seen or audited. BPEL is emerging as a standard language for
    modeling business processes.
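The two de-provisioning approaches in the second bullet, as an added example that is not code from the original post or from any vendor named in it: the customer IdP, the federated service provider, and the locally provisioned service provider below are in-memory simulations written for this illustration, and the shared HMAC key, the user names and the clock values are constructed. The federated scenario also shows the caveat a practitioner would want to see, namely that a session assertion issued before the employee was offboarded stays valid until it expires, so the assertion lifetime bounds the exposure window.

```python
"""Two ways a SaaS provider can ensure a departed employee loses access.

Added example, not code from the original post. The customer IdP, the
service provider (SP) and the provisioning connector are in-memory
simulations written for this demo, not any vendor's real API.
"""
import hashlib
import hmac
import json

# Constructed shared secret between the customer's IdP and the SP; a real
# deployment would use the IdP's signing key / certificate instead.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
ASSERTION_TTL = 600  # seconds a login assertion stays valid


# --- Approach 1: federation -------------------------------------------
# The customer authenticates the user and issues a short-lived signed
# assertion per session. The SP holds no account to disable; access ends
# when the customer stops issuing assertions (plus the remaining TTL).

class CustomerIdP:
    def __init__(self, users):
        self.active_users = set(users)

    def offboard(self, user):
        """HR/IT disables the user in the customer's own directory."""
        self.active_users.discard(user)

    def issue_assertion(self, user, now):
        """Return a signed (body, signature) pair, or None if user is inactive."""
        if user not in self.active_users:
            return None
        body = json.dumps({"sub": user, "exp": now + ASSERTION_TTL}).encode()
        sig = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
        return body, sig


class FederatedSaaS:
    def accept(self, assertion, now):
        """Validate signature and expiry; no local user table is consulted."""
        if assertion is None:
            return False
        body, sig = assertion
        expected = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return False
        return json.loads(body)["exp"] > now


# --- Approach 2: local accounts + provisioning connector ---------------
# The SP keeps its own accounts, so an explicit de-provisioning request
# (what an SPML-style connector would send) must reach it.

class LocalAccountSaaS:
    def __init__(self, users):
        self.accounts = {u: "active" for u in users}

    def login(self, user):
        return self.accounts.get(user) == "active"

    def deprovision(self, user):
        """Disable rather than delete, so audit records keep their subject."""
        if user in self.accounts:
            self.accounts[user] = "disabled"


def federated_scenario():
    """alice leaves; returns which access attempts the SP accepts."""
    idp = CustomerIdP({"alice", "bob"})
    sp = FederatedSaaS()
    t0 = 1_000_000  # constructed clock value
    session = idp.issue_assertion("alice", t0)
    before = sp.accept(session, t0)
    idp.offboard("alice")
    new_login = sp.accept(idp.issue_assertion("alice", t0 + 1), t0 + 1)
    # Caveat: an assertion issued before offboarding stays valid until it
    # expires, so the TTL bounds the exposure window after offboarding.
    old_session_within_ttl = sp.accept(session, t0 + ASSERTION_TTL - 1)
    old_session_after_ttl = sp.accept(session, t0 + ASSERTION_TTL + 1)
    return before, new_login, old_session_within_ttl, old_session_after_ttl


def provisioned_scenario():
    """alice leaves; the customer's provisioning system must tell the SP."""
    sp = LocalAccountSaaS({"alice", "bob"})
    before = sp.login("alice")
    sp.deprovision("alice")  # driven by the customer's provisioning system
    return before, sp.login("alice")


if __name__ == "__main__":
    print("federation:", federated_scenario())      # (True, False, True, False)
    print("provisioning:", provisioned_scenario())  # (True, False)
```

In the federated design the only state the vendor must get right is signature verification and expiry checking; in the provisioned design the vendor must additionally guarantee that every de-provisioning request from the customer's identity management system actually reaches and is applied to its account store, which is where the auditing point in the next bullet comes in.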



It can cost a lot of time and money to bolt on security as an
afterthought to your SaaS solution. Customers have repeatedly mentioned
security as one of the key hurdles to adoption of SaaS. A SaaS platform
that is designed for secure computing, such as Oracle, can help save on
costs and provide your customers with the confidence that Jon talks
about.



What are the security challenges you face as an ISV? If you are a user of SaaS, what concerns do you have?

(Update: You may want to check out this interesting post on Identity as a Service offering for Social Networking by fellow Oracle blogger, Nishant.)

This page contains a single entry from the blog posted on June 8, 2007 1:14 AM.