Terms seem to change meaning so often in IT. It used to be that outsourcing conjured up images of Bangalore. For many firms, outsourcing is now synonymous with software-as-a-service from companies such as Salesforce.com, Intuit and ADP, which will — for a healthy fee — help an organisation trim the fat off its business processes. While software-as-a-service may work miracles for your bottom line, surrendering control of a business process to a partner doesn’t mean you also jettison the risk of your data being exposed. In fact, you probably increase the risk.
Software-as-a-service decouples two typically intertwined factors: control of a process and the consequences of that process failing. Service level agreements (SLAs) try to transfer some of the risk — for example, a typical contract might guarantee a minimum uptime. If the provider doesn’t meet the terms, it has to pay out to the customer. I’ve never seen a contract describe what these providers do to secure their software, however.
How many customers ask software-as-a-service vendors about the security of their code? Is there anything in their SLA about security or breaches? Who’s left holding the bag if their security is weak? The answers are: not many; almost certainly not; and your company.
Another interesting point to ponder is that attackers’ motivations are changing. Breaking into systems is becoming profit-driven and organised. Essentially, software-as-a-service providers are an aggregation point for valuable data — and a juicy target. From a hacker ROI perspective, why would an attacker spend time breaking into a small company when he can set his sights on the drop point for the most valuable data of a whole group of companies?
A 30-person outfit in Idaho probably wouldn’t even show up on an attacker’s radar, but when it lumps its customer data with 1,000 other 30-person companies (and some Fortune 500 firms), you’ve got some serious risk.
At first it would appear this risk through aggregation is similar to the risk companies take every day (from worms and viruses) by using the same operating system and web browser.
The key difference is that, within their own networks, organisations can take specific and individual action to reduce risk, such as deploying firewalls, intrusion-detection systems and anti-virus software.
When the entire system is managed by someone else the only thing that can be done is to make sure the provider is thinking hard — and possibly contractually — about security.
The bottom line is that users need to ask their software-as-a-service providers some tough questions about their security practices.
Your provider is, by proxy, an extension of your own company, with two exceptions: first, it’s a bigger target than you are, and, second, you have no real insight into (or control over) how it manages your critical data.
Not to worry, though. I’m sure your time-sheets, client contacts and whatever else you may be managing with software-as-a-service are fine — but it’s always good to pack an umbrella when the sky’s cloudy.