By now, it is a well-known fact that security and privacy are two of the biggest concerns for SaaS users. Of late, I have been doing some research on the security practices of various SaaS vendors, and I am somewhat troubled by what I see on the websites of many of them.
Most of the SaaS vendors talk about how their datacenter is protected by biometric scanning, card-based access, 24/7 video monitoring, a perimeter firewall, IDS, log auditing, etc. To be frank, this is a case of plain bullshitting. Biometric scanning, card-based access and video monitoring are part and parcel of any datacenter operation these days. If a datacenter doesn’t have these measures implemented, then you can be a hundred percent sure that it is a fly-by-night operation. Anyone with basic system admin skills knows that a firewall, IDS and log auditing are part and parcel of the basic security measures for any server that is accessible through the internet. Any business running server(s) without even these basic security measures is just a bunch of jokers who shouldn’t be doing business at all. I might have looked at such claims with awe during the early days of web-based commerce, but they are basic necessities for any web-based operation today. Most of the SaaS vendors have their apps hosted either on Amazon’s cloud, with managed hosting providers like Rackspace, or in one of the colocation facilities, and all of them have these security measures implemented by default.
As an educated SaaS user, I don’t care about these security measures at all. I assume them to be just there. Instead, I am more interested in people-centric security measures. Even though the SaaS vendors have their servers hosted in these highly secured datacenters, they access those servers from remote locations. Their system admin will definitely have root access to these servers, and their DB admin will have root access to the MySQL databases (assuming their app is built on top of a LAMP stack). Even worse, if they outsource their system admin tasks to a third-party provider, the employees of the outsourcing company will have full access to the servers and databases. I am more worried about how access to my data is handled by the SaaS providers than about whether their datacenter has biometric access and video monitoring. If these people-centric processes are handled badly, the presence of biometric access sensors and video cameras becomes meaningless.
What I would actually like to hear from the SaaS vendors is how they handle the people-centric access to my data. I would like to know things like whether they keep the data encrypted, who has access to the data, how the employees accessing my data are screened and how their access is logged and audited, how the backup of data is handled and where it is stored, whether access to data is restricted to the bare minimum number of employees, how access to the datacenters from the SaaS providers’ offices is managed, etc. These are the issues that matter more to me as a SaaS user than biometric scanning and video cameras; those are issues between the SaaS vendors and the datacenter operators. As a user, even though I am concerned about datacenter security, I am much more worried about data security and privacy.
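One concrete way a vendor could back up the "logged and audited" and "bare minimum number of employees" answers above is a periodic reconciliation of privileged-access logs against an approved-operator list. The following is an added example written for this post, not code from any vendor mentioned here. The log lines, hostnames, usernames and the approval table are all constructed; the per-host approval format, the key-only SSH policy and the "no shared root DB account" rule are assumptions about what such a vendor's policy would say.

```python
"""Reconcile privileged-access log lines against an approved-operator list.

Added example, not from the post or any vendor it names. All data below is
constructed; the policy rules are assumptions about a typical access policy.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed approval table: (access kind, host) -> operators approved for it.
# A real vendor would pull this from its access-review records (assumption).
APPROVED = {
    ("ssh", "prod-app-01"): {"alice"},
    ("sudo", "prod-app-01"): {"alice"},
    ("mysql", "prod-db-01"): {"bob"},
}

# Constructed syslog-style sshd/sudo lines and MySQL general-log style lines.
SAMPLE_LOGS = """\
Mar 12 09:01:12 prod-app-01 sshd[2210]: Accepted publickey for alice from 10.0.5.4 port 51022 ssh2
Mar 12 09:02:40 prod-app-01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart app
Mar 12 09:15:03 prod-app-01 sshd[2290]: Accepted password for contractor7 from 203.0.113.9 port 40110 ssh2
Mar 12 09:15:30 prod-app-01 sudo:    contractor7 : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/mysqldump customers
Mar 12 09:20:00 prod-db-01 mysqld: 2024-03-12T09:20:00Z 17 Connect root@10.0.5.9 on customers using TCP/IP
Mar 12 09:21:00 prod-db-01 mysqld: 2024-03-12T09:21:00Z 18 Connect bob@10.0.5.4 on customers using TCP/IP
"""

SYSLOG_PREFIX = r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) "
PATTERNS = {
    "ssh": re.compile(SYSLOG_PREFIX + r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"),
    "sudo": re.compile(SYSLOG_PREFIX + r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"),
    "mysql": re.compile(SYSLOG_PREFIX + r"mysqld: \S+\s+\d+ Connect\s+(?P<user>[^@\s]+)@(?P<src>\S+)"),
}


@dataclass
class AccessEvent:
    kind: str          # ssh, sudo or mysql
    host: str
    user: str          # the individual (or account) that gained privileged access
    detail: str        # command run, or login method and source address
    findings: list = field(default_factory=list)

    @property
    def approved(self) -> bool:
        return not self.findings


def parse_events(log_text: str) -> list:
    """Extract privileged-access events; lines that match no pattern are ignored."""
    events = []
    for line in log_text.splitlines():
        for kind, pat in PATTERNS.items():
            m = pat.match(line)
            if m:
                g = m.groupdict()
                detail = g.get("cmd") or f"{g.get('method', 'connect')} from {g.get('src', '?')}"
                events.append(AccessEvent(kind, g["host"], g["user"], detail))
                break
    return events


def audit(log_text: str, approved=APPROVED) -> list:
    """Attach a finding to every event that violates the (assumed) access policy."""
    events = parse_events(log_text)
    for ev in events:
        if ev.user not in approved.get((ev.kind, ev.host), set()):
            ev.findings.append("user not on approved list")
        if ev.kind == "ssh" and "publickey" not in ev.detail:
            ev.findings.append("non-key SSH login")            # policy assumption: key-only access
        if ev.kind == "mysql" and ev.user == "root":
            ev.findings.append("shared root DB account, no individual attribution")
    return events


def summarize(events: list) -> dict:
    """Counts an auditor cares about: unapproved events and distinct privileged users per host."""
    users_per_host = defaultdict(set)
    for ev in events:
        users_per_host[ev.host].add(ev.user)
    return {
        "total": len(events),
        "unapproved": sum(1 for ev in events if not ev.approved),
        "privileged_users": {h: sorted(u) for h, u in users_per_host.items()},
    }


if __name__ == "__main__":
    evs = audit(SAMPLE_LOGS)
    for ev in evs:
        status = "ok" if ev.approved else "REVIEW: " + "; ".join(ev.findings)
        print(f"{ev.host} {ev.kind:5} {ev.user:12} {ev.detail:40} {status}")
    print(summarize(evs))
```

Run as a script it prints one line per privileged-access event with its findings. The `privileged_users` map in the summary is the number the "bare minimum" question is really about, and a non-zero `unapproved` count is exactly what a customer should be asking the vendor to explain.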
It is the responsibility of the SaaS vendors to educate users about their people-centric security practices, and it is the responsibility of the SaaS users to get these details from the vendors. As I have emphasized several times in this space, SaaS requires a mental shift on the part of the users. To make this adjustment comfortable for them, SaaS vendors should be more forthcoming about their security practices regarding the handling of data. In fact, some of the SaaS vendors are already doing this. For example, Google explains their practices clearly in this document:
Data such as email is stored in an encoded format optimized for performance, rather than stored in a traditional file system or database manner. Data is dispersed across a number of physical and logical volumes for redundancy and expedient access, thereby obfuscating it from tampering. Google’s physical protections described above ensure that no physical access to servers is possible. All access to production systems is conducted by personnel using encrypted SSH (secure shell). Specialized knowledge of the data structures and Google’s proprietary infrastructure would be required to get meaningful access to end user data. This is one of many security layers to ensure security of sensitive data within Google Apps.
Google’s distributed architecture is built to provide a higher level of security and reliability than a traditional single-tenant architecture. Individual user data is dispersed across a number of anonymous servers, clusters, and datacenters. This ensures that data is not only safe from potential loss, but also highly secure.
User data is only accessible with appropriate credentials, ensuring that there is no possibility of one customer having access to another customer’s data without explicit knowledge of their login information. Not only does this proven system serve tens of millions of consumer users with email, calendaring, and documents on a daily basis, but it is also used by Google as the primary platform to serve its 10,000+ employee base.
Similarly, Zoho (disclaimer: Zoho is a sponsor of this blog, but this is purely my independent opinion) also has a page on their website explaining their people-centric security practices. I would like to see such explanations from all the SaaS vendors. In particular, I would like to hear from the smaller vendors who operate from a relatively insecure environment.