On-Demand SaaS Vendors Able to Secure Assets Better than Customers?

I’m a big advocate of software as a service (SaaS) — have been for years.  This evangelism started for me almost 5 years ago when I became a Qualys MSSP customer listening to Philippe Courtot espouse the benefits of SaaS for vulnerability management.  This was an opportunity to allow me to manage my vulnerability assessment (VA) problem more efficiently, effectively and cheaply.  They demonstrated how they were good custodians of the data (my data) that they housed and how I could expect they would protect it.

I did not, however, feel *more* secure because they housed my VA data.  I felt secure enough in how they housed it that it should not fall into the wrong hands.  It’s called an assessment of risk and exposure.  I performed it and was satisfied it matched my company’s appetite and business requirements.

Not one to appear unclear on where I stand, I maintain that SaaS can bring utility, efficiency, cost effectiveness, enhanced capabilities and improved service levels to a corporation depending upon who, what, why, how, where and when the service is deployed.  Sometimes it can bring a higher level of security to an organization, but so can an armed squadron of pissed-off Oompa Loompas — it’s all a matter of perspective.

I suggest that attempting to qualify the benefits of SaaS by generalizing in any sense is, well, generally a risky thing to do.  It often turns what could be a valid point of interest into a point of contention.

Such is the case with a story I read in a UK edition of IT Week by Phil Muncaster titled "On Demand Security Issues Raised."  In this story, the author describes the methods by which the security posture of SaaS vendors may be measured, comparing the value, capabilities and capacity of the various options and the venue for evaluating a SaaS MSSP:  hire an external contractor or rely on the MSSP to furnish you the results of an internally generated assessment.

I think this is actually a very useful and valid discussion to have — whom to trust and why?  In many cases, these vendors house sensitive and sometimes confidential data regarding an enterprise, so security is paramount.  One would suggest that anyone looking to engage an MSSP of any sort, especially one offering a critical SaaS, would perform due diligence in one form or another before signing on the dotted line.

That’s not really what I wanted to discuss, however.

What I *did* want to address was the comment in the article coming from Andy Kellett, an analyst for Burton, that read thusly:

"Security is probably less a problem than in the end-user organisations because [on-demand app providers] are measured by the service they provide," Kellett argued.

I *think* I probably understand what he’s saying here…that security is "less of a problem" for an MSSP because the pressures of the implied penalties associated with violating an SLA are so much more motivating to get security "right" that they can do it far more effectively, efficiently and better than a customer.

This is a selling point, I suppose?  Do you, dear reader, agree?  Does the implication of outsourcing security actually mean that you "feel" or can prove that you’re more secure or better secured than you could do yourself by using a SaaS MSSP?

"I don’t agree the end-user organisation’s pen tester of choice should be doing the testing. The service provider should do it and make that information available."

Um, why?  I can understand not wanting hundreds of scans against my service in an unscheduled way, but what do you have to hide?  You want me to *trust* you that you’re more secure or holding up your end of the bargain?  Um, no thanks.  It’s clear that this person has never seen the results of an internally generated PenTest and how real threats can be rationalized away into nothingness…

Clarence So of Salesforce.com agreed, adding that most chief information officers today understand that software-as-a-service (SaaS) vendors are able to secure data more effectively than they can themselves.

Really!?  It’s not just that they gave in to budget pressures, agreed to transfer the risk and reduce OpEx and CapEx?  Care to generalize more thoroughly, Clarence?  Can you reference proof points for me here?  My last company used Salesforce.com, but as the person who inherited the relationship, I can tell you that I didn’t feel at all more "secure" because SF was hosting my data.  In fact, I felt more exposed.

"I’m sure training companies have their own motives for advocating the need for in-house skills such as penetration testing," he argued. "But any suggestions the SaaS model is less secure than client-server software are well wide of the mark."

…and any suggestion that they are *more* secure is pure horsecock marketing at its finest.  Prove it.  And please don’t send me your SAS-70 report as your example of security fu.

So just to be clear, I believe in SaaS.  I encourage its use if it makes good business sense.  I don’t, however, agree that you will automagically be *more* secure.  You may be just *as* secure, but it should be more cost-effective to deploy and manage.  There may very well be cases (I can even think of some) where one could be more or less secure, but I’m not into generalizations.

Whaddya think?

/Hoff

  1. August 16th, 2007 at 02:16

    SaaS vendor security.

    Rational Security: On-Demand SaaS Vendors Able to Secure Assets Better than Customers? An interesting post from Hoff on whether having data with SaaS vendors may leave you more or less secure overall. I've had a couple of experiences of this…

  2. August 16th, 2007 at 03:17

    The Hoffster speaks sooth (once again). In my experience, SaaS isn't inherently ANYTHING having to do with security; it's all in who's doing it and how good they are at it. Fred's SaaS Shop depends entirely upon the expertise of Fred and his crew — the fact that they MIGHT get some savvy customers who push them on the security side isn't enough to give them an edge over those same possible savvy customers.
    In other words, motivation isn't always a reliable predictor of reality.
    That's not to say that all SaaSes Suck; I've seen about the same general distribution of clue that I've seen in other areas of security services.
    But for the SaaS vendor itself, if they're asked, I would encourage them to say to the customer, "Well, we have our own third-party assessment that we'll show you under NDA, but if you really want to test us yourselves, have at it — just let us know when you're starting and finishing so that we don't sic the dogs on you by accident."

  3. August 16th, 2007 at 04:54

    "But for the SaaS vendor itself, if they're asked, I would encourage them to say to the customer, 'Well, we have our own third-party assessment that we'll show you under NDA, but if you really want to test us yourselves, have at it — just let us know when you're starting and finishing so that we don't sic the dogs on you by accident.'"
    I agree. Many of the SaaS MSSPs would likely be concerned about the type of attack, the volume of the attack, etc., which is why they would be leery of such testing, as it may threaten the availability of the entire service across multiple SLAs and customers…
    …but then I have to chuckle because the last time I checked, there's no reservation system or "benign attack" IP header bit that you can request of unknown assailants.
    What you suggest is exactly what I did to my SaaS MSSPs. It was a condition of me signing the PO.
    /Hoff

  4. jnoel
    August 17th, 2007 at 08:09

    I agree with so much of this post. Specifically:
    "It's clear that this person has never seen the results of an internally generated PenTest and how real threats can be rationalized away into nothingness…"
    and
    "Really!? It's not just that they gave into budget pressures, agreed to transfer the risk and reduce OpEx and CapEx?"
    The budget point is very valid and happens all the time. However, also consider this potential angle for an additional benefit of a SaaS MSSP – when senior leadership is reluctant to invest in changes to the information security infrastructure – sometimes having a 3rd party tell you that you have problems goes a long way.
    Nice post.
