Cloud computing and Software as a Service (SaaS) can save money, deliver elastic access to technology and allow a business to focus on its core operations. But can every SaaS provider be trusted to keep enterprise data private and secure? What happens to data if a cloud vendor goes bung? How easy is it to access data and switch suppliers?
Organisations don’t just want SaaS, they want safe SaaS.
As Gartner research vice-president Jay Heiser says: “If you can’t afford to lose your data, don’t put it in a mystery box.”
Heiser, instead, recommends organisations do proper due diligence on SaaS vendors and plan for a disaster scenario to ensure they could survive the worst the cloud could throw at them.
But he shies from the suggestion it’s possible to design a SaaS contract that will provide watertight guarantees.
“There is overestimation of what you can achieve in a contract. You need to move away from the contract to examine the policy and technology of the vendor,” he says.
“In cloud services, there is very little flexibility to accommodate individual requirements. I would say that it is very difficult or impossible to make useful distinctions between comparable providers in terms of, say, security. Google and Microsoft have very well rehearsed responses but neither have very different attack responses.”
The challenge is magnified when the SaaS vendor is part of a chain of providers where software sold by one company is hosted on another company’s hardware, hosted in yet another company’s data centre.
Ego Pharmaceuticals’ ICT manager, David Slattery, uses SaaS platforms from Google and Salesforce and is negotiating with another cloud provider to manage the work flow associated with Ego’s image database.
“The first step is to try and pick reputable providers and make the usual assessments against your requirements,” Slattery says.
He says “check their use of open standards and I’d only go with someone with a good API [applications programming interface]”, so that data could be extracted if required.
Slattery recommends asking how and where data is held, whether it is encrypted, whether the vendor adheres to open-cloud standards, and about the service level agreements available.
While he acknowledges it can be hard to get much detail out of the big vendors, the questions should be asked.
The question to ask internally is what data should be on a SaaS platform.
Slattery says Ego would never put critical data – lab tests, product recipes and manufacturing data – into a cloud.
He says it’s important to review the company’s infrastructure. It doesn’t matter how reliable the SaaS provider is if users can’t access the application.
Ego has contracts with two internet service providers using separate lines, “in case someone puts a backhoe through the fibre”.
Technology One executive chairman Adrian di Marco approves of the belt and braces approach.
His company offers its SaaS platform from two active-active data centres, which mirror one another in real time to reduce the risk of systems outages.
It also allows customers to take an image of their data every night and put it in a separate repository.
He acknowledges contracts have a role to play and can deliver comfort but, ultimately, SaaS decisions are built on trust.
“It’s like when you go into hospital. Do I trust the guy with the knife?”
HBF chief information officer David Gollan says the questions companies buying SaaS need to ask are no different from those asked of external service providers for the past 20 years.
Describing HBF as a conservative organisation, Gollan says it uses SaaS in its call centres and for some HR applications but not for member data.
If any sort of sensitive data were to be held outside the organisation, Gollan says he would want to see the provider’s ISO 27001 certification for information security management and view the facilities.
That would involve a trip to the United States if he were to use NetSuite, which provides SaaS for 16,000 companies worldwide out of two US data centres.
According to NetSuite managing director and regional vice-president Mark Troselj, early discussions with new cloud users generally focus on risk, security, privacy, intellectual property and sovereignty.
He maintains the sorts of systems a SaaS provider can deliver will be more robust and secure than the average medium-sized business can achieve, and the standards hoops that a listed US-based vendor has to climb through should add a further level of comfort.
“This is core to the survival of our business. What you do in your data centre in a cupboard doesn’t compare.”
But he admits there is “no way you can 100 per cent mitigate against risk”.
SaaS can fail
Gartner’s Heiser says he asked one of the world’s largest SaaS vendors about a problem it had that affected just 0.02 per cent of its customers.
But it had a million users, and the problem took four days to rectify.
For those 200 companies, that was a major problem.
“The industry has done a relatively good job to show that they can protect the confidentiality of the data but there have been incidents where corporate data has been corrupted and not recovered. You need to have a contingency,” he says. “You [also] need to understand your requirements in terms of confidentiality, integrity and availability.”
For many organisations, that generally means including lawyers.
Gilbert + Tobin partner Ken Saurajen says traditional lawyers concentrate on strict contractual rights and attempt to apportion risk between the customer and the provider.
“Cloud is special,” he says, adding that with SaaS contracts, companies don’t want the right to sue; they want the service to run without a hitch.
“We are increasingly trying to move clients to articulate that in the contract processes . . . for example, the disaster recovery [plans] and frequency of back-up. When you approach risk that way, because you get comfort about what would happen if it all goes bung, it depressurises the traditional discussions re liabilities. One thing that can get forgotten is what happens at the end; data portability.
“It’s important to see the transition out at the end of the contract; not just to deliver up the data but deliver it in a way that is useful and can be migrated to alternative applications.”
Heiser says organisations need to weigh the risk of SaaS versus no SaaS.
“Small organisations need to know that they can buy even cloudy cloud and it’s more reliable than anything they could build, where a large organisation could generally build something more secure. We are being forced to choose our battles.
“You have got to make business decisions if the data is in a public cloud – accept that some ambiguity is OK – if it’s not, then keep it in-house. I firmly believe that there will be more of it and that everyone will be happy but there will be more failures that impact a huge number of customers.”