SaaS is the acronym for software as a service. SaaS solutions are delivered using the Internet (the cloud) via a web browser, paid for by subscription and hosted in a central location on the cloud where all updates, fixes and enhancements are applied. Sometimes SaaS is referred to as on-demand software. SaaS requires no software program or application to be loaded onto the user’s computer and therefore requires the user to do nothing except log in and use the features the SaaS offers.
Because SaaS solutions are not loaded onto computers or servers that users control, some people are nervous about their security. But this is really a control issue and not a security issue.
How do we know this is true?
Look at the facts learned by investigating the locations where most SaaS solutions are hosted. 94% of organizations in the corporate sector now use at least one SaaS solution. This shows that the concerns over SaaS and cloud security have been addressed and overcome in a big way.
Fear of Control Loss
The very notion of giving up control over any solution that impacts your business is concerning. Any software that creates, stores, or has access to personally identifiable or sensitive information can be a potential source of a crippling data leak. This fear fostered objections to using SaaS or, for that matter, other cloud solutions. These objections hinged on three (flawed) notions:
- You can do a better job of protecting your system and data if you remain in control.
- It’s difficult to properly vet a SaaS vendor’s security controls and protocols.
- Multi-tenant environments (i.e., cloud servers where multiple SaaS solutions store data) can open up an organization’s data to the risk of being accessed (whether by accident or by nefarious attack) because of its close proximity to other SaaS solutions.
These are real concerns – not myths – and have real factors behind them. However, there is very real data to show that SaaS solutions and the cloud are as safe as – and in most cases more secure than – solutions and data under your own control.
SaaS solutions employ security controls and protocols that no individual can afford to implement upon their own network or computers. This requires a massive investment as well as the IT expertise to oversee it. The economies of scale work in the favor of SaaS providers, allowing them to share the massive costs with hundreds of other SaaS solutions.
It may interest you to see all of the things that SaaS companies do to ensure the security of their solutions. It’s quite a list that includes some details that may cause you to scratch your head, but I think seeing this will help you understand why SaaS solutions are so secure.
- Closely align with ISO 27034 requirements
- Provide security training and certification for product teams
- Perform product health, risk and threat landscape analysis
- Conduct mandatory static analysis
- Develop secure coding guidelines, rules and analysis
- Conduct secure complete stack
- Utilize big data for advanced threat detection
- Develop service roadmaps, security tools and testing methods that guide the security team to help address the Open Web Application Security Project (OWASP) Top 10 most critical web application security flaws and CWE/SANS Top 25 most dangerous software errors
- Provide secure architecture review, encryption and penetration testing
- Conduct source code reviews
- Ensure regulatory compliance
This list is obviously far too intimidating and costly for you to handle. It’s absolutely out of your wheelhouse. (And after reading that list – you’re probably glad!)
Cloud security has sort of “proved itself” and many companies now seek out SaaS solutions over software they would purchase and load onto their computers because of their stringent and proven security measures.
SaaS solutions also provide a bigger bang for the buck. Since many, many users are bearing the cost of a SaaS solution, more features and more robustness can be “acquired” by SaaS users. Another significant cost is also dispersed: management of the solution. Owning a SaaS solution is quite different than owning software. There is no responsibility on the part of the user for maintaining or updating SaaS solutions. There are no specs or requirements for the computer that you use your SaaS solution on. It simply needs to be connected to the Internet and have a browser. The management, maintenance, updates and enhancements of the SaaS solution are borne by the SaaS provider itself. The SaaS provider’s IT experts are the ones who maintain “control” and it’s a good thing because, in addition to the massive cost of security, you could never afford the level of IT expertise that SaaS companies employ.
Serious About Security
SaaS solutions are hosted by companies that do nothing but provide secure environments for their solution vendors. This means that having the best possible security is their ultimate priority. It is literally their brand and they are serious about it.
Security isn’t your priority. In fact, software isn’t either. Your ultimate priority is providing students with the best possible experience in your facility. You are serious about their progress, their happiness and their parents’ satisfaction. If you’re good at all of these things, it follows that your business will grow and prosper. The last thing you need to worry about is the security of the sensitive data that you store.
And that may be the best case in favor of your use and confidence in SaaS solutions. They are just as serious about security as you are about your students.
A recommended process to use in making the decision to go SaaS is pretty simple:
- Look at what you have at risk.
- Establish a set of security requirements that you have for your data and your business.
- Analyze SaaS solutions from a security perspective. One of your “solutions” should be your own data environment.
When you choose SaaS, you aren’t losing control. In fact, you’re actually putting much greater controls in place that offer tremendous security and protection for your business.
Resource: Info-Tech Research Group