Salesforce, Google Apps, and Microsoft Office 365 are all examples of "Software as a Service" (commonly called SaaS), which are cloud-based programs that businesses use for any number of functions, ranging from accounting to word processing. (For more on the cloud and its security issues, check out the post “Should I Join the Cloud Security Alliance?”)
Rather than purchasing software and installing it on their own computers, businesses subscribe to a SaaS product and use it through a web browser or another client that talks to the provider's servers.
Proponents of SaaS point to its many advantages. SaaS programs can be updated continuously: if Microsoft wants to add a feature to Office 365 or fix a security flaw, it can do so on its own servers, and you won't have to download an update or patch. (The flip side is that you also can't delay or test an update before it reaches you.)
But evaluating a SaaS product is harder than it looks. In this article, we'll look at two areas you need to pay attention to when weighing one SaaS product against another: security and service.
How Do I Know if SaaS Is Secure?
There is no single universal standard for judging the security of a cloud service, so how do you know whether the SaaS you purchase is actually secure?
Some providers undergo a "security audit," in which an independent auditor tests their security controls against an industry-standard set of requirements. If they pass, they will often advertise it (as Amazon did here with its ISO 27001 certification).
But these audits don't give you the full picture. Let's go over three common audits and frameworks and what they actually tell you about SaaS security:
- SAS 70. As Network World points out, cloud security standards are weak and SAS 70 is one of the weaker ones. SAS 70 reports on the internal controls a service provider has in place, but the standard was written by accountants (the AICPA) for financial-reporting audits, not by cloud security experts. It was never designed for cloud computing, and it was superseded in 2011 by SSAE 16 and the SOC reports (SOC 2 is the one that actually covers security controls). So while many companies point to a SAS 70 audit, it doesn't necessarily mean they are secure.
- ISO 27001. ISO 27001, on the other hand, is a certification against an international information security management standard, and it is a stronger and much more comprehensive assessment than SAS 70.
- COBIT. COBIT is ISACA's IT governance and control framework. Like ISO 27001, an assessment against COBIT is considered a stronger, more thorough analysis of a company's security and control environment.
The takeaway: check a SaaS provider's security documentation. An ISO 27001 certification or a COBIT-based assessment is a good sign. A SAS 70 audit isn't bad, but it is a less accurate measure of cloud security, so ask which controls it actually covered.
What Should You Look for in an SLA?
SLAs (service-level agreements) are the legal documents that define precisely what service a cloud provider commits to, and what you are entitled to when it falls short.
Among other things, an SLA states how much uptime the provider commits to (a 99.9% monthly uptime target still allows roughly 43 minutes of downtime in a 30-day month, and 99.99% about 4 minutes), how quickly the provider must restore service after an outage, and when scheduled maintenance downtime will occur.
Many SaaS companies won't give you an SLA unless you ask for one; by not formally defining their service, they limit their liability. That's bad for you. As in any business deal, make sure you "get it in writing."
If a cloud company supplies an SLA, read it thoroughly. Many of these agreements are written to protect the provider, not the customer. Look in particular at how uptime is measured, what is excluded (scheduled maintenance, third-party failures), and what remedy you get when the commitment is missed: often the only remedy is a service credit against future fees, not compensation for your losses.
To learn more about SLAs, read this extensive SLA walkthrough by the IT company intreis. The guide uses Amazon's service policies as an example, showing you the legal pitfalls you need to be aware of in SLAs.
Protect Your Business from Cloud Liability
But what happens if something does go wrong? Suppose you check over the SLA and scrutinize the security audits before recommending cloud-based accounting software to a client. If the client has a problem with the service or suffers a data breach, they can still sue you.
That's why there's insurance for IT consultants. If you'd like to learn more about the cost of IT insurance, look at these free insurance quotes for small businesses, or contact one of our agents for a free quote tailored to your business.