Recently, I found an interesting article about Securing SaaS, in the current Information Week (Digital Edition, available here). The article talks about some survey results – notably that 34% of enterprise respondents are less comfortable with the compliance and auditability of SaaS than with internal systems (41% say they are equally comfortable, while 16% say they are more comfortable). Putting aside the 16%, who will be a topic for a future blog posting, I’d like to focus on the 34%.
Clearly, SaaS vendors should do a better job of promoting the security of their systems, as it is a concern to at least a significant minority of potential customers. Note that this implies that they need to actually improve their security compliance and audit readiness, not just talk about it. That is, enterprise customers today are sophisticated enough to treat compliance and auditability as a proxy for the underlying security of their SaaS vendor, just like they see within their own enterprise.
Part of this concern seems to be related to the classic security aspects of network perimeter protection and server hardening, but, at least among the enterprises I’ve spoken with, this is increasingly seen as “table stakes” for SaaS providers.
Instead, there is an interesting new access angle to this: customers recognize that they’re entrusting SaaS vendors with critical and sensitive applications and data, and want some assurance that the employees responsible for running the cloud do not have unauthorized or improper access to the enterprise’s data. That is, just as they have compliance policies for access to internal systems, they want some assurance that the same security and regulatory guidelines can be applied to externally hosted systems.
So, enterprises, make sure that you hold your SaaS providers to a compliance standard as high as the one you apply internally. Cloud vendors, look to this as a potential differentiator, and as a means of eliminating this barrier to an enterprise sale.