Blogger: Eric Maiwald
Over the last two days I have had a few conversations with clients around security when using software-as-a-service (SaaS). Since the conversations went along the same lines, I thought I would take a few minutes and provide a glimpse of the issue from the vendor’s perspective. For this discussion, I’m talking about SaaS vendors who offer an application that requires the customer to input some type of sensitive information (sales data, customer data, employee data, etc.).
SaaS vendors make money by having a lot of customers use their applications. They make a profit by offering the service as cheaply as possible. For most SaaS vendors this means that they create a single infrastructure (network, servers, databases, etc.) to serve all of their customers (this is called multi-tenancy). What this means is that the vendors build an infrastructure to serve the needs of the majority of customers they seek to attract and they mix customer information within the infrastructure. It also means that they will do their best to make a one-size-fits-all product. In fact, earlier this year, I moderated a panel of vendors and I asked about this issue (the idea of one size fits all). The response I received from one of the vendors was this, “We cannot afford to customize our offerings or contracts for every customer. If we need to build in extra security protections to attract a large customer, we will provide those same protections to every client.”
When a vendor is very young and still learning the business, customers may be able to influence how contracts are written and how the vendor conducts business, but as the vendor matures it will become increasingly difficult to cause a change in how the vendor does business. In some cases the vendors will allow customization of the application, but if you look carefully at what can be customized, you can see that the vendor’s infrastructure and basic way of doing business does not change.
Another aspect that the vendor has to deal with is risk. The SaaS vendor wants to control his risk (just like you want to control the risk to your business). The vendor will build into the infrastructure the controls that the vendor feels are necessary. However, when it comes to guarantees or service level agreements, most of the vendors become very conservative. If the vendor offers a guarantee, he is balancing his costs against the possibility of failing to meet the guaranteed level of service and having to pay some type of penalty. Some things can be controlled (or at least planned for) pretty well. Availability is a good example of this. The vendor may promise a certain level of availability of the application. He provides this by paying the extra cost of redundant infrastructure (which may include backup and recovery sites). If the vendor fails to meet the required availability, he promises to refund customers for the time the application is not available. In this case, the vendor knows both the cost of implementing the necessary redundancy and the cost of a failure to live up to the agreement.
Generally, you will not find the same types of agreements around the confidentiality of customer information. The vendor may know the cost of implementing various security controls, but the vendor faces the same dilemma that all of us in the security business face – it is very hard to determine the probability of a breach given the controls within an environment. The second issue is that a breach of confidentiality could occur in many different places. It could be that the vendor was breached, or it could be that an authorized user made a mistake and disclosed the information. The vendor might end up in a situation where he has to prove that it was not his fault (which could be nearly impossible). The third issue is the penalty for a failure of confidentiality. Does the vendor have to pay for breach notification, damage to the customer’s brand, damage to the customer’s customers? The costs can be large and variable, so how does the vendor determine his risk?
In the end, vendors will provide the controls they feel are necessary to get and retain customers. They will provide proof of those controls to customers if asked, as long as the proof does not increase their costs too much. The risk to the customer still resides with the customer, and therefore the customer still must do the appropriate investigation of the vendor.