Like or Dislike: 0  0

Like or Dislike: 0  0

Like or Dislike: 0  0

I am not saying that going with a SaaS provider automatically grants you a magical security shield. But I do believe that SaaS environments are easier to protect than a hodge podge of traditional software running in an enterprise.

This space is not nearly mature enough to provide metrics yet, but while the promise of security is not universally true across all providers, my premise that the SaaS model providers a unique *opportunity* for better security is far from conjecture.

Our infrastructure team has tested and rolled out security patches across more than 1,200 systems within hours of their release, which is something I would not even attempt in an enterprise setting. There are very few situations that require a release cycle this fast and it has inherent risks of it’s own. The broader point is that when I needed to push a patch I considered beyond critical, I could and I did.

Like or Dislike: 0  0

Just so I understand your point better, when *you* said:

>> Fact remains that the SaaS model does afford you the ability to
>> control the entire software stack and provide much higher level of
>> security and reliability than possible with traditional software.

…which “you” are *you* referring to? The consumer/customer or the provider?

Also, please supply me with some factual evidence (metrics, proof points) beyond conjecture and “should” to support your assertion. If I compare a SINGLE web-based application built and delivered in the enterprise to that delivered by a SaaS vendor, how are they going to be “more secure?”

I find it interesting that even in these early days, the most visible “Cloud” breaches have all come from SaaS providers (Salesforce.com, Monster.com and GoogleDocs)

I see Wolfgang just commented, so I’m going to take a look-see…

/Hoff

Like or Dislike: 0  0

Commenting here still from Europe, trying to stay awake with the help of a Hoffachino…
I actually believe we are in agreement, but here are some clarifications:
1. “patching applications” – SaaS based providers can do a better job in patching the applications that they are responsible for as they have the money/volume of users to maintain the dedicated resources necessary to do so. Not doing so will ultimately result in the failure of the business. Example: Salesforce/Netsuite should be more up-to-date in their patching and security than your average in-house CRM/ERP implementation. Even on the desktop side these are things that I would want from successful VDI provider: aggressive testing of patches, speedy roll-outs of patching of standard applications, general monitoring of the state of systems as far as configuration and updateness goes, additional mitigation technologies, etc
2. Correct – that should read “Cloud Providers can be held to a higher standard in terms of security” to limit it to applications that SaaS controls. While I believe that we (Qualys) provide a valuable service, we do not provide automatic security to everything we touch.
3. True.
4. Absolutely
5. Agree 90 % – I do not understand the PaaS offerings too well, but in the IaaS arena we can apply the same reasoning as well – I would want them to show me how they are securing the Infrastructure – physically and logically – how is the datacenter secured, how quickly do you patch infrastructure software (the recent VMWare vulnerability comes to mind – VMSA-2009-0006), are you using firewalls, IDS/IPS, are you monitoring these servers for outgoing botnet connections, etc – and what is the policy to getting these alerts to me. I can see the potential to get more clarity from the IaaS provider than internally and anecdotally have heard of some cases…

-
Wolfgang

Like or Dislike: 0  0

Fact remains that the SaaS model does afford you the ability to control the entire software stack and provide much higher level of security and reliability than possible with traditional software.

So semantics aside, I agree with Wolfgang 100%. Sounds like you do, too.

Like or Dislike: 0  0