Software as a Service Security Concerns
As a network or security admin, you are probably aware of the recent push for software as a service (SaaS). The SaaS proponents are big on the advantages of SaaS -- you no longer have to worry about managing your own infrastructure, which they play out as a good thing, since for most firms, IT isn't their core competency. SaaS fans will say that there's no reason to host your Web, File, Mail, Database and other services. They can take care of all this for you. They have the expertise to install, configure, manage and maintain your IT infrastructure , and do it off-site, so you don't even need to worry about housing your resources.
It sounds too good to be true. Never again will you need to worry about maintaining that mail server. No more backup worries, no more concerns over disk space, no more late night calls on a corrupted mailbox or mail store. Same for the file, database, and line of business servers. All you need to worry about is the Internet connection at your office and away you go.
The problem is that when something sounds too good to be true, it probably is. For example, Amazon has a highly available solution called S3. Their infrastructure is amazing and if anyone can provide "dial tone" service, it's going to be Amazon. However, as noted in this blog post http://blogs.zdnet.com/projectfailures/?p=602 not even Amazon could keep things going.
There are two major problems with SaaS:
The availability problem is directly related to unreliability of the Internet. As we all know, Internet connections go down on a regular basis. The Internet is not a dial-tone service. While there have been great strides made in the last ten years regarding the reliability of the Internet, it's still far from the 99.999+% uptime that we need to make sure that there isn't a significant hit on the fiscal bottom line due to the outages.
Those outages can cost you thousands, tens of thousands, hundreds of thousands or even millions of dollars each time they take place. And you have no control over fixing the problem -- you can't send your own employees out to fix the problem now. You're going to depend upon the kindness of strangers, who may have other problems they need to deal with before putting your datacenter back on line.
Now, you can argue that a solution to this problem is to mirror your datacenter at the SaaS provider. When the SaaS provider goes down, no problem. You have you local datacenter to depend on and work will continue transparently. If that's the solution, why pay for SaaS at all? Aren't you back to hosting your own resources again? If you're going to host your own resources, why not continue to do so and take out the SaaS middleman?
The security problem is even more distressing. While availability can be problematic, depending on how often the service goes down and the duration of the outages, the security problem can quickly become disastrous. Why? Because the SaaS providers are essentially one giant attack surface waiting to be plumbed by the bad guys.
The nice thing about each business managing its own infrastructure is that all the infrastructures are different and distributed among hundreds of thousands of locations. The amount of time it would take dedicated teams of attackers to reach even several hundred of these networks makes it impossible to do significant damage to large numbers of business in a single blow. However, imagine that there were ten large SaaS providers, hosting IT resources for tens of thousands of companies per provider. A dedicated team, or collection of teams, could easily compromise thousands of businesses in a single blow because the methodology required to compromise a single SaaS would give them access to all the resources to all the companies that they provide services.
Biodiversity is a good thing -- it keeps populations strong by preventing a single attacker (for example, viruses and bacteria) from destroying an entire species. The same goes for networks. SaaS has the potential of significantly reducing infrastructure diversity, and thus makes it must easier for a single attack to bring down the entire infrastructure hosting resources for hundreds or thousands of companies. When the shoe drops on your SaaS provider, it won't only be you, but many of the companies that you depend on that will also be nailed.
Time will tell. There are advantages to consolidation, there's no doubt about that. Virtualization, like SaaS, has similar issues. The problem with consolidation is that you significantly increase the risks that come from a single point of failure. It'll be these single point of failure issues that will determine the long term success of SaaS.
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: [email protected]
MVP - Microsoft Firewalls (ISA)