If you’re looking for a secure form of computing, you can certainly do a lot worse than software-as-a-service (SaaS), but like any technology, SaaS is far from 100 percent secure.

SaaS, a remotely operated form of computing offered by the likes of Salesforce.com, nSite (part of SAP Business Objects), Qualys and others, is growing in popularity among small and mid-sized businesses, but still has fairly low penetration. A 2007 survey by Forrester Research, of Cambridge, Mass., of businesses with fewer than 1,000 employees showed that only 11 percent were using SaaS. “It’s starting to expand out and play a much more crucial role,” says Liz Herbert, an analyst with Forrester.

The appeal to small business is obvious. Having software managed by a third party obviates in-house IT positions and places the onus of maintaining consistent uptime (99.7 percent seems to be the norm) on someone else. Moreover, security concerns are fewer than with in-house systems. “It hasn’t prevented people from signing up,” says Robert DeSisto, vice president and distinguished analyst at Gartner, of Stamford, Conn., regarding security. “I wouldn’t say it’s a big issue, but it’s an issue.”

Security concerns

The truth is, there are security gaps in any kind of technology. SaaS programs are vulnerable to the following threats:

  • Mass SQL bots, which have compromised hundreds of thousands of websites.
  • The loss of data.
  • The publishing of confidential data on the Internet.

Those are worst-case scenarios and not all that likely, but if you’re contemplating a contract with a SaaS vendor, Wolfgang Kandek, CTO of Qualys, recommends hitting the prospective company with questions about their approach to secure computing.

First, Kandek suggests tackling the loss-of-data question. “You should ask, ‘If I lose data, how will you get it back to me?’” Kandek says. While most companies will back up information like CRM databases as a matter of course, a bigger issue is whether such information could somehow be exposed to the public or to competitors. Kandek deems it unlikely that a competitor would go so far as to hack a rival company to get such information. A more likely scenario is that the information is exposed as collateral damage during an indiscriminate hack or bug attack.

Questions to ask a provider

For the latter reason, Kandek advises those who use Microsoft’s SQL Server, especially, to grill their potential SaaS provider about how often they update their software with patches provided by Microsoft and the like. “Patches could be important, so you should ask when they do it: do they wait until the weekend or do it as soon as they can? That gives you a good idea of how diligent they are about it,” Kandek says. The issue doesn’t just apply to Microsoft. Even if you’re using a Linux-based system, there are patches issued on a regular basis that may be relevant.

Kandek says another question to pose is about data security. “You should ask, ‘How do you make sure it doesn’t go away,’” he says.

Meanwhile, Kandek says you can ask vendors for their Web application code for further reassurance, but you’re unlikely to get it. “That is usually considered proprietary and competitive information,” he says.

Another tip is to ask for third-party security monitoring of the prospective firm. While there’s always the possibility that such results could be questionable (the monitoring firm could be in cahoots with the SaaS vendor), there are ways of checking the integrity of the third-party monitor. In the end, just as there is no 100 percent guarantee of security with any form of computing, there’s no way to be completely certain that your vendor is on the level, either. “You can be defrauded,” Kandek says. “It’s a trust relationship you have to build.”