Is SaaS Security the best solution for your business?

Having worked in SaaS companies for a long time (going back to when they were called ASPs), I’ve heard of a lot of companies not adopting SaaS solutions due to “security concerns”.  This attitude has generated quite a few blog posts recently, so I thought I’d add my 2 cents.

The people involved in SaaS often think security is better in SaaS systems than in premise based systems.
Justin Pirie at “The Week in SaaS” (an essential blog for those in SaaS, I think), put it this way:

something struck me- 46% of people surveyed were not moving to the cloud because of security.
This is bonkers! Just because it’s behind your firewall does not make it secure.

Reuvan Cohen at Elastic Vapor summarizes his view:

the new reality is that cloud computing is in a lot of ways more secure simply because people are actually spending time looking at the potential problems beforehand.

So what’s my opinion? Having managed IT operations for a variety of companies, and worked in SaaS companies, I think I can share a realistic view.
There are (simplistically) two aspects to application security – physical security and application level security.

If you are a small company, and have premise based applications, you probably don’t care much about application level security. The company is small, and everyone will be trusted to some degree. The fact that the application is behind a firewall, with no access from outside, does provide fairly good security. The SaaS advantage here is that small companies do not usually have physically secure premise based servers. They are typically in a small server room (or closet), without much in the way of alarms, 24 hour guards, and all the other touted features of datacenters. And if you can physically access a server, you can get to the data on the server. As a friend of mine, the head of sales at a SaaS property management software company, puts it “No Fortune 500 company would consider putting their servers in your SMB server room. Yet they do have them in the same datacenter as our SaaS servers.”

As a company grows, they will typically get on top of physical security, but then application security raises its head, as security sensitive applications will now be restricted to a subset of employees. Many premise based applications (especially open source ones or internally developed ones, it seems) are written without any access control designed in. And once a company reaches any size, the premise based application will need to be accessed by people outside the firewall (remote offices, teleworkers, etc). How is that access to be granted securely, without undermining the whole security premise of “Well, it doesn’t matter if it’s not terribly secure, as no one can access it”?

Yes, you can put reverse proxy firewalls or SSL VPNs to provide some sort of remote access, but now the “simple” choice of premise based software for security is getting more and more complicated (and expensive).

So I think the consensus above is correct – in a company of any size, you are likely to have fewer security issues and less expense with a SaaS solution than with premise based software.
(FYI – LogicMonitor has its servers in Equinix datacenters.)

What are your thoughts?