Tuesday, 19 October 2010

SaaS Cloud Computing - The Security Question

Earlier today I attended a session at Softworld about Cloud Computing. This had a panel of users and vendors (providers). What was clear when they contradicted each other was that even these "experts" don't know all they need to know about cloud computing - and I mean "need to know", if they (and you) are to gain the benefits without excessive pain at some stage.

That's not a criticism of these people, as the cloud is a relatively new fangled thing. However for those of us who have been using SaaS (Software as a Service) applications in front line business for over ten years, we have had our parts bitten, and know first hand what matters.

One of the comments that remained unchallenged was on the matter of security, in terms of access. This was along the lines of that old chestnut "We've been using internet banking for years, so SaaS is safe." We've also been using SaaS ervices such as Hotmail, and every now and again it and similar systems get hacked.

The difference? Like GoogleMail and many others, Hotmail relies only on a userid and password, where the userid is public knowledge - typically the email address. Many business SaaS systems similarly only use a userid and password. At the other end of the spectrum, the banks have at least one extra level of security, such as random digits from a PIN or second password, and/or the need for a physical device. Chalk and cheese.

So what does a confidential application like payroll use? Dennis Keeling gave the opening keynote address at Softworld this morning. Turns out he is an HR and payroll specialist, as part of a broad knowledge of the packaged software market. He tells me that for larger organisations, remote access to payroll services is typically by userid and password, but always in combination with a "private cloud" secure internet pipe. Without that, he would expect some additional level of security, such as random digits from a pin number (like some of the banks do).

For smaller businesses, here are a number of internet payroll services. These talk about various security methods, such as 128-bit SSL (secure socket layer) encryption, as is used by the banks. Nonetheless.here are some incidents of web payroll systems being hacked, to try and make immediate fraudulent electronic payments.

In an ordinary accounting system, there is often an equivalent mechanism for supplier and staff expenses payments. Good access security in these systems is therefore vital.

IN CONCLUSION

A simple user id and password is not as secure as the internet banking systems, nor as secure as the better payroll systems.

There will be many applications in a business where a userid and password combination is adequate, given the low potential consequences of unauthorised access. But there will also be applications, such as Accounts Payable, where some additional level of access security is a must.

For more "myth busting", see last week's article "SaaS Cloud Computing - The Hype, The Truth and The Wardrobe"

.

2 comments:

  1. You have hit the nail on the head, as usual. SaaS is not a generic "tool". It is no more valid to say SaaS is safe (or not) than it is to say Software is safe (or not). It all depends on the Software you use - after all, SaaS is nothing other than a program that runs over the internet rather than locally.

    There is an additional concern with using the internet for which there is some degree of uncertainty about how exposed we may be. But the very well established concern over hacking into a company's system with identical consequences does not stop us using computers in our business. It just means we need to make sure we have effective security in place, but which is commensurate with the risks.

    There is not much of a risk, after all, if someone were to "steal" the homepage of a company's website. Companies spend a good deal of money to make it happen. But companies may want to take a few more steps to make sure that someone does not change its content without their consent.

    As with local computer systems, techniques exist to make the web especially safe (viz. internet banking). As with local computer systems, they can never be fail safe (viz. the hacker who got into the Pentagon's internal computer system).

    The sophistication of hacking these days means the risks of SaaS over the internet are no longer significantly greater than the risk to a local business, since staff have to have access to the internet. The trick is to match the risks involved with the cost of the steps taken to prevent them. Understanding the risks and the steps that can be taken to prevent them is key to ensuring business can run safely these days - whether it is with SaaS (which is often hosted by people who are fairly savvy about security), or with local software but through which security holes are punched every time a member of staff receives tainted emails or inadvertently accesses a hack-laden website.

    ReplyDelete
  2. Thanks Nigel
    Looking for solutions, I'm uncomfortable with just a userid and password for any SaaS system.

    If each app were to provide an extra security level with a range of questions such as "What is your mother's maiden name", then I could use a different question for each app. Assuming the question appears when logging in, then I would only need to remember one userid, one password, and the obvious answers to a range of questions to make each app different.
    Not only would it be more difficult to access each app, if someone found out how to get into one app, they couldn't get into others.

    ReplyDelete