Conventional wisdom has it that software as a service (SaaS) is the “insecure but convenient” alternative for IT solutions. However, increasingly sophisticated SaaS solutions and growing awareness of possible limitations with on-premises solutions are turning that conventional wisdom on its head: SaaS might very well be the more secure and enterprise-ready of the two alternatives for a wide class of IT solutions.
Before diving into specific comparisons of SaaS vs. on-premises alternatives, let’s review some common perceptions about SaaS:
- Data loss: SaaS is more prone to loss of sensitive data
- Availability: The cloud has outages and critical services cannot be trusted to SaaS
- Governance and control: It is harder to lock down and control changes to a SaaS solution
Now, this is by no means an exhaustive list, but it certainly covers the top concerns. Let’s weigh each one and contrast SaaS against the alternative.
Digging Deeper Into Data Loss
At first glance, it seems like a no-brainer that SaaS solutions have much greater potential for data loss, including:
- Loss of sensitive customer information because the SaaS vendor got hacked
- Theft from a rogue employee at the SaaS vendor
While SaaS vendors attract a lot of negative publicity when they get hacked, that same scrutiny drives them to much higher security standards than most on-premises deployments, which often treat the perimeter as the control and take an almost laissez-faire attitude to security inside the firewall. Security-related loss tends to happen where it is least expected, and a flat internal network of lightly hardened systems is exactly such a place, which means these on-premises solutions actually present substantial risk to a customer organization.
There are several security assurance frameworks to help you understand the extent to which a SaaS solution has protected against data loss, including the well-regarded Cloud Security Alliance's STAR program. These assessments examine the controls SaaS providers use to minimize the likelihood and impact of data loss, including:
- End-to-end encryption of data in transit and at rest
- Stripping or pseudonymizing directly identifying fields to de-sensitize stored data
- Sharding data into small buckets, each encrypted under its own key, so that one compromised key exposes one bucket rather than the whole data set
- Customer-managed (enterprise) key management, so that neither the vendor's staff nor the vendor's code can read customer data without a key the customer controls
- Regular security testing and third-party penetration testing
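The last four items in that list fit together into one design, and it is easier to judge a vendor's claims when you have seen the mechanics. The following is an added example, not code from the original post or from any particular SaaS product, written in Go with only the standard library: each shard gets its own random data key (DEK), that key is stored only after being wrapped under a tenant-held key-encryption key (KEK), the shard ID is bound into both layers as AEAD associated data, and the direct identifier is replaced by an HMAC pseudonym before it ever reaches storage. The record layout, shard IDs and the idea that the KEK lives in the customer's KMS or HSM are assumptions of the example; the sample records are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

type Record struct{ Email, Note string } // constructed sample row: identifier + free text

// Shard is one independently encrypted bucket. Its data encryption key (DEK)
// is stored only wrapped under the tenant's key encryption key (KEK).
type Shard struct {
	ID         string
	WrappedDEK []byte   // DEK sealed under the KEK, nonce prepended
	Rows       [][]byte // rows sealed under the DEK, nonce prepended
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and binds the ciphertext to aad.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, g.Seal(nil, nonce, plaintext, aad)...), nil
}

// open reverses seal; a changed key, ciphertext or aad fails authentication.
func open(key, blob, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil || len(blob) < g.NonceSize() {
		return nil, errors.New("bad key or truncated ciphertext")
	}
	n := g.NonceSize()
	return g.Open(nil, blob[:n], blob[n:], aad)
}

// tokenize replaces a direct identifier with an HMAC-SHA256 pseudonym: equal
// inputs still match for lookups, but the raw value cannot be recovered.
func tokenize(pseudonymKey []byte, value string) string {
	m := hmac.New(sha256.New, pseudonymKey)
	m.Write([]byte(value))
	return hex.EncodeToString(m.Sum(nil))
}

// EncryptShard draws a fresh DEK, encrypts every record under it and keeps only
// the KEK-wrapped DEK beside the rows. The shard ID is AAD on both layers, so a
// wrapped key or a row cannot be moved to another shard without detection.
func EncryptShard(kek, pseudonymKey []byte, shardID string, records []Record) (*Shard, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(shardID))
	if err != nil {
		return nil, err
	}
	s := &Shard{ID: shardID, WrappedDEK: wrapped}
	for _, r := range records {
		row := tokenize(pseudonymKey, r.Email) + "|" + r.Note // raw e-mail never stored
		ct, err := seal(dek, []byte(row), []byte(shardID))
		if err != nil {
			return nil, err
		}
		s.Rows = append(s.Rows, ct)
	}
	return s, nil
}

// UnwrapDEK needs both the tenant KEK and the shard ID the key was wrapped for.
func UnwrapDEK(kek []byte, s *Shard) ([]byte, error) {
	return open(kek, s.WrappedDEK, []byte(s.ID))
}

// DecryptShard returns the stored rows ("<token>|<note>") in clear.
func DecryptShard(kek []byte, s *Shard) ([]string, error) {
	dek, err := UnwrapDEK(kek, s)
	if err != nil {
		return nil, err
	}
	var rows []string
	for _, ct := range s.Rows {
		pt, err := open(dek, ct, []byte(s.ID))
		if err != nil {
			return nil, err
		}
		rows = append(rows, string(pt))
	}
	return rows, nil
}
```

The properties worth checking when you evaluate a vendor map directly onto this code: two shards never share a DEK, a wrong KEK unwraps nothing, a wrapped key copied into another shard fails to unwrap because the shard ID is part of the authenticated data, and the stored row contains the pseudonym rather than the e-mail address. A real deployment would fetch the KEK from the customer's KMS rather than hold it in process memory, which is the part "enterprise key management" actually refers to.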
Another factor to consider is that when IT uses multiple SaaS solutions, each solution is a separate security boundary with its own infrastructure and credentials, which makes it very difficult to compromise the environment in its entirety. The one shared dependency is usually the identity provider used for single sign-on, so that is where hardening effort (MFA, conditional access, session controls) pays off most.
Comparing Service Availability
Conventional wisdom also tells us that SaaS solutions are more prone to outages and availability problems than on-premises solutions. Again, the reality is that SaaS providers tend to be doubly concerned about availability and implement better solutions to guarantee service levels as opposed to making it someone else’s problem.
Let’s dig in a little more to see if that is really the case.
- Service availability: SaaS solutions deliver a service. On-premises solutions do not. Almost counter-intuitively, the SaaS provider worries about the service level agreement (SLA) from the get-go and designs and implements systems to deliver that SLA. On-premises solutions tend to be more cavalier (although there are always model citizens such as OS and hypervisor products) because the concept of an SLA is not something they are measured against. Instead, IT owns the SLA, and if they didn't configure replication or HA by following the 23-page instruction document to the letter, it isn't the vendor's fault.
- Network availability: Another question is whether dependency on a viable network creates a single point of failure for SaaS solutions. This concern has some merit, but how many organizations are productive when their link to the internet is down? As more and more software communicates over APIs, even on-premises solutions have developed dependencies on the network. For example, a server that loses its connection to its NTP time source will drift, and once its clock falls outside a certificate's validity window, TLS validation fails, leading to all sorts of problems; a freshly renewed certificate leaves no tolerance at all for a slow client clock. Also, many organizations are distributed and have remote offices that can only communicate via the same network link.
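The clock-skew failure mentioned above is easy to reproduce without any network at all, because certificate validation only compares the client's idea of "now" against the certificate's notBefore/notAfter window. The following is an added example, not code from the original post: it mints a throwaway self-signed certificate in Go and runs the standard library's chain validation with the client clock pinned to chosen values. The hostname `api.example.internal` and the 90-day lifetime are assumptions; the validation logic is Go's own `crypto/x509`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// hostname is a hypothetical internal API endpoint used only for this example.
const hostname = "api.example.internal"

// NewSelfSignedCert mints a throwaway self-signed server certificate that is
// valid only inside [notBefore, notAfter]. It stands in for the certificate a
// real on-premises API or identity provider would present.
func NewSelfSignedCert(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: hostname},
		DNSNames:              []string{hostname},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: the cert is its own trust anchor
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyAtClock runs the same chain validation a TLS client performs, with the
// client's wall clock pinned to now. Everything else is held constant, so a
// failure here is caused by clock skew alone.
func VerifyAtClock(cert *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{
		DNSName:     hostname,
		Roots:       roots,
		CurrentTime: now, // zero value would mean time.Now(); pin it instead
	})
	return err
}

// SkewTolerance reports how far a client clock may drift, early or late, before
// validation of cert fails: the distance from the true time to the nearer bound.
func SkewTolerance(cert *x509.Certificate, trueNow time.Time) time.Duration {
	early := trueNow.Sub(cert.NotBefore)
	late := cert.NotAfter.Sub(trueNow)
	if early < late {
		return early
	}
	return late
}

func main() {
	issued := time.Now().UTC()
	cert, err := NewSelfSignedCert(issued, issued.Add(90*24*time.Hour))
	if err != nil {
		panic(err)
	}
	for _, skew := range []time.Duration{0, -5 * time.Minute, 91 * 24 * time.Hour} {
		fmt.Printf("client clock skew %v: %v\n", skew, VerifyAtClock(cert, issued.Add(skew)))
	}
	fmt.Println("tolerance one hour after issue:", SkewTolerance(cert, issued.Add(time.Hour)))
}
```

Both a slow clock against a just-issued certificate and a fast clock past expiry produce the same `x509: certificate has expired or is not yet valid` error, which is why the symptom is usually blamed on the certificate rather than on NTP. `SkewTolerance` makes the asymmetry explicit: the day a certificate is renewed, tolerance for a slow client clock is close to zero, so automated renewal combined with a broken time source is a reliable way to take an on-premises integration down.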
Governance and Control
Some organizations are concerned about whether they can control the changes being applied to a SaaS solution and can review and approve / test these changes before accepting them. SaaS solutions, by their nature, abstract some of these changes from customer organizations — which is at once a benefit and a potential sticking point.
Now, there can be no debating that traditional on-premises solutions provide a greater ability to lock down the version of software, test it, and approve it for use.
Having said that, there is an inherent flaw in the notion that customers, particularly IT departments, should even be involved in the testing of software provided by their vendors. In an ideal world, their sole focus would be on accelerating innovation within their own business context, and they would trust their vendors to deliver quality software.
And that is exactly what SaaS does. Because SaaS providers understand that their customers cannot control, audit, and test changes on their behalf, it is solely the SaaS provider's responsibility to provide a seamless experience, regardless of how much testing that takes. SaaS providers have another big advantage: they serve thousands, if not tens of thousands, of customers and have the insight to catch problems that a given customer might not yet know about, but could run into ("collective intelligence").
As someone who works for a SaaS company, I am admittedly biased. However, SaaS is clearly gaining massive traction within the enterprise, with no sign of weakening any time soon. Thinking beyond conventional wisdom about SaaS provides good food for thought about the trade-offs between SaaS and on-premises solutions, as well as some fuel for the next time you encounter this classic debate.