Monday, April 09, 2007

Security Means Availability: Google and others need to address this ASAP in SaaS

As enterprises explore Software as a Service, security experts like David Brussin are keeping a watchful eye. Clearly there are serious security implications whenever data is allowed to live beyond the--hopefully, strongly defended--perimeter of the enterprise fortress. Typically those implications are first thought of in terms of confidentiality and integrity: Will our data be safe from prying eyes and unauthorized access? But the third pillar of security, availability, should not be neglected. How much does strong protection against unauthorized access matter if authorized access is impaired?

Google must be pondering this question right now as news of outages spreads: "Little over a month after introducing Google Apps' Premier version, which includes a 99.99 percent uptime commitment, Google is failing to meet that service level agreement (SLA) for an undetermined number of customers." PC World article highlighted in this succinctly titled posting by Ann All on the Straight to the Source blog at IT Business Edge: It's the SLAs Stupid.

This is timely data for me as I have just spent a week over in Europe meeting with executives of a VLO to discuss information security strategy in the context of a possible shift to SaaS as an alternative to out-sourcing (VLO = Very Large Organization).

Actually, I see not one but two availability question marks with SaaS. The first is supplier-side: Will the SaaS vendor's infrastructure keep up with demand? This seems to be the very problem Google is wrestling with right now.

Second is the user-side connectivity question: What use is Google Mail if the user can't get on the Internet? This is such a basic question that I am almost embarrassed to raise it, but I feel I must. Failure to question underlying assumptions is a shortcoming sadly endemic in technology adoption (the classic is probably "Sure, it's safe to handle this stuff" --Madame Curie).

SaaS seems to be predicated upon universal high-speed connectivity, a wonderful thing, but not yet a real thing, and not--perhaps ever--a cheap thing. Try to keep working on an online document as you move from office to train to plane to hotel to client to airport and back to the office. How successful you are will depend upon, among other things: where your home is; what hotel you stay at; what your client's connectivity policies and facilities are like; and your budget. This last item may be even more critical when you consider "working securely on an online document as you move..."

As for enterprise SaaS solely at the office, there will still be two SLAs to consider: Your SaaS vendor SLA and your ISP SLA.
