Last month, I heard from David Rice, the author of Geekonomics: The Real Cost of Insecure Software. Given that many people out there point the finger at SaaS crying over security concerns, I thought it would be interesting to see what Rice had to say about SaaS security.
In an interview with Rice that is now posted on the ebizQ site, Rice commented on whether hosting data outside a company's four walls poses a major security concern. He also addressed the adequacy of the SAS 70 type II certification in guaranteeing SaaS security, and he talked about phishing concerns with SaaS applications.
Rice had some interesting and possibly controversial things to say about SaaS. If you haven't already, take a look at the interview and post your comments below!

Small and mid-size businesses are unlikely to have the skills or money to establish and maintain effective IT security measures. However, a far bigger risk is the people inside the firewall. Many companies, large and small, are at risk from disgruntled or malicious system administrators - more so if their systems are in-house. That requires very smart countermeasures, but few companies have them, still recruiting sysads on technical qualifications and then hoping they're ethical people.
SaaS does concentrate the target for malicious behaviour, but it also concentrates the resources to protect them, at least if the SaaS vendor has scale. I am concerned, however, that too many SaaS start-ups lack the IT security smarts and resources to provide the necessary countermeasures.
You put your money in a bank for a good reason, but the bank has to have a sound and solid reputation. A small neighbourhood bank is an easier target than a national major. So too with SaaS.