What's your take on the commonly cited security concern of companies that fear SaaS due to having their data hosted outside their four walls?

Companies are rightly concerned for a number of reasons. The irony of SaaS is this: companies are moving to SaaS in large part because of the expense of securing, managing, and maintaining low-quality, dysfunctional, insecure software. But while the financial model has changed under SaaS, the security and quality concerns of "bad" software have not. In fact, security and quality concerns will most likely intensify.

First, the software engineering techniques used for single-instance software (like SaaS) are the same techniques used for multi-instance software (like word processors or operating systems). The engineering model has not changed. More importantly, neither have the market incentives for software manufacturers. Without proper incentives for making better software, software manufacturers simply will not. This means software manufactured under a SaaS model most likely is not any better than previous models. This has consequences.

Features sell. Period. Under the SaaS model, software manufacturers add features incrementally and on-demand to satisfy client requests as well as remain competitive. This sounds like a good thing to both buyers and manufacturers. It is not, at least not under the current market circumstances.

The market incentive for software manufacturers is to add as many features as possible because features are part of the beauty contest among software applications. Security is not. This means SaaS applications are guaranteed to have a continuous and relentless stream of ad-hoc features (over an above the rate at which features are added to their multi-instance cousins) each of which add more complexity to the application and the likelihood that one or more of those features contains a bug (at best) or a vulnerability (at worst).

Features then, are the distinguishing element among software manufacturers, SaaS or otherwise. So low-quality, feature-rich software tends to dominate, driving higher-quality, secure software from the market. There is really no such thing as a "final release" in SaaS, making SaaS a particularly dangerous form of software. Features, and therefore potential vulnerabilities, tend to dominate. As such, buyers will never be free from acting as crash test dummies for the manufacturer (and paying handsomely for the privilege).