This is an old blog post when Zefort was known as Aivan.ai. Oh, those were the days!
Myth: SaaS services are inherently unsafe
Lots of companies choose to go with on-premise software because they believe their data will be more secure that way. It may feel safer to store data on your own physical servers that you can touch, but the location of your data doesn’t really determine how secure it is. In fact, self-hosting an application is typically less secure than a cloud service.
SaaS vendors take huge efforts to secure their environments in a way their average client could never do. Security is critically important to cloud vendors, and they tend to take it very, very seriously. Their business depends on it.
Every company needs to focus on its core business. If hosting secure IT services is not at your core, why insist on doing that yourself, instead of trusting a company that lives, eats, and breathes network security? How much more secure is it if you have one or two IT guys running a service, versus having a specialized team monitoring the servers and applications and responding to incidents 24/7?
Myth: On-premise security is better than cloud
Penetration testing companies regularly report that it is disturbingly easy to access most areas in typical company premises, including labs, R&D areas, management offices and server rooms. Most companies have never tested their physical security.
In contrast, physically getting into most cloud providers’ data centers is very difficult indeed. Data centers have strict access control at the perimeter and building ingress, professional security staff utilizing video surveillance, intrusion detection systems, and more. Authorized staff must pass multiple levels of authentication multiple times to access the data center.
Myth: Shared services mean shared risk
Cloud services are typically multi-tenant, that is, multiple clients share the same physical servers. It seems like an easy conclusion to make that a shared system must obviously be less secure than a dedicated system.
However, by its very nature, a multi-tenant service has at least one extra layer of security built into it that is not seen with single-tenant systems. Logical content isolation ensures that data is protected, even if an outer layer of security is breached. Consider an office building housing multiple businesses. Even if you break in through the front door, you must still separately break into each company’s premises.
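As an added illustration of that logical isolation layer (example code written for this page, not Zefort’s or Aivan’s own implementation; the tenant names, contract ids and the store API are constructed): every row is keyed by the tenant taken from the authenticated session, so even a request that arrives with a valid session for one tenant has no code path that can name another tenant’s data.

```python
"""Tenant-scoped data access in a multi-tenant store (constructed example).

The tenant half of every key comes from the login session, never from the
request, so a breached outer layer (for instance a stolen session token for
tenant "acme") still cannot read or enumerate tenant "globex" records.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample data: two tenants that happen to reuse the same contract id.
SAMPLE_CONTRACTS = [
    ("acme", "C-1", "Acme NDA"),
    ("acme", "C-2", "Acme supplier agreement"),
    ("globex", "C-1", "Globex lease"),
]


@dataclass(frozen=True)
class Session:
    """An authenticated session; tenant_id is fixed at login, not taken from input."""
    user: str
    tenant_id: str


@dataclass(frozen=True)
class Contract:
    tenant_id: str
    contract_id: str
    title: str


class ContractStore:
    """Rows are keyed by (tenant_id, contract_id).

    Because the tenant part of the key is always supplied by the Session,
    there is no API through which a caller can address a foreign tenant's row.
    """

    def __init__(self) -> None:
        self._rows: Dict[Tuple[str, str], Contract] = {}

    def put(self, session: Session, contract_id: str, title: str) -> Contract:
        row = Contract(session.tenant_id, contract_id, title)
        self._rows[(session.tenant_id, contract_id)] = row
        return row

    def get(self, session: Session, contract_id: str) -> Contract:
        # A foreign tenant's id and a non-existent id look identical to the
        # caller, so another tenant's id space cannot be probed for existence.
        try:
            return self._rows[(session.tenant_id, contract_id)]
        except KeyError:
            raise KeyError(
                f"no contract {contract_id!r} for tenant {session.tenant_id!r}"
            ) from None

    def list_for(self, session: Session) -> List[Contract]:
        # Listing is filtered by the session's tenant, never by a caller-supplied id.
        return [c for (tid, _), c in self._rows.items() if tid == session.tenant_id]


def build_sample_store() -> ContractStore:
    """Load the constructed sample data under a per-tenant loader session."""
    store = ContractStore()
    for tenant_id, contract_id, title in SAMPLE_CONTRACTS:
        store.put(Session(user="loader", tenant_id=tenant_id), contract_id, title)
    return store


def can_read(store: ContractStore, session: Session, contract_id: str) -> bool:
    """True if the session can read contract_id within its own tenant."""
    try:
        store.get(session, contract_id)
        return True
    except KeyError:
        return False


if __name__ == "__main__":
    store = build_sample_store()
    alice = Session(user="alice", tenant_id="acme")
    bob = Session(user="bob", tenant_id="globex")
    print("alice C-1:", store.get(alice, "C-1").title)   # Acme NDA
    print("bob   C-1:", store.get(bob, "C-1").title)     # Globex lease
    print("bob can read acme's C-2:", can_read(store, bob, "C-2"))  # False
```

The design choice worth noting is that isolation is enforced by construction of the key, not by an `if` check that a later refactor could forget: the only way to reach a row is through a `Session`, and a `Session` is bound to one tenant at login.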
Myth: Certification guarantees a cloud provider is secure
In the end, security certifications are primarily about compliance, and only secondarily about actual security. A successful audit does give some level of assurance that the things covered by the certification were OK. Unfortunately, there are always plenty of attack surfaces not covered by any particular certification. A certified system might be trivially exploitable by a vulnerability not covered by the certifications.
Rather than relying on any single indication of security, you should use a more holistic approach when evaluating the security of a SaaS app. A good, although costly, approach is to have an independent third party conduct a security audit.
While any application has the potential for unauthorized access, SaaS poses no greater intrinsic threat than software hosted internally, and in many cases is more secure. Aivan Innovations Oy has extensive experience in designing, building, and deploying secure cloud services. Security is built into the core of our software and services, instead of added on as an afterthought.