SaaS has replaced the earlier acronym ASP, or application service provider. Software-as-a-service is a Web-based application that is hosted and made available by a software vendor over the Internet. The key difference versus regular software is that SaaS users pay to rent the application rather than owning it.
Platform-as-a-service is the next step in the evolution of Web services. PaaS provides an on-demand platform -- basically a modern version of the "thin client," where a PC receives its operating system and applications from a server. PaaS enables an organization and its developers to focus on what their applications do, rather than on what software and infrastructure is needed to run them. Thanks to platform-as-a-service, business processes can become virtual and sharable, and organizations can benefit from economies of scale, uptime and flexibility. But like its predecessor SaaS, it has many of the same data protection issues, chiefly that data is being processed or stored by, or on, third-party systems.
With these kinds of services, an enterprise customer's data security is reliant on the skill and ability of the SaaS or PaaS developers. For small organizations that have only one or two developers, platform-as-a-service is probably a safer alternative. Without discrediting the overworked developer, small teams, heavy workloads and tight deadlines tend to make security less of a priority. When considering SaaS or PaaS, be sure the provider's development team has the expertise -- and has been given the time -- to build applications on a strong information security foundation.
However, can larger organizations afford to assume that their data will be safe in the hands of a third-party provider? Ceding control of how data is stored and accessed requires a lot of confidence and understanding of where and how it is being handled. For me, the "where" is a critical issue.
Let's take an example of a UK-based company using PaaS offered by a U.S.-based company. Under the European Union Data Directive, companies have a responsibility to ensure that any third party managing their data has suitable security measures in place. Under the Safe Harbor data protection agreement between the U.S. and the European Union, UK companies can store their data in the U.S. only if the third party handling the data meets EU privacy protection standards. The data protection measures operating in a PaaS environment, therefore, need to be clearly understood; otherwise the UK company could be in breach of one or more laws.
Finally, data that can only be accessed via someone else's server requires guarantees of its uptime. The best possible uptime for an online service is 99.9% availability. Even then, that's still almost half a day of downtime per year. There will also be times when the service is up but suffering performance problems. PaaS providers probably deliver better uptime than most other organizations can, but service level agreements (SLAs) need to be understood and enforced more than ever in a PaaS environment.
This was first published in March 2008