
SaaS: Sounds Awesome, but awfully scary

09/07/2014

"The only system which is truly secure is one which is switched off and unplugged, locked in a titanium-lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn't stake my life on it." (Gene Spafford)

A couple of weeks ago, we were able to see private pictures of our favorite celebrities leaked from the servers of one of the biggest companies in the world. While maybe embarrassing for the victims, and a really serious privacy issue, that's not the main point (I do believe we all kinda suspected Jennifer Lawrence had boobs). What's behind it is what's scary: how much data from your company does the hacker have, and what is he doing with it? Because it might turn your company into the next CD-Now. No matter how well you do things, you willingly distributed sensitive company data across "an unknown magical place called the cloud". Quoting any IT specialist from ten years ago: Are you nuts???

While Gene is right, the full pitch comes later: that's the starting point, and from there you need to negotiate between all the security pillars and usability.

Security Pillars?

While there are different versions, the simplest way to define those is: Confidentiality, Integrity, and Availability. I'll explain those by example. If you work in a medical center and a patient comes in with an emergency, you NEED to have access to that patient's clinical history, and you need that data to be accurate; only later do you wish it were confidential. On the other hand, if you run an online sex shop, then confidentiality is king, with availability and integrity coming in second and third place.

Say your clinic has a shiny service that makes the clinical history of your patients available on all your devices, your Apple devices. Then you will be uploading your data to your SaaS provider, the SaaS provider will use iCloud, and iTunes will sync all that data. Amazing! Nearly 100% availability! And close to 0% confidentiality. Apple has thousands of employees, and you're trusting that their data security rules are enforced well enough that not many of those thousands have access to your data. What about the SaaS provider? Pretty much the same. Let's go one step beyond, and have a website that allows your patients to enter and modify that information, in WordPress, and of course not interconnected directly with your SaaS provider, but maybe through a WordPress plugin that imports/exports that data. See what's happening here? You're willingly providing sensitive and private information to a lot of external parties, to the point that your demilitarized zone has more access to YOUR data than you do.

But wait, isn't Aptugo a SaaS? Aren't you spitting upwards?

Yes and no. Aptugo is a PaaS that generates SaaS. But that SaaS is yours only; you can even take it to your intranet and secure it with as many firewalls as you need so nobody has access to it but you. That's Aptugo's pledge and its difference from any other provider out there: we return the data to the rightful owner, and that means you.
