Cloud Computing – The Good, The Bad, and the Cloudy

And on the second day God said “let there be computing – in the cloud” and he gave unto man cloud computing…on the seventh day man said “hey, uhmm, dude where’s my data?”

There has been much talk lately about the “Cloud”: the promise of information stored in massive virtual data centers that exist in the ethereal world of the Internet, then delivered as data or services to any computing device with connectivity to the “Cloud”. Hoff recently ranted poetic on the “Cloud” (here) and asked the question “How does one patch the Cloud?” (here).

So what the hell is the cloud anyway and how is it different from ASPs (application service providers) and MSPs (managed service providers) of yesteryear, the SaaS/PaaS/CaaS (crap as a Service) “vendors” of today and the telepathic, quantum, metaphysical, neural nets of tomorrow?

I am not going to spend any time distinguishing between services offered by, or including the participation of, a 3rd party, whether they take the name ASP, SOA, Web services, Web 2.0, SaaS/PaaS, or cloud computing. Whatever label the ‘topic du jour’ is given, and regardless of the stark differences or subtle nuances between them, the result is the same: an organization relinquishes almost complete visibility and control over some aspect of its information and/or IT infrastructure.

There should be no doubt that the confluence of greater computing standardization, an increasing need for service orientation, advances in virtualization technology, and nearly ubiquitous broadband connectivity enables radical forms of content and service delivery. The benefits could be revolutionary; the fail could be Biblical.

Most organizations today can barely answer simple questions, such as: how many assets do we own? How many do we actively manage, and of these how many adhere to corporate policy? So of course it makes sense to look to a 3rd party to assist in creating a foundation for operational maturity, and it is assumed that once we turn over accountability to a 3rd party we significantly reduce cost, improve service levels and experience wildly efficient processes. This is rarely the case; in fact most organizations will find that the lack of transparency creates more questions than it answers and instills a level of mistrust and resentment within the IT team, who have to ask whether the provider has performed something as simple as applying a security patch.

The “Cloud” isn’t magic. It isn’t built on advanced alien technology or forged in the fires of Mount Doom in Mordor; no, it is built on the same crappy stuff that delivers lolcats (here) and The Official Webpage of the Democratic People’s Republic of Korea (here). That’s right, the same DNS, BGP, click-jacking and Microsoft security badness that plague most everybody. So how does an IT organization reliably and repeatably gain visibility into a 3rd party’s operational processes and current security state? More importantly, when we allow services to be delivered by a third party we lose all control over how they secure and maintain the health of their environment, and you simply can’t enforce what you can’t control.

In the best case an organization will be able to focus already taxed IT resources on solving tomorrow’s problems while the problems of today are outsourced, but in the worst case using SaaS or cloud computing might end up as the digital equivalent of driving drunk through Harlem while wearing a blindfold and waving a confederate flag with $100 bills stapled to it and hoping that “nothing bad happens”. Yes, cloud computing could result in revolutionary benefits or it could result in failures of Biblical proportions, but most likely it will result in incremental improvements to IT service delivery marked by cyclical periods of confusion, pain, disillusionment, and success, just like almost everything else in IT – this is assuming that there is such a thing as the “Cloud

Update: To answer Hoff’s original question “How do we patch the cloud?”, the answer is: no different than we patch anything. Unfortunately the problem lies in “if and when does one patch the cloud”, which can result in mismatched priorities between the cloud owners and the cloud users.

SaaS and Cloud Computing change the CIA paradigm

Although cloud computing and Software as a Service (SaaS) offer tremendous opportunities for business innovation and return on investment, they also present unique challenges that companies developing new technologies, looking to take advantage of new services, or investors looking for new opportunities must understand.

Security, especially integrity of the service and confidentiality of the information, is critical to the market success of companies offering cloud computing and SaaS solutions. Traditionally security has lagged behind technology innovation; from the dawn of the Internet, to mobility, to virtualization, security is for the most part an afterthought. When security has become important it has generally been driven from the perspective of availability: whether it is the impact of spam on email flow or worm attacks that consumed network bandwidth, most organizations have prioritized security concerns only once they have impacted availability. Right or wrong, for traditional enterprise software it is easy to understand the importance of service availability over data integrity or confidentiality.

However, when we introduce a 3rd party that is responsible for data integrity and data confidentiality, these are perceived as, and become, much more important than data availability. Mashups, offsite data storage, delivery of critical information from a 3rd party, and the heavy use of web-based technologies all introduce opportunities for significant security incidents, especially since SaaS and cloud computing are so reliant on open Internet protocols, many of which are fundamentally insecure. Recently we have seen a dramatic increase in high-profile vulnerabilities against the core routing infrastructure of the Internet, such as DNS and BGP. These impact everyone, but they are especially devastating to organizations highly reliant on Internet stability.

A major security incident against a company offering SaaS or cloud computing is inevitable; the question will become how resilient the company is in responding to the incident and what impact the incident will have on the company’s reputation. Salesforce.com experienced a major security incident in 2007, in which a phishing attack resulted in the disclosure of customer data; this was then used to phish for more data from salesforce.com customers. In this case the extent of damage was limited, but it could have been worse. Recently a couple of young hackers were able to redirect all Comcast customers to their own website; luckily this was more of a prank, but the results could have been much more devastating. In the long run SaaS and cloud computing will thrive, regardless of issues of security, but there will be a lot of companies that will not be able to withstand the damage to their brand reputation if they experience a high-profile security incident.

Against the backdrop of an orgy of breach disclosures, the fundamental weaknesses of the core Internet protocols, and a dramatic increase in financially motivated cyber crime, it is imperative that companies offering SaaS or cloud computing implement effective security controls. Companies looking to take advantage of these new services, or investors looking for opportunities for growth, should investigate and understand the security models implemented by SaaS and cloud computing companies.