Web applications, cloud computing, software-as-a-service (SaaS) and similar activities in which the Internet is the platform are a growing trend. It's not hard to understand why: This approach increases speed and capacity, and makes new and exciting technologies quickly available to organizations of all sizes.
There is a fly in the ointment, however, and it is ably described in this Forbes story. Using the Web as a massive desktop creates security issues that must be carefully considered. On one level, there are potential legal challenges. A company using Google, Box.net or other storage providers may be approached by legal authorities to surrender that information. The piece says this sometimes can be done without the owners of the data knowing. Lists culled from the raw data are sometimes sold to marketers by less-than-honest companies.
The story also deals with the actual security concerns of using the cloud. The data is at risk both when it is at rest -- reposing in the Web providers' facilities -- and while the user is working on it. The story recommends encryption programs such as PGP, TrueCrypt and Hushmail.
It is fair to point out, however, that it is possible that the security offered by the Web provider actually is superior to what would be offered by the company if it hosted the application in the traditional manner. Indeed, this likely is true in many cases, since Web-based companies' fates depend on their ability to keep data safe.
Regardless, organizations must think carefully before sending their crown jewels -- their data -- to an outside company. Predictably, vendors are all over the issue. Webroot expanded its Channel Edge Partner program with new products, including SaaS software, and TriCipher this week introduced myOneLogin, a single sign-on product that can handle more than one SaaS service simultaneously. myOneLogin, according to the company, enables a user to sign on once but use Web-based applications from Salesforce.com, WebEx, Google Apps and others. The company says the product guards against phishing and helps with compliance.
Global Innovation Outlook provides a good overview of the security challenges of cloud computing. The author reiterates the trade-off -- cloud computing and its variants offer convenience and in many cases greater technical abilities, but the organization loses total control of its data. The writer muses that he now has "valuable data sitting in hard drives on four different continents." The writer says this raises interesting questions, including whether private organizations that house so much private data are entitled to governmental protection.
This vignette describes a roundtable in which the writer listened to a CIO from an unnamed (but "really big") networking provider say that his firm was the biggest customer of a similarly unnamed SaaS provider. The customer was uncomfortable with the amount of its data that was not physically at its locale, and is demanding that the vendor deploy a hardware appliance within the company's offices. The Fountainhead blogger suggests that the case against SaaS is strong in five cases. These are companies concerned about service-level agreement (SLA) and availability, compliance, privacy and legal requirements, liability and responsiveness. All of these are to a greater or lesser extent related to security.