In the first part of this series, we talked about the ideas behind Software-as-a-Service (SaaS) offerings and the distinction between such products and what the Free Software Foundation calls Service-as-a-Software-Substitute (SaaSS) products—i.e., software that does not necessarily have to be hosted remotely, but is.
The previous part ended with a question: ‘are SaaSS products necessarily bad?’ The answer is ‘No, not necessarily’ (which is handy, considering our very own Mitigate is a SaaS product). However, SaaSS does introduce new security concerns that you should definitely consider when choosing such a product. This second part will detail some of the trade-offs that you make when choosing to use a SaaSS product.
Any SaaS product will necessitate sending data to a third party’s servers over the Internet. Without this functionality, the software/service is about as much use as a chocolate fireguard. However, this brings with it all the same pros and cons as the use of general ‘Cloud’ storage, which we have detailed previously. You must ensure that the third party you are sending your data to complies with whatever regulatory requirements you are under (e.g., the EU GDPR) and that your information classification framework is adhered to, as well as ensuring that such data are only sent to the third-part over a secure Internet connection.
A major worry with SaaS is that of access, and this is exacerbated with SaaSS in that you are specifically choosing not to keep the computation local when you could do otherwise. If a company discontinues support for a piece of traditional software, the program will continue to be installable and continue to work (although, obviously, should be replaced as soon as possible). If a SaaS product disappears, so may your files and your means of accessing them. For this reason, you should always choose to use services that provide the option of exporting your files to standard, open file formats rather than proprietary ones—e.g., .odt over .docx, .ods over .pptx, .ora* over .psd, etc.—and from companies that you believe you can trust to give you warning before closing their services. Maintain backups locally, varying in regularity based on importance.
Ideally, you should ensure that even if your SaaSS product were to disappear overnight, with no warning, the disruption to your business operations would be minimal. Even if a product is unlikely to just disappear, this helps to protect you against the risks of service disruption (e.g., if the SaaS provider is undergoing a Denial-of-Service attack), Internet disconnection (e.g., if you are trying to work whilst travelling) and anti-consumer practices (e.g., the service provider deciding to remove features or hike up prices, whilst holding your data ransom—be incredibly wary if a service that previously allowed you to export data into an open format cripples or removes this feature).
SaaS and SaaSS products can provide tangible benefits to your organisation and employees, both in terms of cost and convenience. However, you should be aware of the potential pitfalls and work to alleviate the risk they may pose to you, and sooner is a far better time to prepare for the worst than later.
* Note, though, that the OpenRaster format is still currently a work-in-progress.