Breaches have happened to Google, Microsoft, and countless other SaaS providers. Here, it was a relatively small breach where a misconfiguration – presumably by a Microsoft employee – created a hole globally. To its credit, Microsoft spotted the problem and fixed it within 2 hours, and the data was relatively innocuous. But the damage is done.
At the recent Gartner Data Center Conference, a room full of CIOs and CISOs identified one of their biggest security concerns around public clouds as being “other customers might see my data.” Now there are concrete examples of SaaS security breaches from multiple providers.
CIOs need to make the tradeoff between the convenience of SaaS, which introduces app-level multitenancy risks, and IaaS, which provides many opportunities for data encryption, but places an expensive operational burden on the IT department. For the next few years, I predict larger IT departments will start big cloud projects using IaaS precisely because it gives them more security controls than SaaS offerings. With SaaS, enterprises generally don’t have the option to encrypt their data with off-site keys, and they don’t have DLP offerings, or many other normal enterprise-grade security offerings.
SaaS providers will need to radically increase the transparency and breadth of their security capabilities. If they can’t show large IT shops how they track configuration changes and prevent misconfiguration, large IT shops just won’t trust some data to those providers.
On the other hand, if a misconfiguration error opened up your Exchange address book to outsiders, are you confident your own IT department could spot it and fix it within 2 hours, as Microsoft did in this case? If you’re running a small IT shop, the odds are that SaaS providers, especially big ones like Microsoft or Google or Salesforce.com will have better security practices than you do.
If you’re faced with making the call between SaaS and IaaS, I’d love to hear your story. (I’m an evangelist; I have no quota!)