Security May Not Be Part of the Service

By Peter Coffee  |  Posted 2006-02-05 Print this article Print

Security may not be part of the service in "SAAS."

When people make choices about technology adoption, it seems to me that they often compare their options against a base line thats ideal rather than real. For example, people observe—as I have observed myself—that software as a service is a proposition that creates substantial security risks. And, of course, theyre right. The question, though, ought to be: compared to what?

A properly secured in-house environment certainly has the potential to be more secure than a service provider arrangement. This is overwhelmingly obvious, since the service arrangement adds additional and fully disclosed interfaces by which to access data and behaviors. Moreover, it adds network traffic across external links.

Its therefore certain that a securely coded, properly deployed monolithic application will become at least somewhat less secure when its recast as a constellation of services that are accessed across remote links. When developed and delivered with equal attention to security, an in-house application simply has fewer potential points that invite attack.

That statement came wrapped, however—in case you didnt notice—in an enormous fluorescent-yellow caveat of "with equal attention." External service providers that mess up security are going to lose their provider status, quickly and catastrophically. The mere fact of creating applications with service interfaces increases the mobility of service consumers from one provider to another. Click here to read about security concerns surrounding software as a service. The ease and rapidity with which a security leak becomes worldwide news is likely to make service providers much more careful about security than the typical in-house developer, especially since service providers are likely to be managing a more modern and more narrowly focused portfolio of code and hardware than the typical in-house department.

Its useful for prospective service buyers to be highly aware of the potential pitfalls of service security, and its important to specify security practices on the same level of priority as any other aspect of quality of service. Service buyers should acknowledge, though, that their present exposure is not zero; service-related security issues may not be a net negative. Technology Editor Peter Coffee can be reached at

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.
Peter Coffee is Director of Platform Research at, where he serves as a liaison with the developer community to define the opportunity and clarify developers' technical requirements on the company's evolving Apex Platform. Peter previously spent 18 years with eWEEK (formerly PC Week), the national news magazine of enterprise technology practice, where he reviewed software development tools and methods and wrote regular columns on emerging technologies and professional community issues.Before he began writing full-time in 1989, Peter spent eleven years in technical and management positions at Exxon and The Aerospace Corporation, including management of the latter company's first desktop computing planning team and applied research in applications of artificial intelligence techniques. He holds an engineering degree from MIT and an MBA from Pepperdine University, he has held teaching appointments in computer science, business analytics and information systems management at Pepperdine, UCLA, and Chapman College.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel