As the thirst for low-maintenance on-demand software continues to grow in the enterprise, some security experts and customers worry that security weaknesses could disrupt on-demand applications and leave them high and dry.
For now, these security concerns lurk well below the surface—few of the big vendors pitching their wares at the RSA Conference on Feb. 13 in San Jose, Calif., will have products addressing the security of on-demand offerings. Nevertheless, security experts note that technology departments need to ask tough questions of their service providers and ensure their offerings are as secure as possible.
Meanwhile, the on-demand bandwagon swells. This week, SAP launched on-demand CRM (customer relationship management) software. In November, Microsoft Chairman and Chief Software Architect Bill Gates and Chief Technical Officer Ray Ozzie announced two new Internet-based services: Windows Live and Office Live.
Those two behemoths join the services-based software distribution model pioneered by companies such as Salesforce.com, PeopleSoft (now part of Oracle), Hyperion Solutions and Digital Insight. Lately, the idea has been championed in the consumer space by tech darling Google in programs such as Google Base.
"This is a great business model with some significant benefits, but there are some critical security questions you have to ask your service provider before putting your data on someone else's server," said John Pescatore, an analyst at Gartner, in Stamford, Conn. "Security has to be a key criterion in your decision to outsource IT and business functions. If you neglect security, you're taking the risk of regulatory exposure and loss of business."
Translation: Before enterprises can reap the benefits of on-demand software, providers will have to convince IT managers and CIOs that the services they offer are reliable and, perhaps more important, secure. For many, the push to host information and manage customers' data raises the specter of massive information breaches such as those that plagued ChoicePoint and LexisNexis last year.
And the on-demand model presents its own set of unique security problems, including threats such as replay and man-in-the-middle attacks, as well as concerns about the security practices of the hosting and service providers themselves.
Advocates argue that service-based software deployments could mean better, not worse, security for many companies that already struggle to keep up with Internet threats. With the market for on-demand software booming, technology for building secure Internet-based products, securing these deployments and protecting users is poised to become a major area of investment in coming years.
For Care Rehab and Orthopaedic Products, a medical device manufacturer, security was an important consideration when the company was evaluating Salesforce.com, a provider of on-demand CRM software services, said Ed Barrett, vice president at the 200-person company.
The company, which makes traction and electrotherapy devices that are used by physical therapy clinics and patients, has been using Salesforce.com's software since March to monitor the activities of its salespeople and to track its entire inventory, as devices are prescribed by doctors and dispensed to patients. Care Rehab audited Salesforce.com's security practices before agreeing to use the software. That audit included getting Salesforce.com staff members to show Care Rehab how they secured the data that was stored on their servers and reading documents describing Salesforce.com's security practices.
"Their security is superior to what we provide for ourselves," said Barrett in McLean, Va. "If you're Salesforce.com, you have to have the best people in security and the best redundancies. [We] need to have the best salespeople. I'm sure we aren't the world's best security people."
That kind of thinking is becoming more common from customers considering a move to an on-demand software model, said Michael Topolovac, CEO of Arena Solutions, a provider of on-demand PLM (product lifecycle management) software. Based in Menlo Park, Calif., Arena has approximately 200 customers and 15,000 users in the high-tech, medical devices and consumer electronics industries. "Security has gone from being [a] top-of-mind [concern] for prospects to a point where more prospects seek out on-demand because it's secure," said Topolovac.
But are on-demand deployments really more secure?
Most companies already have significant exposure to Internet-based threats and attacks and may not have the expertise or resources to properly manage that threat, Topolovac said. "It's like keeping your money under the mattress instead of in a bank. Customers already have their data online. It's already tied to the Internet. You're a machine shop in Milwaukee? You're on the Internet," Topolovac said.
More enterprises are looking for ways to connect remote employees, business partners and suppliers to critical applications. In such an environment, companies such as Salesforce.com and Arena are better prepared to address security than most traditional software providers are.
"We don't create a security problem, we provide a solution to it," Topolovac said.