When people make choices about technology adoption, it seems to me that they often compare their options against a base line thats ideal rather than real. For example, people observe—as I have observed myself—that software as a service is a proposition that creates substantial security risks. And, of course, theyre right. The question, though, ought to be: compared to what?
A properly secured in-house environment certainly has the potential to be more secure than a service provider arrangement. This is overwhelmingly obvious, since the service arrangement adds additional and fully disclosed interfaces by which to access data and behaviors. Moreover, it adds network traffic across external links.
Its therefore certain that a securely coded, properly deployed monolithic application will become at least somewhat less secure when its recast as a constellation of services that are accessed across remote links. When developed and delivered with equal attention to security, an in-house application simply has fewer potential points that invite attack.
That statement came wrapped, however—in case you didnt notice—in an enormous fluorescent-yellow caveat of "with equal attention." External service providers that mess up security are going to lose their provider status, quickly and catastrophically. The mere fact of creating applications with service interfaces increases the mobility of service consumers from one provider to another.
The ease and rapidity with which a security leak becomes worldwide news is likely to make service providers much more careful about security than the typical in-house developer, especially since service providers are likely to be managing a more modern and more narrowly focused portfolio of code and hardware than the typical in-house department.
Its useful for prospective service buyers to be highly aware of the potential pitfalls of service security, and its important to specify security practices on the same level of priority as any other aspect of quality of service. Service buyers should acknowledge, though, that their present exposure is not zero; service-related security issues may not be a net negative.
Technology Editor Peter Coffee can be reached at firstname.lastname@example.org.