Just recently, T-Mobile, which employs software as a service (or “cloud”) technologies to store its customers’ data, suffered a serious systems failure. This failure cost many of its customers their contact information. Following the event, it was blogged how these “incidents clearly illustrate that whenever organizations entrust their data to a third party, whether via a cloud computing service or a traditional outsourcing arrangement, it is important to carefully evaluate the vendor’s technical and operational capabilities to fully protect the data to mitigate potential business risks.”
The T-Mobile incident and other similar occurrences underscore the urgent need for executives to better understand the security protocols of their current or prospective SAAS providers. As such, here are a few tips executives at any size business should use when seeking out SAAS services.
What constitutes data protection?
Data protection concerns should be the critical deciding factor in selecting a SAAS provider. But it’s not security against hackers and viruses that should stir the most alarm; rather, it’s the loss of irreplaceable data due to outages and technical glitches that’s proven most problematic.
Whether this data is found in e-mail messages, contracts or other critically important business documents, the permanent loss of such information can and has proven devastating to companies of all sizes.
Compliancy Is Key
Compliancy is key
First and foremost, no company should engage with a SAAS provider if they aren’t certified as SAS 70-compliant, which is the professional standard that auditors use to assess internal controls.
Secondly, for those companies that will exchange monetary funds via SAAS applications, PCI Level One compliance should be considered the minimal accepted standard to ensure the validity and security of transactions.
To date, most SAAS providers do not have the infrastructure to guarantee 100 percent data protection. As such, businesses need to inquire about the data backup protocols and should only engage with providers that habitually back up data every 60 minutes.
By implementing this type of recurring data backup procedure, even the most devastating security breach will only net a loss of 60 minutes’ or less worth of data. Of course, even losing 60 minutes’ worth of data is frustrating-but it’s much more manageable than having to re-create days, weeks or even months’ worth of information.
Furthermore, SAAS providers should maintain a minimum of two geographically dispersed data centers. By doing so, they can better guarantee low latency for application performance, better protect data, and significantly enhance the speed of data recovery in the event of a disaster.
It’s one thing to talk the talk about data protection but it’s the sturdiness of the infrastructure that ultimately walks the walk. We’ve already discussed the importance of inquiring about the number of active data centers, but businesses need to take the next step and request specifics on the bandwidth providers that connect each data center to the Internet. Why?
Because, by maintaining relationships with multiple telcos for bandwidth, SAAS providers are better equipped to manage service availability and performance. Additionally, utilizing different providers for each data center enables optimum routing to client endpoints and the ability to route around unexpected service issues that can occur within the Internet cloud.
In addition, businesses should seek out SAAS providers that utilize database snapshot technology. This technology compliments the benefits of having multiple data centers by automatically creating a copy of the database every hour. What’s important about this service is that in the event of a data loss, it enables the restoration of data in minutes versus the hours or days it would take from a traditional tape backup infrastructure.
Returning to business as usual
Although it’s hard to accept, businesses should understand that the infrastructure of SAAS providers is not yet robust enough to guard against all security breaches and technological outages. In fact, any SAAS provider claiming immunity from such instances should automatically raise a red flag. Thus, businesses must not decide on one provider over another based on unfounded guarantees; rather, they should inquire about services that provide the most complete protection enabling a speedy return to business as usual.
With the right infrastructure and security protocols in place, a SAAS provider should be able to place a guarantee around the protection of your critical business data. All business data-whether it’s one year’s worth of e-mail messages or hundreds of megabytes’ worth of documents-should be protected by appropriate technologies.
If proper technologies are in place, then the provider should be able to place a guarantee around the ability to restore your data after a catastrophic event. Businesses should not formulate partnerships with any SAAS providers who cannot tangibly demonstrate their ability to provide this guarantee of data protection.
Jonathan McCormick is Chief Operating Officer at Intermedia. Jonathan manages all of Intermedia’s hosting operations and all operations staff. Prior to joining the Intermedia team, Jonathan was the senior vice president of operations and client services for SAVVIS, a global provider of managed hosting, network and collocation facilities. In this capacity, Jonathan was responsible for the management of all operations and customer service organizations globally. He can be reached at [email protected].