Businesses Likely to Use SaaS for Sensitive Data: Gartner

Despite caution from businesses when using SaaS platforms to store sensitive data, there is still a lack of policy coordination, a Gartner report finds.

Organizations that use software as a service (SaaS) platforms for data are more likely to use them for sensitive data than for mission-critical data, according to a new report from IT research firm Gartner.

The study, which is based on a survey of 425 respondents from IT risk management disciplines in the United States, United Kingdom, Germany and Canada, shows that organizations take different approaches to risk management when they face a need or opportunity to share data with different types of external parties. Compared with platform as a service (PaaS) or infrastructure as a service (IaaS), organizations were about 30 percent more likely to have a policy against putting sensitive data into SaaS (26 percent), and about 45 percent more likely to have a policy against putting it into outsourced data centers (29 percent).

"These results make sense, given that sharing data with a partner almost certainly means that one or more of its employees will be accessing the data, while in a SaaS scenario, the data is typically only accessible to the primary customer," Jay Heiser, research vice president at Gartner, said in a prepared statement. "This year, we asked about both data availability and data confidentiality policies. Survey respondents indicated 10 percent less willingness to place mission-critical data into a SaaS offering than to place sensitive data into it. They were even less willing to place mission-critical data into outsourced data centers, with over one-third of respondents saying that they do not allow it."

However, the report found only 57 percent of IaaS/PaaS buyers are using a questionnaire to support their risk assessment, and unlike for SaaS, the form is more likely to be a proprietary one, unique to the buyer's organization, and less likely to be based on industry standards. Just 36 percent of respondents said they had a policy against putting mission-critical data into an outsourced data center, with 29 percent saying this policy applied to SaaS and only 22 percent saying it applied to IaaS/PaaS.

"One of the biggest drivers is probably an expectation that the packaged service offerings, which typically claim to be based on cloud computing, are more reliable," Heiser concluded. "While fault tolerance is a feature of many such offerings, we consider it premature to assume that mission-critical data is safer in a cloud than in a traditional data center in which buyers usually make very specific choices about how data will be backed up."