Security May Dog Software as a Service

Software is quickly becoming an Internet service, and that is raising concerns about security. Will security weaknesses derail large-scale enterprise adoption?

As the thirst for low-maintenance on-demand software continues to grow in the enterprise, some security experts and customers worry that security weaknesses could disrupt on-demand applications and leave them high and dry.

For now, these security concerns lurk well below the surface—few of the big vendors pitching their wares at the RSA Conference on Feb. 13 in San Jose, Calif., will have products addressing the security of on-demand offerings. Nevertheless, security experts note that technology departments need to ask tough questions of their service providers and ensure their offerings are as secure as possible.

Meanwhile, the on-demand bandwagon swells. This week, SAP launched on-demand CRM (customer relationship management) software. In November, Microsoft Chairman and Chief Software Architect Bill Gates and Chief Technical Officer Ray Ozzie announced two new Internet-based services: Windows Live and Office Live.


Those two behemoths join the services-based software distribution model pioneered by companies such as Salesforce.com, PeopleSoft (now part of Oracle), Hyperion Solutions and Digital Insight. Lately, the idea has been championed in the consumer space by tech darling Google in programs such as Google Base.

"This is a great business model with some significant benefits, but there are some critical security questions you have to ask your service provider before putting your data on someone else's server," said John Pescatore, an analyst at Gartner, in Stamford, Conn. "Security has to be a key criterion in your decision to outsource IT and business functions. If you neglect security, you're taking the risk of regulatory exposure and loss of business."

Translation: Before enterprises can reap the benefits of on-demand software, providers will have to convince IT managers and CIOs that the services they offer are reliable and, perhaps more important, secure. For many, the push to host information and manage customers' data raises the specter of massive information breaches such as those that plagued ChoicePoint and LexisNexis last year.


And the on-demand model presents its own set of unique security problems, including threats such as replay and man-in-the-middle attacks, as well as concerns about the security practices of the hosting and service providers themselves.
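The replay and man-in-the-middle threats named above are what request signing with a timestamp and a one-time nonce is meant to counter: the provider can reject a captured request that is sent again, a request whose body was altered in transit, and a request that arrives long after it was signed. The following is an added example written for this page, not code from the article or from any vendor it mentions; the shared secret, header names, API path and the in-memory nonce store are all assumptions.

```python
"""Replay- and tamper-resistant request authentication for an on-demand API.

Added illustration, not code from the article or any vendor it names.
Assumes a per-tenant shared secret (hypothetical) and a server-side store
of recently seen nonces; a production deployment would use TLS as well and
keep the nonce store in something shared across server instances.
"""
import hashlib
import hmac
import json
import secrets
import time

SHARED_SECRET = b"tenant-42-api-secret"  # hypothetical per-tenant secret
MAX_SKEW_SECONDS = 300  # accept timestamps within +/- 5 minutes of server time


def canonical(method, path, timestamp, nonce, body):
    """String the MAC covers: method, path, time, nonce and a hash of the body."""
    return "\n".join([method.upper(), path, str(timestamp), nonce,
                      hashlib.sha256(body).hexdigest()]).encode()


def sign_request(secret, method, path, body, timestamp=None, nonce=None):
    """Client side: produce headers that bind body, path, time and nonce together."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(secret, canonical(method, path, timestamp, nonce, body),
                   hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": mac}


class Verifier:
    """Server side: checks signature, then freshness, then nonce reuse."""

    def __init__(self, secret, max_skew=MAX_SKEW_SECONDS):
        self.secret = secret
        self.max_skew = max_skew
        self.seen = {}  # nonce -> time after which it can be forgotten

    def _purge(self, now):
        # A nonce only needs remembering while its timestamp would still pass.
        for n, expiry in list(self.seen.items()):
            if expiry < now:
                del self.seen[n]

    def verify(self, method, path, headers, body, now=None):
        """Return (accepted, reason). Signature is checked before anything else."""
        now = time.time() if now is None else now
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"
        expected = hmac.new(self.secret, canonical(method, path, ts, nonce, body),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return False, "bad signature"
        if abs(now - ts) > self.max_skew:
            return False, "stale timestamp"
        self._purge(now)
        if nonce in self.seen:
            return False, "replayed nonce"
        self.seen[nonce] = now + self.max_skew
        return True, "ok"


def demo():
    """Legitimate request, a straight replay, a body-modified replay, and a late request."""
    v = Verifier(SHARED_SECRET)
    now = 1_700_000_000  # fixed clock so the run is deterministic
    body = json.dumps({"order": 17, "qty": 2}).encode()  # constructed sample request
    hdrs = sign_request(SHARED_SECRET, "POST", "/api/orders", body,
                        timestamp=now, nonce="a" * 32)
    first = v.verify("POST", "/api/orders", hdrs, body, now=now)
    replay = v.verify("POST", "/api/orders", hdrs, body, now=now + 10)
    tampered = json.dumps({"order": 17, "qty": 200}).encode()  # attacker edits the body
    modified = v.verify("POST", "/api/orders", hdrs, tampered, now=now + 10)
    late_hdrs = sign_request(SHARED_SECRET, "POST", "/api/orders", body,
                             timestamp=now, nonce="b" * 32)
    late = v.verify("POST", "/api/orders", late_hdrs, body, now=now + 3600)
    return {"first": first, "replay": replay, "modified": modified, "late": late}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'} ({reason})")
```

The order of checks matters: the signature is verified first so that an unauthenticated sender cannot probe the nonce store or learn the clock window, and the nonce is only recorded after every other check passes so that rejected requests cannot fill the store. The timestamp window bounds how long nonces must be retained, which is why `_purge` drops entries older than `max_skew`.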

Advocates argue that service-based software deployments could mean better, not worse, security for many companies that already struggle to keep up with Internet threats. With the market for on-demand software booming, technology for building secure Internet-based products, securing these deployments and protecting users is poised to become a major area of investment in coming years.

For Care Rehab and Orthopaedic Products, a medical device manufacturer, security was an important consideration when the company was evaluating Salesforce.com, a provider of on-demand CRM software services, said Ed Barrett, vice president at the 200-person company.

The company, which makes traction and electrotherapy devices that are used by physical therapy clinics and patients, has been using Salesforce.com's software since March to monitor the activities of its salespeople and to track its entire inventory, as devices are prescribed by doctors and dispensed to patients. Care Rehab audited Salesforce.com's security practices before agreeing to use the software. That audit included having Salesforce.com staff show Care Rehab how they secured the data stored on the provider's servers, and reading documents describing Salesforce.com's security practices.


The conclusion?

"Their security is superior to what we provide for ourselves," said Barrett in McLean, Va. "If you're Salesforce.com, you have to have the best people in security and the best redundancies. [We] need to have the best salespeople. I'm sure we aren't the world's best security people."

That kind of thinking is becoming more common from customers considering a move to an on-demand software model, said Michael Topolovac, CEO of Arena Solutions, a provider of on-demand PLM (product lifecycle management) software. Based in Menlo Park, Calif., Arena has approximately 200 customers and 15,000 users in the high-tech, medical devices and consumer electronics industries. "Security has gone from being [a] top-of-mind [concern] for prospects to a point where more prospects seek out on-demand because it's secure," said Topolovac.


But are on-demand deployments really more secure?

Most companies already have significant exposure to Internet-based threats and attacks and may not have the expertise or resources to properly manage that threat, Topolovac said. "It's like keeping your money under the mattress instead of in a bank. Customers already have their data online. It's already tied to the Internet. You're a machine shop in Milwaukee? You're on the Internet," Topolovac said.

More enterprises are looking for ways to connect remote employees, business partners and suppliers to critical applications. In such an environment, companies such as Salesforce.com and Arena are better prepared to address security than most traditional software providers are.

"We don't create a security problem, we provide a solution to it," Topolovac said.
