Simple SaaS security tips

Most people and companies are now using a significant amount of SaaS solutions. Companies are running sales support software, file sharing, collaboration, e-mail and a lot more in the cloud.

But that usage also leads to concerns about the security of those solutions. How safe are they? What risks do we run?

Here are a couple of tips to increase the security of those applications.

The biggest risks to handle in using SaaS are leaking data and losing control. And the top way to control theses risks is simple: watch your passwords, and know how to survive a cloud provider exit.

If you look at famous data breaches in the past year, such as the i-Cloud celebrity hack, you will find out that most of them have to do with weak passwords and password reminders.

Improving the protection that passwords offer is often fairly easy. Security experts recommend using so-called two-factor authentication. This basically means that you use more than one way to prove your identity. Examples include security tokens or dongles, and fingerprint scanners.

This used to be inconvenient for the user, but in the past years a number of usable scenarios have been developed. It does not have to be a daily hassle, and you don’t have to fear being locked out.

For example, you can configure your Dropbox account to ask you for an SMS confirmation when you use it on a computer you have not used before. Check it out, they have really thought this out well, and there is absolutely no excuse to not use this. You will find it under Account -> Settings -> Security.

Gmail too allows you set up security like this, and once you have done this it will alert you of suspicious activity. Like with Dropbox, the easiest thing is to use your mobile phone, but they also support additional extra tools. No need to be scared if you lose your phone.

Other services that you use might have some of these features as well. Go explore.

If you are the administrator of a cloud service this is even more important because you will be the prime target of any hacker.

As a cloud service administrator there are a few other basic things to do too. If feasible you should first create a secondary administrator account to do day to day work with. If that account gets compromised, you will have the first account to fall back onto.

Another basic cloud service administrator task is to apply hygiene on your user list. Regularly review if the users are still active in your company or project, and that they don’t have more rights than they need to have. (In larger organizations this is better done by ‘identity federation’, so you don’t have to do this on a service by service basis.) You don’t really want former employees or contractors to still have access.

I ran into a simple example the other day on a Google Docs document. It was not mine, but I could totally edit it. They may have wanted to give me some access, but it would be better to give me “Comment” or “Review” access.

Losing the provider or the data that is stored at the service is the other big risk. And preparing for losing all your data can also protect you against losing some of your data.

There are so many reasons why a provider may stop servicing you. They could have a hiccup, they could suffer from a disaster, they could go out of business, or they go in a direction that you don’t like. In all cases it makes sense to have an ‘exit plan’ or ‘plan B’: a plan to move to a different provider.

If you don’t have an exit plan, you are basically saying that you accept the risk of losing the data that is at that provider and the capability to use that data. This could be a valid decision. I am not that interested in my Doodle archive, for example, so making a backup of that is not a big concern.

At its most basic, an exit plan describes how your most valuable data is stored in a secondary place. For example, my Gmail mail archive is also on my laptop as it is automatically downloaded by my mail program. Moving to a new mail provider, should I want to get away from Gmail, is not something I have spend much time thinking on, but with the mail and contacts safely stored elsewhere I am confident that a new provider will help me do that migration.

For my customer management system I make regular copies of the entire customer database and contact details. Again, moving to a different provider will be a hassle, but not impossible.

If your business really depends on it, you may want to have a cloud system on ‘hot standby’. However, most of the times, this is not very easy with SaaS, because no two SaaS providers are alike.  You are better off to first think about which data to save to a secure location. If and when you want to move, your functional requirements will have changed anyway, and there are likely to be new SaaS providers as well.

For a deeper dive into cloud security issues and controls, have a look at the research that the Cloud Security Alliance is doing.

Which Cloud service model is right for you?

Cloud Computing is no longer an option, but a reality in the IT landscape of almost all organizations. At the same time cloud computing has a lot of variants and choices. These choices are relevant for the IT strategy, and in some cases even the company strategy.

This article outlines in a step by step way the most important questions that you can ask to come to the right cloud strategy.

The first question is: what to expect of cloud computing? Which business improvements do you aim for? Cost advantage? Agility? Mobility? Innovation? If you don’t have a clear idea on this, it may be sensible to first dive into cloud characteristics, models, options and alternatives.

infographic cloud service model

The next question to ask yourself is this: which IT applications and functionality are the most important ones for your organisation? What is most needed in IT, now and in the future? Is that e-mail, ERP, CRM, a big website, or something else?

With this overview, you can ask yourself the central question, the one question that has a fundamental impact on your strategic cloud choice. And that question is: are these important applications unique for your organization? Do they make the organization into what it truly is, are they nowhere else to be found, are they of vital importance?

If the answer to this question is ‘no, these applications are not uniquely important to my organisation’, this means that the core competence of your organisation is not in IT. That is not a bad thing, you can be a very successful 5 star restaurant, or a manufacturer of advanced pumps for the process industry, without having unique software. In that case, having your own hardware is senseless, in the long run. It may take a while for the software market to realize this, but you are ultimately a SaaS ‘consumer’.

Star restaurant or not, as a ‘SaaS consumer’ the most important IT competence is selecting and implementing SaaS offers. Depending on the type of company this also requires quite a bit of IT competence, but that will be the topic of a later article.

If the answer is: ‘yes, my software is very unique, i cannot get it elsewhere’, then new opportunities arise. Your software and the associated data is a ‘strategic asset’. It would be a waste to only use it for your own company. There are probably other organisations who could also benefit from this software. If you are not directly competing with them, you could be their SaaS provider.

You should also consider giving your partners in the supply chain (customers, suppliers, etc) access to that software to enable them to do their work better, and to generate new business. This is in line with the practice of certain insurance companies: they give their agents direct access to their policy database. It is even thinkable that there are start-ups that would love to innovate with that strategic software. Procter and Gamble, for example, has opened up its research database to enable innovation by outside companies. As a result the percentage of patents that are actually used in products has risen from 10% to more than 50%. As early as the 1960s, American Airlines set up the SABRE flight information and reservation system that was used by travel agencies and other airlines.

My proposition is this: if you have strategic software assets, you also want to be a cloud provider for that software.

So, as a provider of software services (SaaS), what are your strategic options? Unless you have a substantial and constant workload it is not very sensible to purchase a lot of servers and associated hardware. The more obvious approach is then to procure your servers in an IaaS model (Infrastructure as a Service). This has the disadvantage that your system administrators, in collaboration with your software developers have to have substantial expertise in software scalability. You will have to deal with choices around multi-tenancy architectures, and detailed capacity and performance management. It may be worth your while, but there are quite a few alternatives these days.

Instead of IaaS, you can also focus on a PaaS (Platform as a Service) strategy. Scalability of the architecture is then no longer an issue for the developers. One disadvantage of this strategic choice is the potential for ‘vendor lock-in’ if the software is not easily ported to a different PaaS provider. This will then be something to address in the software architecture.

An example of this approach is the website that was built in 2011 for the British Royal Wedding. It was developed and deployed on Google App Engine. The scalability of the website was very important, and could be guaranteed easily with this design choice. For a website of this type, vendor lock-in is also not very hard to avoid. Most of the content is fairly static, functionality is limited, and the lifetime of the website is also short.

A few other strategic design choices for the cloud provider have to do with the degree to which services of other cloud providers can be used. For starters, you can ask yourself if you want to go to market all by yourself, or that you want to work with a ‘broker’ who includes your service in his portal (which is like an app store). That too has implications for your software architecture, because the portal can assume some of your functionality, like customer registration.

Finally, once again, it is a good idea to ask yourself which part of your functionality is truly unique. As an example, if you are a start-up companies it does not appear to be very distinguishing to develop your own software for helpdesk, payments and identity management.

In summary, cloud computing offers a lot of opportunity for setting up IT and positioning an organisation for a bright digital future. But doing it all by yourself is only rarely the best plan..

Interested in finding out more? Find yourself a relevant cloud training or workshop, or contact me directly.

How good is Google Sites?

How good is ‘Google Sites’ as a web hosting platform?

For my contribution to the Computer Measurement Group’s (CMG) yearly conference (CMG Las Vegas 2012) I am reviewing a number of webhosting options. One of the basic options is ‘Google Sites’, which is a content management system (CMS) with hosting and a content distribution network, all rolled into one. You can have a reasonable website running in a few minutes, just add content. It is sort of an alternative to blog hosting on wordpress.com or posterous.com. And it is free.

The obvious question then is: how good is it, and what kind of load will it sustain? First some basic results: one of my sites is hosted at Google Sites, and it failed 15 out of 8611 tests in June 2012, which is an uptime better than 99.8%. The average load time of the first request is under 900 milliseconds, though it differs a bit by location. The load time of the full page is a bit longer. This takes around 1.5 seconds to start rendering and 2.5 seconds to be fully loaded. See http://www.webpagetest.org/result/120706_VE_BTR/ for a breakdown of the site download.

A more interesting question is: how does it scale? Can it handle more load than a dedicated server?

A regular dedicated server will run at more than 100 requests/second. If a web page visit results in 10 requests, this means such a server will deliver at least 10 pageviews per second, which sounds good enough for a typical blog. Most vanity bloggers will be happy to have 10 pageviews per hour :-).

Here is what I did, step by step. I started by creating a page on a fresh domain at Google sites. With Jmeter I set up a little script to poll for that page. This script was then uploaded to WatchMouse, for continuous performance evaluation, and to Blazemeter for load testing. After an initial trial with a single server we fired 8 servers with 100 threads (simulated users) each.

You can see the result in the next graph. You will see Google Sites easily handling over 150 requests per second, with a bandwidth of 3 Megabyte/second. Each request is a single HTTP request.

Interestingly, Google Sites does some kind of rate limiting, as we can see in the next picture. As the number of simulated users increases, the response time increases as well, already at low volumes. There is no ‘load sensitivity point’ indicative of resource depletion.

In the next picture you can see that the response rate just levels off.

In fact, it is even likely that Google Sites is rate limiting by source IP address. While this test was ran, the independent monitoring by WatchMouse showed no correlated variation.

Some final technical notes: If you want to maximize the requests/second you need lots of threads/simulated users with delays built-in. Jmeter is not good at simulating users that don’t have delays.

By the way, the site under test was served by more than 40 different IP addresses. The site has low latency to places around the world: for example locations in Ireland, China, San Francisco, Malaysia all have connect times less than 5 milliseconds. This substantiates the statement that Google Sites is using some kind of CDN.

5 organizations that got value from using cloud computing

Just to let you know that I created a brief note about 5 organisations that got value from using cloud computing.

It is brief, but explains the main business reason and how they did it.

Examples include profit and nonprofit businesses, public cloud and private cloud.

You can get immediate access to it by filling in your e-mail address in the box on the right.