Last week I started a series of posts to examine why people are afraid of SaaS. So, let’s dive in and examine one of the fears that I have seen come up all too often – fear of SaaS security. Someone who’s afraid that SaaS isn’t secure may make the following claim:

I don’t use SaaS because I’m afraid of security. Keeping the data on our internal network is safer.

Well my friend, the internal network is not as safe as you think it is. It’s not completely cut off from the Internet like networks in the good old days. There’s always an access point to the net and open ports in the firewall that allow viruses, worms, and hackers to get through and exploit security holes. With security holes being exploited, your data could leak out or get destroyed altogether.

Also, as the cliche says, most break-ins happen from inside the company. Organizations keep a very strict security policy for incoming connections. What about outgoing connections? Or connections that don’t even reach the external firewall? What measures are in place on the internal network to make sure it’s secure? In most cases the answer will probably be “not much” until some disgruntled employee who has been cut loose decides to wreak havoc.

Even if you do have internal servers, it’s likely that not all company data is stored in the internal network anyhow. Do you use Gmail/Yahoo Mail/Hotmail/Messenger to communicate with co-workers, clients, send company files, and whatnot? Maybe even Google Docs to work on your documents from anywhere? If so, even though you may not like to admit it, you’re already using SaaS. Some of the company data is lying outside of your internal network, and according to the above line of thought it’s “unsafe”.

What about SaaS? How can hosting services somewhere out there on the web be secure? We’ve seen why the internal network isn’t that great, but that doesn’t make SaaS any safer. So, let’s explore some key points in favor of SaaS when it comes to security.

Since SaaS is accessible from anywhere, SaaS vendors offer stronger security than internal servers. Let’s see how Testuff measures up as a SaaS vendor. From the administrative side, the Testuff servers are protected behind firewalls with the strictest of policies. We have security people monitoring the servers 24/7 to make sure everything is kosher. Security patches are applied to our servers at a very high frequency as well. Of course our clients’ data belongs to them and we’re willing to sign an NDA if it’s necessary.

From the technological side, Testuff DBs can only be accessed with a username and password. Passwords aren’t even saved on the servers; only their hashes are. All communication to the Testuff servers is encrypted via SSL. Testuff databases are also encrypted, so even if someone were to steal one somehow, the sun would burn out before they would be able to decrypt it. Customer DBs are all separated logically, so one customer just can’t access data that belongs to another customer. Are your internal servers as secure as this?

Ironically, using hosted services for company data makes it harder for inside workers to hack. They obviously don’t have any privileges, control, or inside info to go and abuse the system like they would abuse internal servers. With security policies wound much tighter, a pissed off worker would have a much harder time hacking a hosted service than a server on the internal network.

Last but not least, as I already mentioned, you’re probably already using SaaS and everything is OK. Not only is it OK, but it’s making your work day more productive and comfortable. You get great tools and can easily collaborate with people around the globe or even in the next room with a service like Google Documents. So if you already use some SaaS, isn’t it possible that SaaS in additional fields may turn out to kick ass? Say a test management SaaS? ;)

To sum it all up, it’s a myth that SaaS isn’t secure. In fact, SaaS can be more secure than locally hosted servers. Of course, before you sign up with a SaaS vendor make sure their security policies fit the bill.

Security is important, but it’s not everything, so we’ll continue exploring people’s fears of SaaS next time. Until then, what are your security concerns when it comes to SaaS? Do you feel that SaaS vendors are fulfilling them, or are they lacking in some way? Drop a comment and let me know!