Is SaaS really Spying-as-a-Service?

Companies must trust an ISV to use their SaaS solution. Many customers have a real fear of losing control as their data moves into the cloud. The revelation the CIA was spying on SWIFT does not help; nor does the French government’s continuing BlackBerry ban. ISVs and PaaS providers can only succeed by working together to create a believable end-to-end SaaS security and privacy story.

We Europeans are complex when it comes to privacy.

At one extreme the UK has probably the world’s highest density of security cameras. At the other, tax returns in Norway have been public information since 1863.

Many share intimate details on Facebook and other social networks. When it comes to business data, however, they expect much more.

Spies are everywhere

Your SaaS solution moves your customers’ data into the cloud, so expect fear and doubt about loss of control. Experience shows that sometimes these fears are real, in others (perhaps) not:

  • CIA Caught Spying on Global Banking Network. A secret order forced SWIFT to grant US officials access to copies of bank transfers mirrored to the US. There was uproar in Europe when the New York Times revealed the spying action. A new SWIFT data centre in Zurich means in future only transactions to or from US banks cross US borders.
  • French Government Bans Unsecure BlackBerry. The French government banned officials from using the BlackBerry mobile service. They claimed third parties could intercept messages routed through servers in the US and UK. RIM was quick to reassure subscribers there was no basis to the French claims; still, doubts remain about BlackBerry security.

Create your SaaS security and privacy story with such examples in mind; your customers will have read about them. Reassure them about when and where you store and use their data. Pay particular attention to anywhere their data could be “in the clear”. Also, remember any third-party services you use (directly or indirectly); they are a potential source of leaks.

Secrets and lies

US legal threats forced SWIFT to hide the spying from their member banks. This is not unique to the US, however. Many governments try to keep their data mining secret, and such powers sadly end up being used for other purposes.

SWIFT had enough power to demand limited audit controls. How will you react if (or when) a government demands secret access to your SaaS solution? Can you limit access to the data of a single customer, or is the door open to them all?

Who can you believe?

You must trust many providers, most of which your Platform as a Service provider hides from you. That, of course, is the idea behind PaaS. However, ask your PaaS provider detailed questions about security and privacy. Ask them how they will react if they are ever in the same position as SWIFT…

You might never know whether your PaaS provider (and in turn their providers) is telling you the truth. Even so, you must create an end-to-end security and privacy story that is believable enough to reassure customers.

Remember: S-is-for-Service not S-is-for-Spying!

Coming up…

Next time on paasTalk I will look at a survey’s claim that small and medium German ISVs are rejecting SaaS: Survey reveals 2,548 German ISVs asleep at the (SaaS) wheel!
