Image: Developers have not really given much thought to whether they can trust a locally installed compiler. Can you take the same approach with a PaaS provider, or will you need to follow a “trust, but verify” approach?

We Europeans are complex when it comes to privacy.

At one extreme the UK has probably the world’s highest density of security cameras. At the other, tax returns in Norway have been public information since 1863.

Many share intimate details on Facebook and other social networks. When it comes to business data, however, they expect much more.

Spies are everywhere

Your SaaS solution moves your customers’ data into the cloud, so expect fear and doubt about loss of control. Experience shows that sometimes these fears are real, in others (perhaps) not:

• CIA Caught Spying on Global Banking Network. A secret order forced SWIFT to grant US officials access to copies of bank transfers mirrored to the US. There was uproar in Europe when the New York Times revealed the spying action. A new SWIFT data centre in Zurich means in future only transactions to or from US banks cross US borders.

• French Government Bans Unsecure BlackBerry. The French government banned officials from using the BlackBerry mobile service. They claimed third parties could intercept messages routed through servers in the US and UK. RIM was quick to reassure subscribers there was no basis to French claims; still, doubts remain about Blackberry security.

Create your SaaS security and privacy story with such examples in mind; your customers will have read about them. Reassure them about when and where you store and use their data. Pay particular attention to anywhere their data could be “in the clear”. Also, remember any third-party services you use (direct or indirectly)–they are a potential source of leaks.

Secrets and lies

US legal threats forced SWIFT to hide the spying from their member banks. This is not something unique to the US, however. Many governments try to keep their data mining secret; although these powers sadly end-up used for other purposes.

SWIFT had enough power to demand limited audit controls. How will you react if (or when) a government demands secret access to your SaaS solution? Can you limit access to the data of a single customer, or is the door open to them all?

Who can you believe?

You must trust many providers, most of which your Platform as a Service provider hides from you. That, of course, is the idea behind PaaS. However, ask your PaaS provider detailed questions about security and privacy. Ask them how they will react if they are ever in the same position as SWIFT…

You might never know whether your PaaS provider (and in turn their providers) is telling you the truth. Even so, you must create an end-to-end security and privacy story that is believable enough to reassure customers.

Remember: S-is-for-Service not S-is-for-Spying!