Making Sure Your Data is Safe with SaaS
Software as a Service (SaaS) has become quite the buzzword these days, and the category covers a wide range of applications that you can access and use over the Internet without having to invest in any servers or install any software on your premises.
A few examples include office applications from Google Apps and Adobe Buzzword and e-mail and instant messaging services by LiveOffice and Hotmail. And you'll find plenty of online backup and data protection services from companies such as Iron Mountain and AmeriVault. And large vendors like EMC, IBM and HP are increasingly turning to such services to expand their markets.
As well as providing the software, companies that offer SaaS either host your data on their servers, or, at the very least, gain access to your computer systems. So just how safe is it to use such services?
"Small and medium-size businesses should be very careful in picking a vendor to store all that valuable data," said IDC analyst Laura DuBois.
Obviously, it is advisable to learn all you can about the company that is providing SaaS. How safe will your information be? If you need to recover data, how long will it take to receive it? Is the company stable enough to survive a market downturn? These are some of the critical questions you should ask and have answered before making any decisions about SaaS providers.
SaaS can save users a bundle on software licensing, hardware and management, but that doesn't mean SaaS is for everyone. When picking a SaaS vendor, you should dig deep to find out just how much substance the provider offers. Obvious giveaways include unwillingness to provide customer references or a reputation for having a low client-retention rate.
"In the SaaS world, customer retention is a very telling number," said Matt Smith, president of LiveOffice, a provider of e-mail, instant messaging (IM) and other SaaS products. "A dependable company should have a customer retention rate of at least 98 percent."
If it's a start-up company that nobody has heard of, you'll need to perform even more thorough due diligence to verify some kind of track record of successful delivery.
Another angle is customer support. The pipsqueak outfits might look flashy, but they are typically weak in after-sale support. In some cases, though, veteran help desk staff and top-notch support may not be worth the premium.
"It really depends on what companies want," said Tom Meyer, general manager of Iron Mountain's Digital Record Center for Images. "Some don't need highly secure content management systems, so cheap and simple online storage might be fine."
Clearly, security should be front and center among vendor selection criteria for SaaS. A vital facet of online services is how vendors keep their data secure and the care they take to ensure it's safeguarded against disaster.
"Small business owners should ask how the vendor stores their data," said Smith. "A good vendor will have multiple, mirrored data centers, which means that client data is backed up in multiple locations and always available."
SaaS vendors use a variety of ways to secure their data. Some prefer a collection of disk arrays with encrypted data. Others like the muscle approach, with the data being locked up in a large vault in an isolated and safe location. Here are a few examples of the type of information that you should glean from SaaS vendors during vendor selection.
Iron Mountain's Digital Record Center for Images, for instance, provides encrypted data transmission, user-access control and secure storage in a data center that's 200 feet below ground.
Backup and storage Saas provider Elephant Drive secures data by replicating it among multiple hard disk-based pools of storage. Data replication protection is built into production systems; i.e., all data is available on at least two geographically independent sites.
Online backup service provider AmeriVault stores customer backups in three places one each in two separate disk-based systems, and they send the third copy to a business continuity site more than 1,000 miles away.
Online backup provider DS3 DataVaulting uses EMC Clariion for primary storage and keeps a backup copy on a completely different high-end disk system for ease of recovery. It operates three data centers, including one for replication of customer information.
"Any reputable SaaS vendor should take appropriate measures to secure their servers and be able to thoroughly outline this process for each client," said Smith.
An excellent tool for achieving SaaS satisfaction is a Service Level Agreement (SLA). An SLA is a contractual obligation for a company to provide a certain level of system reliability. Smith recommends that you don't accept an SLA that's less than 99 percent.
Further, an SLA should include information on what will happen to the client's data if the contract is terminated. In such a case, you want to be very certain that the information remains your property and that you are legally protected.
Prince Street Capital Management, for instance, uses backup services (software by Asigra Inc.) delivered by Data Storage Corp. (DSC). This primarily protects the company's e-mail system. DSC also provides an offsite data storage vault that ensures safe remote storage and rapid recovery of information. An acceptable SLA was an essential part of the deal.
"In our quest to implement an appropriate backup and recovery solution, fast recovery of Microsoft Exchange data was a key determinant in our decision-making process," said Peter McKown, CFO at Prince Street Capital Management. "With the selection of DSC as our managed backup and recovery services partner, our business requirements are met and service levels are beyond expectations."
SaaS In your Future
Worries over SaaS are certainly legitimate. But in many ways, they resemble the arguments about doing business on the Internet from a decade ago. Back then, many small businesses were concerned about guess what data security, whether they could trust start-ups and whether e-commerce was a viable business model. Ten years later, just about everyone has some kind of online commerce avenue. But it took a few years for the business world to come to terms with this new concept.
Similarly, SaaS must go through the same cycle, earn people's trust and ultimately become part of the fabric of the workaday world. But for SMBs with small (or no) IT department, SaaS makes sense provided it's implemented with due care.
And as in the case of Prince Street, you may have multiple suppliers to deal with. IDC's DuBois points out that there are three components to the question of who to trust in SaaS. Who is the technology supplier? Who is the vendor managing their data? Who is responsible for the data center and the infrastructure?
"In some cases, this can be three different entities, and there are potential risks at each level," she said. "But in all cases, find out about privacy, encryption, availability, time to restore, SLAs, cost and terms of contract expiration."
Article courtesy of Small Business Computing