I completely appreciate all the arguments Axton has made here - especially
the non-technical ones that lean more on legal bindings, during and after a
tenure with a SaaS vendor, which many might "almost forget" to consider or
disregard based on a trust relationship with their vendor(s).

 

Not that I have any disagreements with SaaS-based solutions; it is a great
technology that meets the needs of businesses that have limited financial
capabilities, and/or limited budgets towards solutions they want to pick,
but these are great arguments one might want to consider before they accept
the risk of hosting their solution at what may well be considered a public
repository, even though for marketing reasons it might be dubbed as a
private one.

 

Joe

 

  _____  

From: Action Request System discussion list(ARSList)
[mailto:[email protected]] On Behalf Of Axton
Sent: Wednesday, February 26, 2014 11:35 PM
To: [email protected]
Subject: Re: salesforce --> Got ur little black book

 


Interesting read indeed.  I had not considered that vector.  

 

There are many parties involved in a SaaS offering.  Consider the stack:

- data center owner (may not be the company with the SaaS offering)

- physical access to data center (provider, security staff, vendors, etc.)

- data transit providers

- where are the offsite backups stored (different legal jurisdiction?)

 

In a nutshell, there are dozens or many more companies involved with
providing that SaaS that all have some degree of access to the facilities or
data that provide that SaaS.  The security is as strong as the weakest point
of that entire chain of entities.

 

There is also a lot of policy that is either assumed or promised but not
validated or impossible to validate.

- what legal jurisdiction presides over the data center

- backup/off-site data location: different legal jurisdiction?

- is data in the cloud really ever your data?  what are your legal rights?
are those legal rights enforceable or are you bound to mandatory binding
arbitration or some other means by which your rights are signed away?

- what happens to data if the company is acquired by another organization?

- what happens to data if the company is dissolved (closes its doors
unexpectedly)?

- what happens to data when you terminate service with a provider; is it
destroyed?

- depending on the legal jurisdiction, is the SaaS provider required by law
to disclose breaches in security?

- is the hardware sufficiently scrubbed before it is retired?

- what happens when a load of tapes is lost or stolen?  are you notified?
does this depend on the applicable legal jurisdiction?

 

This all gets even trickier with international dealings.  Imagine a Chinese
technology company using a SaaS offering based in the US, or vice versa...

 

Just remember that a corporation will always do what it sees in its best
interest.  Its interests are driven by its stakeholders (primarily
shareholders, for those publicly held companies).  The dollar is the bottom
line and decisions are most often made based on closely calculated risk.  If
a company is not legally required to do something that would negatively
impact their bottom line, it will most often not do it (there are, I
suppose, rare exceptions, though none come to mind at the moment), even if
unethical (I know, shocker, right?).  That means not disclosing breaches
(theft of your data) if not required to do so under legal/regulatory
penalties.

 

Make a decision based on calculated risk when considering cloud offerings.
Evaluate whether using a cloud offering makes sense for each given
situation.  Don't do it because:

a) it's the trendy/popular thing to do

b) migrating to SaaS has an immediate positive impact on the balance sheet

 

Instead, ask yourself:

 - If our data in the cloud were available to the world at any given point
in time, what is the possible impact?

 - If our data were to surface in the future after we stopped using a cloud
provider, what is the possible impact?

 - If our data were secretly sold to another entity, what is the possible
impact?

 - If our data were secretly stolen by another entity (criminal, government
actor -- technically, I suppose it's only stealing if it's someone else's
gov't --, competitor), what is the possible impact?

 - If our data were openly/publicly known to be stolen by another entity,
what is the possible impact?

 

I use the term "our data" loosely.  When you put it out on the net, I don't
believe it is "our data" anymore.  It becomes just data, accessible by many.

 

All of the scenarios listed above can happen even under a roof you own,
but at least under your roof you have some semblance of control.  How
you choose to exercise or neglect that level of control is still up to you.

 

There are places where cloud offerings make sense.  There are others where
they do not.

 

Axton Grams

 

On Wed, Feb 26, 2014 at 3:50 PM, Joe D'Souza <[email protected]> wrote:


I thought this was an interesting read too.

 

This is one of the few reasons I was interested in getting better acquainted
with real life advantages and disadvantages of the two strategies.

 

Joe

 

  _____  

From: Action Request System discussion list(ARSList)
[mailto:[email protected]] On Behalf Of Brian Goralczyk
Sent: Wednesday, February 26, 2014 10:09 AM
To: [email protected]
Subject: Re: salesforce --> Got ur little black book

 


A rather interesting read after Joe's discussion regarding SaaS.  I also
like that they pointed out that it wasn't a weakness in Salesforce.com but a
weakness in the trusted relationship between the client and the server.
Something else to pay attention to.

 

On Wed, Feb 26, 2014 at 8:48 AM, patrick zandi <[email protected]> wrote:


http://www.theregister.co.uk/2014/02/26/zeus_salesforce_malware/


-- 
Patrick Zandi

_ARSlist: "Where the Answers Are" and have been for 20 years_ 

 
