7 Requirements for SaaS

Feb. 11, 2011
What end-users should be looking for in a software as a service provider

Software as a Service (SaaS) is a delivery model in which applications are hosted at an outsourced data center, and sold to the end-user under a monthly subscription. With the physical security industry increasingly shifting to this approach in order to control costs and avoid obsolescence, it is crucial that buyers understand what factors to consider when looking for a SaaS provider.

The tremendous growth of new SaaS security and surveillance services in the past few years has made choosing the best solution tougher than ever, as buyers must sort through a blizzard of competing vendor claims. That said, SaaS has been around for long enough in the general IT market that a number of best practices have emerged for evaluating these hosted service offerings. I have distilled all the information down to seven requirements and applied them to the physical security context.

1. Audited Data Security Controls

Because data security is still reported as the No. 1 concern for CIOs with outsourced application services, it needs to be your No. 1 concern as well as the physical security SaaS end-user.

First and most importantly, this means you need to ensure that SaaS providers undergo regular third-party application security audits, and that they are willing to share those results with you in writing. There are a variety of standards that govern security audits, but one of the most common in the United States is SAS-70. Other standards include SysTrust, WebTrust or ISO 27001/2, depending on the application.

If a SaaS vendor has not bothered to have its system audited to at least one of these standards, then you are assuming far more risk than is reasonable. If your vendor cannot show you a current information audit statement, you should not trust them.

As part of your due diligence, make sure that the audit statement pertains to the SaaS provider's specific application, not just the hosting center. Unfortunately, it has become a common sleight-of-hand for new players to try to pass off their third-party hosting center's audits as their own. The two are very different things. Demand an audit statement for the specific application you will be using.

2. Track Record of High Availability

Right after information security, one of the top concerns among SaaS buyers is system availability, or "uptime." Even though SaaS providers as a group have an admirable track record against in-house solutions, most buyers feel a bit queasy when they cannot reach out and touch their own servers, or wring the neck of their very own IT guy when there's a problem.

That's why it is important to understand the "availability record" of your candidate service providers. Monthly or annual availability figures are something they should be able to provide to you. After all, those of us in the industry live and die by these numbers, and we know them better than we know our own phone numbers. If a provider cannot or will not tell you, it is not a good sign.

As a target goal, you should be looking for an application availability figure in excess of 99.95%, and a data availability figure in excess of 99.99%. This second figure is higher because even if applications or networks are briefly unavailable (that being the nature of the Internet) there is really no excuse for losing anyone's data with today's replication technology.

3. Multiple, secure, disaster-tolerant data centers

Multiple data centers are one of the techniques used by SaaS providers to achieve high availability, but there are more reasons than just that to make sure a provider has housed your data in several secure "telco grade" facilities that are geographically dispersed.

First, it excludes those "mom and pop" offerings where a security dealer or integrator has basically stashed a couple of servers in their office telephone closet and called it a hosted offering. You wouldn't do that in your own IT shop, so do not accept it from anyone else. Telco grade facilities are characterized by having diesel-generated back-up power, multiple independent connections to the Internet, 24-hour staffing and their own secure physical security perimeter. These days those are just minimum requirements, so be sure to ask where the servers are and where your data will be stored.

Second, the requirement for being in multiple geographically dispersed data centers is important because it insulates you from many types of regional disasters - both man-made and natural - as well as transient Internet congestion, which can affect application response time.

On a related note, it goes without saying that in order for multiple data centers to do any good, your data must be replicated across these facilities in real time. Buyer beware: not everyone does this, so ask about it. The simple question to ask is: "explain your data replication strategy." Key words you are listening for are "real-time" and a proven, name-brand database solution, not a home-grown or "proprietary" approach that you cannot research.

4. Look for integrated applications, not stove-pipes

In the current rush to the cloud, one of the things we see happening is a repetition of the age-old IT sin of stove-piping applications. Traditionally, this term has meant deploying single-purpose applications that do not communicate with one another, thereby resulting in poor data integration, poor work-flows and higher costs to the end-user. SaaS will not change that - a stove-pipe in the cloud is just as bad as a stove-pipe in your own data center. You need applications that work together.

In the physical security domain, this typically means integrating one or more of access control, video surveillance and intrusion detection. Given the immaturity of many of the SaaS offerings currently in our industry, we are seeing many single-purpose, stove-piped applications that are unable to communicate with any of the other applications that are normally a part of a full physical security suite. This does not mean they aren't great applications. The problem arises when you need your hosted IP video system to interoperate with your hosted access control solution - and you may find that your vendor does not offer this pairing.

This means that buyers need to ask about application integration up front, and make sure that vendors can provide the combinations they need.

5. Is your vendor asking for inbound holes in your firewall?

Because SaaS security systems exchange data between on-premise devices and off-premise hosted applications, they need connections through your corporate firewalls. There are both safe and unsafe ways to do this.

In a nutshell, your security devices (control panels, cameras, etc.) should be initiating the connection to the hosting center, and not vice-versa. Why is that? First of all, you never want to open any inbound ports on your firewall unnecessarily - that's just bad policy. Second, firewalls are typically already configured to allow outbound connections from your network to external services points, such as Web sites. This principle explains how your corporate network can safely allow employees to connect to millions of Internet sites without specifically having to identify each one in advance, and, at the same time, keep millions of hackers from gaining entry into your network or personal computer. You should ask no less from your physical security solution.

If your vendor tells you that you need to open up inbound ports on your firewall, think twice about using their service.

6. Device authentication

Your system is only as secure as the authentication and authorization procedures that protect it. This security principle applies to physical devices on your network just as it does to human users. Security equipment such as cameras and control panels are essentially "logging in" to exchange data, and they need to be authenticated as well.

The most widely accepted way to do this is to install X.509 digital certificates from a trusted certificate authority on networked devices. These certificates allow the establishment of mutually authenticated encryption sessions between endpoints and applications.

If your SaaS provider's equipment does not allow you to do this, you should ask what they are doing to provide an equivalent level of security.

7. Penetration Testing

Penetration testing, also known as "white hat hacking," is a process for evaluating the security of a computer system and its applications. The purpose is to have experts try to hack your own system before someone else does, and to fix any vulnerabilities uncovered in the process. Typically, SaaS service providers contract with an outside firm for this service because these firms specialize in knowing how to perform all of the latest and most sophisticated attacks.

As a practical matter, you should ask a SaaS provider to identify which firm does their penetration testing, and how they incorporate the results into their product development cycle.

If they will not tell you, there is really no way to know whether your data is going to be secure.
Steve Van Till is president and CEO of Brivo Systems (www.brivo.com).