CircleID

As the industry-wide paradigm shift to cloud computing and software-as-a-service gradually continues to make the transition from buzz to reality, security and availability continue to emerge as the main barriers to customer adoption. A recent ISACA survey of over 1,800 US IT professionals found that only 17 percent believe the benefits of cloud computing outweigh the risks. Only one in 10 respondents said they would consider using software-as-a-service (SaaS) for mission-critical applications.

While some of this hesitance can probably be attributed to an overabundance of caution and the general human tendency to be wary of change, some security concerns are well-founded.

Companies entrusting their sensitive data to a SaaS provider need to be reassured that the data cannot be accessed by unauthorized third parties, such as employees and other customers of the provider, whether at rest or in transit. Data leakage has always been a potential issue at the low end of the hosting market — budget customers on shared servers — but the co-tenancy sometimes involved in cloud computing carries the perceived risk of bringing the problem to enterprises. SaaS providers need to be open and transparent with their customers about their security precautions, such as their encryption and access control regimes, as well as their layers of physical security.

There are other concerns, such as distributed denial-of-service attacks. As DNS service providers and others can attest to, when you have many thousands, or millions, of customer accounts running on the same infrastructure, you increase the risk of that infrastructure becoming the target of an attack. It's the old all-your-eggs-in-one-basket problem. To a DDoS-attacker focused on extortion, political retribution or simple vandalism, a broad customer base looks more like a convenient, aggregated attack surface. They can channel their resources on a narrower choke point, getting their message across by attempting to cause maximum collateral damage.

Of course, the opposite case can also be made: securing systems can be an expensive proposition, and companies can actually benefit from the substantial economies of scale that SaaS providers offer in terms of cost and security. Benefits include the availability improvements brought about by consolidated patch management, the economics enabling a much more diverse technology base that is less vulnerable to exploits, and the ability to quickly respond to DDoS attacks by reallocating resources.

It's important that both SaaS providers and their customers do not overlook reliable DNS provision as a key component of their overall security strategy. Companies can often blow their budgets on a super-redundant hosting infrastructure and forget about DNS — the only way their customers can actually reach it. Far too many times DNS is allowed to become the weak link in the chain, making it an ideal target for would-be attackers. All DNS services must come with a Service Level Agreement (SLA). Accepting anything less than 100% up-time for that SLA means you are accepting downtime for your business.

SaaS customers, however, often forget about DNS. Signing up for Google Apps, for example, is fairly straightforward and free, so it's easy to be quickly lured into a false sense of security, believing that your critical applications now reside on one of the world's largest and most robust data centers. This is of course not completely true. While cloud services such as Google Apps have brought many efficiencies to enterprises, they usually do not natively support DNS resolution. If you've forgotten to effectively provision your DNS, and it goes down, so does your Google Apps.

For a SaaS provider, surveys showing customer reluctance to adopt your services should of course be of some concern. But this hesitance also provides cloud computing companies with excellent opportunities to differentiate their services. When customers make buying decisions with security and availability as their primary concern, there's a clear incentive for SaaS companies to compete on security — a rising tide that carries all boats with it.

By John Kane, Vice President of Corporate Services, Afilias

Related topics: Cloud Computing, Data Center, DNS, Security