Monday, December 12, 2011

Implementing SaaS Solutions Reduces Security Concerns

"The user's going to pick dancing pigs over security every time" - Bruce Schneier"

In this post I am publishing an article by a guest contributor - Rashed Khan ( who points out interesting study results...

Software as a service (SaaS) for application delivery is a hot topic when it comes to questions of security. Adding SaaS components in any form is something that seems to generate acute anxiety in anyone who takes the time to consider it. Fears about the loss of privacy and other related security issues top the list of current concerns.

On the other hand, those who are already using SaaS solutions or have added elements of SaaS to their systems are considerably more confident about security issues than non-users. When it comes right down to it, SaaS appears to be something that one must experience in order to trust.

Forrester Research has recently completed a study that supports this premise. In companies where SaaS was already in use, having replaced a complete solution, concerns over security are noticeably lessened. This is also true in companies where the decision to replace a complete solution with SaaS had already been made and was about to be implemented.

By contrast, companies that were only contemplating or planning to augment their solutions with SaaS, or in companies that were using just a few SaaS components, anxieties over safety were still running high.

Miroslaw Lisserman, analyst at Forrester Research, believes this to be a strong validation of the future of SaaS technology. Lisserman had this to say about the findings: “To me, this means the following: SaaS solutions are more secure than perceived by many, since once SaaS applications are deployed and used, the security concerns decrease.” Apparently, SaaS technology performs so well that it has to be experienced to be believed.

Analyst Krishnan Subramanian, an independent researcher, feels that the security concerns related to the SaaS technology itself have been overworked. He said that the real issue related to this application has more to do with people. Regarding these concerns, Subramanian had this to say: “It is the responsibility of the SaaS vendors to educate users about their people-centric security practices. It is the responsibility of the SaaS users to get to know these details from the vendors.”

Moving away from concerns about the security of SaaS technology and turning attention instead to security concerns related to the technology's providers and users is a measure of the maturing of this technology. It's a sign that SaaS is ultimately coming into its own.

The growth of the sector itself testifies to this belief. There has been rapid expansion of SaaS solutions with Enterprise Resource Planning (ERP) software functions. Additionally, there is growing use of the ERP system by both small and mid-sized manufacturers. The manufacturing software is also used more frequently by industry distributors and in job shops.

Small companies who are part of large supply chains, along with the supply chain members they deal with, are all discovering significant benefits and greater functionality in SaaS-based ERP when employed as a comprehensive manufacturing software solution. Home-grown and standalone applications fall short by comparison, making SaaS both the wave of the future and an increasingly intelligent choice.

Thursday, December 01, 2011

The Black Swan Event in SaaS Operations

 "I find that the harder I work the more luck I seem to have."  - Thomas Jefferson

Nassim Taleb’s eye-opening books 'Black Swan' and (to a lesser extent) 'Fooled by Randomness' discuss the rare, unexpected and almost impossible to predict events that have a major impact (and usually tend to be disastrous). He calls these events Black Swan events, and gives samples such as World War I, stock market crashes,  the PC, the Internet, and 9/11.
Interestingly enough, all the Black Swan events are easily rationalized after the event, by hindsight.

The Black Swan analogy is borrowed from the notion that while one can induce a hypothesis from observational data - e.g. all swans are white - one cannot prove that hypothesis, since after observing numerous white swans, it takes only a single black swan to refute it. Karl Popper, the science philosopher, made that notion popular in his discussion of the Scientific Method (The Logic of Scientific Discovery).

SaaS and the Black Swan
Have you ever lost your database only to find out that the backup files were deleted the previous day? Have you ever hit a major problem with a component in the system, only to find out that the support contract expired last month?

My own experience and the experience of the numerous companies I have worked with, have taught me that the next Black Swan is just around the corner, lurking in the dark and will hit you when you least expect it to. Heck, that’s the nature of a Black Swan.

The systems we deal with are so complex and interdependent that one could never analyze (let alone predict) the interconnections that govern the behavior of the services we offer. Luckily, statistics are on our side, so that most SaaS applications are stable most of the time and on average, we can predict the behavior over time. But that is just what creates a Black Swan – we observe a certain behavior for so long, that we tend to accept it as a scientific fact; until it bites us in the behind.

Running a complex SaaS operation with dozens (or hundreds) of servers, network boxes, configuration files, erratic software and all the dependencies we have on our infrastructure providers (power, internet, hardware, communications) is like driving a high speed car on a congested highway, blindfolded. We have no appreciation of how much Lady Luck is involved.

Keep in mind that the longer good things happen, the harder is the effect of the Black Swan event - remember the and the real-estate bubbles; most of us are still licking the wounds.

The Butterfly Effect
All it takes is an overflowing log file, that incapacitates the disk, that will bring the system down. Or a minor, forgotten gadget installed on one of the servers whose license has expired. A pipeline of requests starts filling up and there goes the system.
How about setting up an image of a new VM, whose IP and the DNS IP were reversed by mistake. Put it in production and slowly the wrong DNS IP starts propagating in the system. After a while the servers are not communicating with each other and the system freezes.
These tend to be catastrophic events, since they are so hard to detect and resolve. Many times, restarting the whole system is the chosen quick solution, praying that the problem will resolve itself. But in these cases, the system will behave just as badly, and by the time one realizes what is happening, major damage to the customers and your brand has been done.

Words of Wisdom

Do not despair. I am not suggesting that since a Black Swan event is unpredictable, there’s nothing you can do about it. The opposite is true.
The first step is to internalize the fact that it will occur, as the famous quote goes “s**t happens”.

Prepare for Failure” is my motto. Take into account that at any given moment something might break.

A number of practices should be implemented early on:
Change Management: To ensure that the events are indeed rare and that one may recover quickly with the knowledge of what went wrong.

Event Management: To be able to detect early on, what is hitting the fan, and respond to it.

Availability Management: Analyze your Single Points of Failure and impact of component failure. Build your backups, your DRP and practice recovery.

Incident Management: Make sure you cover these practices: Detection, Recording, Classification, Notification, Escalation, Investigation, Diagnosis, Restoration and Closure.

The Wise and the Smart ones
I was approached by a few (emphasis on few) CEOs and COOs that felt uncomfortable about the fact everything was going smoothly. Some were on the verge of fast growth and wanted to assure themselves that they were better prepared to hit the highway. Others had a feeling in their bones that “too good for too long” was a recipe for disaster, even if they did not read Nasssim Taleb’s book.

But many potential customers I spoke with assured me that they really do not need my services since they are doing very well, thank you. Some are still doing very well and others had a large hat to eat and many letters of regret to write their customers.