Vision from the Top 2013: Carson Sweet, CloudPassage
Which of the following current topics will significantly change the market in the next year? And what is the impact? (Business Intelligence/Analytics, Customer Engagement, Mobile, Security, or Social)
Delivery of software products as a service (SaaS) continues to be a massive driver of change for the software industry. At CloudPassage we help software providers, including Fortune 500 software providers, make the transition. We're fortunate to have a unique vantage point in the industry from which we see a broad range of SaaS business strategy.
For your consideration, here are the trends we're observing and the security and compliance considerations for each. We believe that these trends and issues will be critical topics for software companies who seek relevance in the exploding SaaS market in 2013.
Migrating Traditional Software to SaaS
Traditional software delivery models involve deployment of product on the customer’s equipment and premises. In these models, data protection and compliance are the clear responsibility of the customer. Traditional software companies migrating to SaaS models now assume these responsibilities, squarely placing a new set of technical, operational and sales issues between the provider and market success.
An instinctive reaction is to assume that the security used to protect internal corporate I.T. assets can effectively meet security and compliance requirements for a customer-facing, multi-tenant SaaS offering. This is not the case. SaaS providers must address an extensive range of confidentiality, integrity, and availability issues for customer data and its processing. This is simply a core function of being a SaaS provider, and a core cost of doing business.
Existing and emerging SaaS providers should know that SOC2 is the new ISACA standard for security and compliance attestation, and PCI DSS or ISO 27002 are common benchmarks for reasonable control structures. Standards to be met are also driven by the type of customer data being handled (e.g. HIPAA for healthcare data) and the geographic location of your customers (e.g. European Union data privacy standards).
SaaS Market Entry via Merger & Acquisition
One approach for gaining ready-made SaaS market share is acquiring an existing SaaS provider in your current or a logically adjacent space. We see this happening more and more as large software companies seek to enter the SaaS market. Given that most innovative software startups today use a SaaS delivery model, this is a very logical approach for large enterprises to bootstrap a SaaS market presence and instantly add SaaS DNA to their organization.
Software companies taking this approach need to understand that startups often “get away” with less security and compliance. Their customers are often smaller and less demanding, and may not have the capability to impose and enforce strict compliance requirements. As acquired products are injected into larger marketing and sales engines, larger organizations will place higher security and compliance demands on products.
The section above outlines the standards and requirements typically important to SaaS success. A strategy to assess how much will need to be done to close gaps in an acquired product’s security (and there will be gaps) is critical; so is having a plan in place to quickly gain visibility into an acquired product’s security, addressing major problems quickly, and closing remaining gaps in a scalable manner.
Big-Data Software Components
The combination of big-data / big-analytics technologies and utility access to massive compute resources has opened the door to previously unattainable product functionality. These capabilities are being rapidly developed by innovative startups and large enterprises alike, and in some cases the two are merging synergistically.
Aggregation of many users’ data in a central repository is one of the core architectural side-effects of multi-tenant SaaS models. Analysis of this data (depending on customer usage and licensing agreements) offers the ability for SaaS providers to enrich their products by analyzing raw data into intelligence such as benchmarks or predictive models. However, this intelligence must be of the highest integrity in order to drive revenue-generating and/or customer retention value for the SaaS provider. Software companies who seek to extend their products through big-data methodologies have several items to consider.
Customer usage agreements must be closely examined to ensure that the SaaS provider has the right to include customer data in aggregations used for bulk analytic operations. In most cases, SaaS providers should anonymize and sanitize customer data being aggregated to prevent generation of additional copies of potentially sensitive customer information.
Once the SaaS provider has generated an acceptable, safe data set for analysis, protection of the analytics and results is paramount. Controls that assure the integrity of the code and models that actually perform the analytics are required to prevent corrupted intelligence from making it back into a core product. In addition, the models used will typically be a high form of intellectual property, making their protection in all locations (e.g. as implemented on cloud processing environments) a critical concern.
Being a SaaS provider ourselves, we firmly believe that these trends are only the beginning. In any SaaS model, regardless of where the product is hosted, protection of customer data confidentiality and integrity is a critical component. And compliance demands from customers and regulatory agencies will not suddenly begin to wane -- you can count on those demands just growing.
So now what?
If you think this article applies to your business, we encourage you to share it with your product management and technology teams. There's no substitute for exploring how concepts apply in your environment, and your organization undoubtedly has its own unique nuances.
Security and compliance is our core competency at CloudPassage. If you have comments, questions or other feedback, we certainly look forward to hearing from you.
This interview was published in SIIA's Vision from the Top, a Software Division publication released at All About the Cloud 2013.