Software as a service needs foundation of strong security

Underneath the software-as-a-service hype, large organizations have a real concern. Yup, security jitters again. Just as security slowed down the Web services train, it appears to be putting the old kibosh on SaaS deals.

Why the concern about security? It isn't about basic safeguards like firewalls, desktop antivirus, or intrusion detection systems. It's about end-to-end security from user authentication to data privacy to physical security in data centers to off-site transport and storage of backup tapes.

Before outsourcing my HR applications, you can certain that chief security officers will put service providers through the security "white glove" treatment and demand on-going auditing of security henceforth.

What does this all mean?

1. SaaS vendors must become security beacons to succeed. These demands go beyond information and physical security; service providers will have to be familiar with their customers' business processes in order to understand where their services are most vulnerable. In my mind, "business process security" is the new frontier and SaaS vendors must blaze the trail.

2. Data privacy is tantamount. Strong authentication, proactive auditing, and encryption must be a part of the SaaS design in order to restrict access to private and confidential data. The SaaS providers must assume liability for the cost and damages associated with any data breaches.

3. SaaS vendors find security partners from the get-go. Managed service providers like IBM, VeriSign, and Symantec have a huge opportunity to be the Good Housekeeping seal of approval on SaaS offerings. As part of these big deals, SaaS vendors must transfer risk to security experts, use these partnerships for marketing advantage, and maintain their focus on solving business problems.