I’ve spent a lot of the last 2 years researching the problem of making business decisions about the relative levels of risk associated with partners and service providers. Externally provisioned services, such as Cloud Computing (whatever the service) and SaaS (whatever the computing model) are problematic. We’ve learned a lot about security risk management over the last 4 decades, but it is difficult or impossible to apply those lessons learned to alternative delivery models.
A brand new Gartner survey supports this, with 28% responding that their organization does not allow the use of Software as a Service for sensitive data or services (curiously, 41% answered the same in regards to traditional outsourcing).
It's anybody's guess exactly what will happen, but I can only envision 4 possibilities:
- At least 1/3 of potential buyers continue to avoid something that potentially offers business value.
- The infosec community develops a convenient method of assessing and expressing SaaS and public cloud risks.
- Everybody decides to use the things anyway, assuming that they are appropriately secure without defensible evidence.
- Everybody decides to use the things anyway, recognizing that security cannot be demonstrated.