Jay Heiser

A member of the Gartner Blog Network


SaaS Translation: What your Service Provider REALLY Means

by Jay Heiser  |  May 23, 2011  |  1 Comment

After 25 years in high tech, I’ve seen a lot of hype, but some of the misleading verbiage that I’m reading these days still disappoints me. It’s not surprising that as a technology approaches the top of the Hype Cycle, some of the vendors turn their Spin Cycle up to 11. I spend a lot of time reading between the lines of Cloud Service Provider (CSP) blogs, web brochures, and contracts, where SLA dissembling has become a core marketing competency. Hyperbole is par for the course in commercial communication, but I find it somewhat disconcerting that so many misleading messages are actually being believed.

Your data is encrypted: This usually translates to “we use SSL to encrypt it in transit, but it’s still in clear text on the server, where it can easily be seen by our rogue admins or undetected hackers.”

Your data is encrypted on our server: In at least one recent case, security researchers have shown that this can mean “yeah, it’s encrypted, but we keep the keys on our servers, and we don’t protect them very carefully.”

We have a Recovery Time Objective of zero: I cannot translate this statement, because it is meaningless.

Our data center is SAS70-certified: This usually indicates “we don’t understand what a SAS70 attestation is,” but a useful working translation in a wide variety of instances would be “The company we sublet space from has shown an accountant that they keep the doors locked, the HVAC is reliable, fire suppression is in place, and there is plenty of diesel oil in the generator fuel tank.”

Dereferenced data will be overwritten with other customer data over time: Translation “We don’t actually delete your data.”

We are committed to security: Translation “We want your money.”

Our security guards have Segways: Translation “Even our non-tech employees are cool.”

We use sophisticated proprietary technology: This roughly translates as “You don’t need useful evidence to accept that we are the superior choice.”

We have a robust change management system: This often means “We are constantly tinkering with our code and we’ll never give you any advance warning of when it might affect you.”

We are a leading provider of…: Translation “we exist (at least for the time being).”

While I still think we’ve got a long way to go on cloud computing transparency, there are certainly providers that do a better job than others of explaining their level of effort and the form of service you should expect. Unfortunately, an honest presentation of the realities of data protection can be less compelling than a hyped and obfuscated story. Until the spin cycle runs its course, there are going to be some disappointed buyers, especially those with high expectations for data encryption and data recovery.


Category: Cloud, IT Governance, risk management, security, Vendor Contracts


  1. Roger Bottum, May 26, 2011 at 5:11 am

    Jay

    Nice job at knocking down some of the security veneer practiced by some SaaS vendors.

    We just finished a round of presentations on SaaS myths and truths, and the theme on security was that it’s not binary that SaaS security is better or worse, but that you have to a) take the same pragmatic approach you do for any system in terms of defining requirements for controls and measures of the controls’ performance based on the criticality of the process and information and b) dig into the details so you understand how the vendor addresses those requirements.

    Further, since SaaS apps are often driven by the business, IT should be organized and prepared to educate and assist, not issue blanket no’s or ignore the issue.

    So, as always, back to first principles …