SaaS, Cloud Application, and Security

By John Ang, Director of IT & Education Technology, The Learning Lab, Singapore

John Ang, Director of IT & Education Technology, The Learning Lab, Singapore

Software As a service (SaaS) has been around for many years in the market. In recent years, it has been very prevalent in using this service with the notion of putting applications on cloud.

SaaS can be useful for general purpose applications (e.g. Dropbox, OneDrive). If a company can use a standard out of the box application with some minor configuration, SaaS will fit them well as it is relatively competitively priced as it is a shared application. All new features will be dependent on the vendor’s roadmap. All maintenance, patches will be well taken care by vendors.

For systems which are critical to its main company operation, it is unlikely SaaS will take place unless it can be customized to fit the business needs. Most vendors who allow customization will make the company pay more in their future yearly maintenance as those customized plug in or components are taken into account as the over application will still need to be patched and upgraded constantly. It is still considered SaaS with customized option.

It is important for a company to deliberate on dedicated and experienced resources, onsite or offsite to ensure the agreed turnaround time for any change request, bug fixes, and the necessary SLAs. A minimum of two resources is needed and it will depend on the criticality and the complexity of the system.

All applications should consider adhering to the OWASP application security risks, CERT secure coding standards, with proper code analysis and application security testing tool (e.g. Check Marx, Veracode). It may be difficult to adhere to secure coding standards for most software as it may have certain legacy components in them. However, it is important to understand their server architecture, including their middleware to sieve through the vulnerabilities that can be at hand.

There are companies who may want to consider to move its on-premise solution to cloud hosting, instead of the traditional rack hosting options. Cost, Tier X, SOC X are important consideration factors. Cloud hosting may not be a cost effective option as hosting in Singapore is still much higher than other places around the globe.

For SaaS vendors, most are likely to have a negotiated bulk discount deal which give them an edge to compete better.

Most Companies Should Consider Traditional Hosting And Cloud Hosting As A Blended Solution To Achieve Highest ROI For The Company

However, companies are still moving towards cloud facilities. It is similar to outsourcing infrastructure to specialized providers.

There are some key benefits in moving to cloud:

1. Less staff to maintain within a company

2. Reduce in the difficulty to recruit and retain technical staff

3. Reduce technical expertise which can be in a shortage to maintain and upgrade the system – applications, servers, and network

4. High Security investment by cloud provider

5. Quick ramp up of server, network specification when required during peak periods

Key areas to consider for Cloud hosting provider (e.g. AWS, Azure) will be their accreditation and certification that they have (e.g. SOC3, PCI compliant).

For cloud hosting services, we need to consider the ease of administration, which includes data transfer between accounts, key features to be turned on, etc.

IT staff should also be trained in cloud provider administration to administer the respective cloud hosting provider if it is infrastructure as a service.

On prem hosting will be less favourable especially with companies where getting talents in server, infra, operations, and security are tougher with many digital transformations being underway by private and government sectors.

Traditional hosting can also be considered with Tier 3 and Tier 4 options given to customers. Their cost may be more competitive with the introduction of cloud, especially if we need dedicated server hosting option.

Most companies should consider traditional hosting and cloud hosting as a blended solution to achieve highest ROI for the company.

There is another possibility to integrate with key cloud provider (e.g. AWS, Azure) together with a company network to make it a private WAN environment. This can be achievable from various provider (e.g. CATO). This will enforce another layer of security between internal & public hosted providers.

Taking into consideration the challenges of human resources in terms of hiring, retention, and the digital transformation that many are embarking, outsourcing seems to be a must have option. We will still need to have a core IT team within each company to work hand in hand with credible vendor to deliver solutions that meet our business demands.