The New Relic Modern Software Podcast is back! For the first episode of 2018, I’m joined by my co-host, New Relic Developer/Evangelist Tori Wieldt, along with Lee Atchison, Senior Director of Strategic Architecture, to discuss the hot-button issue of SaaS security. Specifically, the heretical idea that your precious data may actually be safer with a Software-as-a-Service provider in the cloud than in your own data center.
You can listen to the episode below, subscribe to the New Relic Modern Software Podcast on iTunes, or read on for a transcript of the entire episode, edited for clarity:
New Relic was the host of the attached forum presented in the embedded podcast. However, the content and views expressed are those of the participants and do not necessarily reflect the views of New Relic. By hosting the podcast, New Relic does not necessarily adopt, guarantee, approve or endorse the information, views or products referenced therein.
Fredric: Lee, earlier this year, you wrote a post in Diginomica, claiming that “Your Data Is More Secure with SaaS Companies Than It Is with You.”
Tori: How dare you!
Fredric: That’s a kind of a heresy right there, I think. So let’s dig into that a little bit. Maybe let’s attack the first premise: Why do companies think their data is more secure in their own data centers in the first place? Is it just legacy thinking?
Lee: It really is. Every company has data that is critical to their business. And if you want to make sure that data is secure, the easiest way to think about keeping it secure is to just keep it in your own data center, build high walls around it—firewalls all over the place—and it’s all in your control. Data in your control is safe. Data out of your control is not safe. That’s really the thinking that most companies go through, traditionally.
Fredric: Right. But maybe that thinking isn’t as relevant now?
Lee: Exactly. That was actually a problem in the early days of SaaS, because companies would say, “I like what you offer, but I can’t give you my data. I can’t put my data there, because putting my data in a SaaS provider means I’m putting it out on the internet for everyone to see.” That was kind of the mindset. Why would I send my data out over the internet when I can keep it in my own data center?
Now, though, what we’re seeing more and more is, when you talk about a high-quality SaaS provider, they really have the same level, and in many cases, a greater level of concern about data and data security than you do in your own company.
Fredric: Well, they certainly have more experience. We were recently at AWS re:Invent in Las Vegas, and I believe someone from PG&E made the comment that AWS basically spins up the equivalent of a new data center every day. And no matter how big you are, that’s a bigger level of experience in data centers and everything that goes with it, including security, than you have internally.
Lee: Absolutely. And the same thing can be applied at the Software-as-a-Service layer as well. With AWS, we’re talking about Infrastructure-as-a-Service. But even at the SaaS level, the same thing applies. If you look at a high-quality SaaS provider, their bread-and-butter business is managing other people’s data. If they don’t get that right, they’re out of business. It’s so critical for them to be good at security that they’ll often invest more in keeping your data secure than you invest yourself.
Fredric: It’s interesting that you say that, Lee, because on the one hand, you hear a lot about hacks and breaches at major companies around the world. And we haven’t heard as much about that happening to SaaS providers or cloud providers in general, and it seems that they might even be bigger targets in some ways. What do you think is going on there?
Lee: Well, I think what it really boils down to is companies often will get lax. They’ll say, “We’re secure. We won’t necessarily keep up-to-date on patches.” They won’t be aware of all the vulnerabilities going on in the world because they don’t have quite the focus on security as someone that’s dedicated to providing security has. And so, they’ll become lax; they’ll become out-of-date and they’ll become easy targets. And I think these companies are getting hit not necessarily because they are being targeted, but because they’re easy targets.
Tori: SaaS companies typically look at security a little bit differently in terms of making it baked in. One of the principles of good DevOps is moving security up and to the left.
That means it’s earlier in the development process. It’s not waterfall, develop, develop, develop, and then at the end you’re doing some sort of QA, and then at the end you’re doing some security. And if that happens, that’s great, but organizations sometimes say, “Maybe we’ll have to push it out and get to it later.”
The alternative is to make security a part of what you’re doing. I have seen New Relic do that, where security is just baked into the way we are thinking about data. We have to think about what it’s going to be, who has access to it, what the right processes around it are. It doesn’t just get tacked on at the end.
Lee: I absolutely agree. And, you know, for a major SaaS provider, whether it’s New Relic or someone else, security is so central that it is something that’s thought about from the very beginning of the process. But for a company that’s not directly in the security business, it may not be thought of that way.
Fredric: Well, I think some companies do and some companies don’t; it’s probably variable from company to company. And probably every company thinks they’re the ones who are the best at it—at least until something bad happens. I think that’s just human nature. Everyone thinks that way.
But that brings me to my next question: Why do people still think that their own data center is by far the safest place for this? Is it just a modern evolution of the old “I want to have my servers” kind of feeling, or is there something else going on?
Lee: I think it’s absolutely that. It’s easier to wrap your mind around the fact that it’s secure if you have it in your possession. And if it’s out of your possession, in someone else’s hands, it’s out of your control. Out of control means not safe. And I think that’s really what it boils down to.
Fredric: So, it’s sort of like the old “flying versus driving” analogy that people used to make: “I don’t feel secure in an airplane because I’m not in control and anything can happen. But when I’m driving, I know it’s up to me and I can solve any problem.” And yet the numbers show …
Lee: The exact opposite.
Fredric: … that you’re a lot safer in the middle seat than you are in the driver’s seat.
Tori: Your drive to the airport is the most dangerous part of your trip.
Fredric: And that’s a good metaphor, don’t you think?
Lee: Oh, absolutely. And I think as we are getting into self-driving cars, we’re gonna have that same argument all over again.
Fredric: Are all SaaS companies the same, and if not, how do you tell which ones are better than others?
Lee: In fact, no, they’re not the same. The real key to finding a SaaS provider that you know is secure is to look within the organization and find out what the security team looks like. If you can’t find out what the security team looks like, that’s evidence number one.
Tori: That’s a sign.
Lee: That’s not a SaaS provider you want to deal with. Once you look at the security team, how large is the team? What are they focused on? How connected are they with the security industry? Are they giving talks at conferences? Are they on panel discussions? Are they involved in the community in helping to grow the security environment in general? And, if they are, that’s an example of a high-quality provider.
Tori: Then I would say, auditing, right? There are a certain number of logos that you should look for, some sort of compliance and whatever the latest thing is. Make sure that the company that you’re dealing with has those things, and, if not, ask them why.
Lee: I think that’s a good point. That’s a necessary but not sufficient criterion, because some of those aren’t necessarily as evident of high security as you would want them to be, or don’t necessarily indicate everything that you need from a secure environment. But they do provide a level of assurance that the company cares about security.
Tori: Right. And has an awareness of regional differences—that’s a huge one.
Fredric: There’s a couple of things going on here. The process you’re talking about seems like it requires a certain amount of work. On the other hand, if you’re not willing to put in the work to choose a safe SaaS provider, you’re probably not putting in the work to properly secure your own data center, either.
Lee: That’s a great point.
Tori: Over time, it becomes a budget issue, right? You haven’t had anything happen for four years, so therefore you must be safe. So why are you paying for these people? “We have higher priorities until we get bitten by it.”
Lee: “I passed all the tests last year, why should I think we won’t pass them now?”
Fredric: Right. But if it’s your business and part of your value proposition to your customers, then that is incentive to maintain those high standards.
Lee: Right. The one thing about security versus anything else within your business environment is that you always have to be moving forward. You always have to be advancing. Because the enemy is doing the same thing, and if you don’t stay ahead of them, you’re behind them. And unless you can afford to keep up and to invest in security at the same level as the SaaS providers are doing, you’re going to fall behind.
Fredric: And because this is an interconnected world, if you’re behind, then you are an easier target—and the attacks will naturally seek the easiest targets that they can find.
Fredric: I think the points that you’ve been making, Lee and Tori, are really good here, but are there any numbers around it? Is there any outside validation as to who is really at risk, and why and how?
Lee: You know, that’s a good question. I think the answer is probably no. The state of the art in security is changing so quickly, I don’t know of any numbers that really can tell you how safe you are, or how many companies are safe, and which ones are safe, etc. I think it really is something that requires individual research and ongoing research.
The security labels that many companies get for their own purposes, those are all great, but they are a very minimal standard. They have to be, because they’re so generalized and cover such a large area. And they’re also very static; they don’t change that much over time.
Tori: So, it’s a trailing indicator.
Fredric: They are a necessary, but not sufficient, condition. If you don’t see them, it’s a red flag, but them alone, it’s not enough.
Lee: Exactly. If you don’t see the security team in the company you’re working with, that’s a problem. But once you see them, that’s still not sufficient, either.
Note: The intro music for the Modern Software Podcast is courtesy of Audionautix.