“There’s nothing to see here folks, move along. Nothing to see here.”
That’s what police usually say when a crowd gathers to watch something new, unusual or just plain interesting.
Reminds me of an article I recently ran across declaring that Software as a Service (SaaS) technology was indeed configurable. The jist of it was that NetSuite CEO Zach Nelson was attempting to shatter some of the common misperceptions about SaaS during his keynote address at a company’s partner conference in San Francisco last week.
The WebCPA article covering Zach’s speech went on, “Addressing claims that most SaaS solutions are not customizable, Nelson claimed that there are currently 6,600 users utilizing NetSuite’s enterprise resource planning functions, the majority of which are customizable features.”
Extra! Extra! Read all about it: SaaS is configurable, says Zach. And we’ve blogged about this before, too.
But is this news to anyone?
Apparently it is in some circles. So why has SaaS gotten a bad rap as inflexible?
Blame it on the early days of SaaS, when some providers offered more rigid, “pigeon-holed” solutions, says AssurX Operations Manager Karl Kleinkauf, who’s been in this business nearly twenty years. “In the old days there was something of a ‘take it or leave it’ attitude,” Karl adds.
But that’s all changed in recent years, Karl notes. For starters, the technology has improved and ample bandwidth is more widely available today. Both factors help make SaaS more configurable. But consumer demand also helped make it happen, Karl notes.
In fact, as his own customers get more adept using SaaS for regulatory compliance, they often see other uses for it. “I’ve helped many use our SaaS system for document control and customer complaint handling after they’ve gotten comfortable with it on the compliance side,” Karl says.
So let’s recap: SaaS is flexible, multi-faceted and configurable.
Remember, you didn’t read it here first.
In the IT world, there is ever that security pendulum that either seems to move toward ease of use or toward restrictive control. Users typically tend towards the “ease of use” end of the spectrum because who wants to remember yet another password? And who wants to install complicated VPN software or jump through extra authentication hoops? Conversely, IT folks (like me) tend to believe in restrictive control, in complicated passwords as possible, extra authentication hoops and logging everything that happens over an established connection.
With the advent of SaaS (Software as a Service), security becomes all the more critical in terms of both the user of the service and the administrator of the environment providing that service. The beautiful thing about SaaS offerings like CATSWeb is that they are completely web based through HTML. This makes life much easier for all parties. From the user side, CATSWeb requires no special VPN software, nothing downloaded to the client computer and no local certificate store to verify a user’s identity only a web address and a password. From the IT standpoint, all machines involved in providing CATSWeb SaaS are completely locked down to two ports of traffic; an IT dream come true. Users will either be coming into a hosted CATSWeb environment via HTTP (port 80) or HTTPS (port 443). For securing a server to the world, only having to deal with two ports is about as simple a scenario as exists in the IT industry.
Because CATSWeb traffic is only on two ports, our servers are locked down completely, with those two ports being monitored constantly through the firewall, protected by live scanning anti-virus solutions and safeguarded by managed IDS (Intrusion Detection) systems. Add to that all web traffic is logged from start to finish and you’ve got as bulletproof a server system as can be found. And then we get to CATSWeb itself.
Within CATSWeb, AssurX has included additional security tools to ensure that your data is safe. First, each customer company has their own unique, individual database not shared by anyone else. If a customer chooses to require SSL for accessing their CATSWeb database, this ensures that all traffic to and from that database is encrypted. System access is automatically logged for easy review, including the IP address from where the traffic originated.
The rest we leave up to users. I guess that’s where CATSWeb SaaS becomes a two-pendulum system. The “server security pendulum” we’ve chosen to swing as far toward restrictive control as possible. The “user access pendulum” we leave to the users of CATSWeb. An administrator in a CATSWeb system can set their own requirements for passwords for their users, establish their own session parameters such as session length and inactivity timeouts and much, much more. This will allow any given SaaS CATSWeb system to have security anywhere along the user access pendulum, from easy to restrictive, based on what your requirements are.
