Trusting that cloud based providers (SaaS) will protect your data from theft or loss
-
We keep a lot of mission critical, highly confidential data in O365, Google Apps and Dropbox. I don't have a problem with this. Their security is significantly better than anything I can provide on-premise as an SMB. There is risk, but it is acceptable risk. It's not something I feel a need to worry about.
But what about smaller providers? We use Freshdesk as our helpdesk ticketing system. I know very little about them. I don't even know what country they're based in. They're not small, but they're not massive. We keep a lot of sensitive data in some of our helpdesk tickets (passwords, server details etc etc). I'm trusting that Freshdesk servers have adequate security, but I have no way of knowing. How do I manage this?
Data theft would be terrible. Data loss would also be terrible. We don't pay for Freshdesk. Rightly or wrongly, I always feel more confident using a paid service. If nothing else, expectations of support in case of data loss or theft is going to be higher when you're paying for it.
As well as risk of theft or data loss, there is a risk of the provider simply disappearing without notice. You go to use your software and just get a message "Sorry, we're dead. Everything is gone". Or you get a 30 day notice that the service is closing down - this isn't so bad, because you at least have some time to move your data somewhere else, but it's still terrible.
How do you deal with this? Do you sleep ok at night?
-
@Carnival-Boy said in Trusting that cloud based providers (SaaS) will protect your data from theft or loss:
But what about smaller providers?
You are right to worry. The size and competence of providers is the same "concern" level across domains. A ten person cloud provider has about the same security skills and potential as a ten person accounting office, insurance agency or doctor's office. Maybe slightly better, just because of the type of business, but same ballpark.
In all cloud (or non-cloud) cases there are two factors to consider: the intent & capability of the vendor; and the size of the vendor. We then have a formula to determine the risk that looks something like this...
Risk = (IntentCapability * Size * SSIC)
Where IntentCapability is shown as a number, Size is a Number in Revenue and SSIC is the "SAM Size IntentCapability Constant" which is a number that modifies the Size variable in a consistent way to make it correctly represent its impact on the IntentCapability.
Do we know these numbers? No, but this shows us the relationship. The SSIC is a constant, so we can ignore it for relativistic determinations. So what we have is that we take the IC and apply a Size factor to it and this directly influences our risk. If the Intent to be safe approaches (or drops below) zero, the size of a business makes no difference, our risk is high. If the IC is low but the size is very large, we can still be decently safe.
The difficult thing is that we cannot easily determine the IC number.
-
@Carnival-Boy said in Trusting that cloud based providers (SaaS) will protect your data from theft or loss:
How do you deal with this?
Primarily we work with large vendors for critical systems. Something like monitoring, there isn't much to worry about, if the vendor fails we just move on to another. But things like storing critical data, we either keep in only very well known vendor systems (Microsoft, Google, Amazon and so forth) or do so in a hybrid fashion (ex. our main storage system of NextCloud is hosted on Vultr and backed up to BackBlaze.)
SaaS, like FreshDesk, carries more risk because you, more or less, have to trust them with all security and nearly all protection from data loss. That means you have to trust them, a lot. For something like our NextCloud system, we need only really trust Vultr for uptime and some light security, we don't require that they have loads of expertise, because they are an IaaS provider only. SaaS requires the most trust, PaaS a bit less and IaaS the least in the cloud computing model.
For small providers, you really have to evaluate each one individually and there are many factors like: their size, their focus, their motivation, their goals, their location, their track record, their transparency and so forth and combine that with the data in question - is it business critical, security sensitive, trivial, etc.
-
@Carnival-Boy said in Trusting that cloud based providers (SaaS) will protect your data from theft or loss:
Do you sleep ok at night?
Ha ha
-
@Carnival-Boy said in Trusting that cloud based providers (SaaS) will protect your data from theft or loss:
I'm trusting that Freshdesk servers have adequate security, but I have no way of knowing. How do I manage this?
This is tough, and really you have no way of knowing, especially for most smaller players. But, in many ways, this is an IT hat that you are wearing rather than a business one. Put on the business hat and ask the same question of internal IT. How does the CEO, CFO, BoD or whatever know that internal IT systems are secure? They can't, not effectively. They mostly just have to trust that their IT team is doing an adequate job, is provided adequate resources and so forth - which means that they also have to trust that they are conveying security needs to IT and never balking when security budgeting is requested.
From a business perspective, both carry the same risk and sleepless nights. From the IT perspective, SaaS means you need not worry about it, it's offloaded. Data loss or breaches would not fall to you as you aren't the administrator for it. So the hats you wear really determine how it is perceived.
-
@scottalanmiller said in Trusting that cloud based providers (SaaS) will protect your data from theft or loss:
How does the CEO, CFO, BoD or whatever know that internal IT systems are secure? They can't, not effectively. They mostly just have to trust that their IT team is doing an adequate job
If I was CEO I wouldn't trust my IT team. I'd get them externally audited (eg penetration testing etc etc). My department (IT) is the only department in our company that doesn't get externally audited to some extent.
Well, technically, we do get audited as part of other audits (finance, ISO certification, insurance providers etc etc), but in practice, those auditors don't understand anything about IT, so it's little more than a box ticking exercise and not a robust audit ("Do you keep external backups?" Tick).
I think all IT departments should get properly audited annually by external experts.
-
@Carnival-Boy said in Trusting that cloud based providers (SaaS) will protect your data from theft or loss:
If I was CEO I wouldn't trust my IT team. I'd get them externally audited (eg penetration testing etc etc). My department (IT) is the only department in our company that doesn't get externally audited to some extent.
Great thinking. Much harder to do than it seems, though. External auditors are one of the weakest links in IT. If you think that MSPs are often bad, auditors are another order of magnitude worse. Even in the Fortune 100 they struggle to find real auditors. Because they do no work, there is nearly no way to validate an audit. It doesn't have to "work". I've often seen auditors directly create massive security holes or bring systems down because they were given the right to make demands or told people that systems had been secured that were not touched so the IT team all believed that "someone else" had secured them.
-
@Carnival-Boy said in Trusting that cloud based providers (SaaS) will protect your data from theft or loss:
I think all IT departments should get properly audited annually by external experts.
I do that kind of auditing, so I definitely agree. In theory, most good cloud providers get this as well. Problem is, the more auditing and oversight you have, the more costly, more constrained the system becomes and the more people from more companies that you have to trust with access and knowledge.
-
@scottalanmiller said in Trusting that cloud based providers (SaaS) will protect your data from theft or loss:
You are right to worry. The size and competence of providers is the same "concern" level across domains. A ten person cloud provider has about the same security skills and potential as a ten person accounting office, insurance agency or doctor's office. Maybe slightly better, just because of the type of business, but same ballpark.
Oh sure. By "small" I'm talking relative terms, not absolute. I'm not trusting my data to a bunch of college grads working out of their parents' garage. But how to judge size? Many of these providers are well funded, but may not have much revenue, due to the nature of startups. Freshdesk has just got $50m funding, which seems a lot to me, but is peanuts in US startup terms. They have 1000 employees, but the definition of "employee" can be confusing in the startup world.
We also rely on Trello. They've just been purchased for $500m. Does that make them big enough to trust? I think so, but I really don't know. These are all startups and I'm old and struggle to see beyond my understanding of traditional firms.
-
@Carnival-Boy said in Trusting that cloud based providers (SaaS) will protect your data from theft or loss:
Oh sure. By "small" I'm talking relative terms, not absolute. I'm not trusting my data to a bunch of college grads working out of their parents' garage. But how to judge size? Many of these providers are well funded, but may not have much revenue, due to the nature of startups. Freshdesk has just got $50m funding, which seems a lot to me, but is peanuts in US startup terms. They have 1000 employees, but the definition of "employee" can be confusing in the startup world.
Large funding is good. Large number of employees is bad (relative to the amount of funding.) $50m doesn't go very far with 1,000 employees. What does a vendor like Freshdesk need with more than, say, 50 employees? That's enough for sales, support and development. What do the other 950 do?
$50m USD = Number of FreshDesk Employees x Average US Salary x 1 Year
That funding is just enough for a one year run rate. Just ONE YEAR. That's scary. If their revenue is high already, say $40m / year, and the $50M is on top of that, then great. But if they are not making enough money to run the company without that funding, that sounds really precarious. You think it sounds like a lot but not so much for the US, we feel the opposite, that it's small for the US but nothing for the UK where the salaries and costs are so much higher.
And that's assuming that the people working at the company are "average." Any software developers will be 200% - 300% the US average income. And if the company has offices in say NY or San Francisco, then they are only getting a few months of salary in that round of funding! And if they have physical offices, that can easily hit 100% the cost of the people.
It's theoretical that with 1,000 US workers in Silicon Valley or Northern NJ that $50M could represent as little as one month of operational costs!
-
@Carnival-Boy said in Trusting that cloud based providers (SaaS) will protect your data from theft or loss:
We also rely on Trello. They've just been purchased for $500m. Does that make them big enough to trust? I think so, but I really don't know. These are all startups and I'm old and struggle to see beyond my understanding of traditional firms.
In the case of an acquisition like that, you have totally different factors to consider. One is how big the buyer is, not the buyee. And you have to worry about the goals of the buyer. Did they buy them to develop the product, or to make a competitor go out of business?
-
True, but that's not a problem specific to SaaS. Traditional, on-premise software can become effectively unusable if the software company decides to no longer support it.
-
I just happened to stumble upon Trello having been purchased by Atlassian. I had no idea.