
Tag Archive security

There was a good article on techtarget this week about the hesitancy of IT pros to adopt SaaS. The main gist of the article was that SaaS is coming, even into the IT space. Which we here at LogicMonitor heartily agree with. We’ve seen much greater acceptance to SaaS as a delivery mechanism for a monitoring service over the last few years.

Of course, the IT professionals in the article still had issues. Some of the arguments against SaaS seem upside down, at least as regards SaaS based datacenter monitoring.

“That outsourcing a lot of computing functionality to hosted services often leads to downsizing of the IT staff itself”.

This may be true in some cases, but even in the recent economic downturn, we haven’t seen that at LogicMonitor.  What we’ve seen is that for companies that are growing, their IT staff is expected to accomplish more.  Pushing out responsibilities for things that are not part of their core focus (such as server and network monitoring) allows them to deliver better service in other areas, by freeing up staff time.  We’ve had customers with LogicMonitor deployments where they have freed up the time of a whole staff person – not resulting in layoffs, but allowing that person to address other issues in the IT backlog.

Ever heard of an IT department without a backlog?

“The fear is that if the Internet goes down, you won’t be able to do your job because the tools won’t work”.

True, but if your Internet connection goes down, you’ll be notified by your monitoring. Yes, you’ll be in the dark about the status of systems while that outage is going on, but you’ll know there is an issue, and it can be addressed. (And with LogicMonitor, the data for all systems will appear once connectivity is restored.) A far more likely scenario is that your premise based monitoring server goes down. And you don’t know about it, as you don’t have anything monitoring the monitoring server – so it could be down for hours before you even notice. Or, your Internet goes down at night, and the notification messages from your premise based monitoring can’t get out, so you arrive at work in the morning to an outage you didn’t know about and a mass of angry users.

Or you lose one of your datacenters. Power fails, you lose a core network switch, or what have you. With monitoring as a service, you’ll be notified (which you may not be if your premise based monitoring was in that datacenter). You’ll know if your other datacenters are OK, and if services failed over to other datacenters. (Again, not something you’d know with a premise based system.) This will give you some breathing room to focus on the failed site, knowing all is well elsewhere (assuming you have DR set up).

And when you restore power or what have you to the failed datacenter, you’ll know immediately what hosts recovered, what databases started automatically, what storage clusters failed over – or not – without having to first recover your monitoring node and wait for all its services to start.
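The failure mode described above is silence, not an alert: a monitoring server that is down, or whose notifications cannot leave the site, simply stops reporting. As an added example (not code from the original post or from LogicMonitor), a dead man's switch run somewhere outside the monitored site treats the absence of heartbeats as the alarm; the host name, log format and thresholds are constructed for illustration.

```python
# Added example: "monitor the monitor" via a dead man's switch.
# The monitoring server posts a heartbeat to an external receiver on a
# schedule; the receiver raises an alert when heartbeats stop arriving.
from datetime import datetime, timedelta

# Constructed sample of what the external receiver logged, one line per
# check-in from the hypothetical premise-based monitoring host "mon01".
HEARTBEAT_LOG = """\
2009-06-01T01:00:02Z mon01 heartbeat
2009-06-01T01:05:01Z mon01 heartbeat
2009-06-01T01:10:03Z mon01 heartbeat
"""

def _parse_ts(text):
    """Parse the UTC timestamp format used in the constructed log."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

def parse_heartbeats(log):
    """Return the most recent heartbeat timestamp seen for each host."""
    latest = {}
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "heartbeat":
            continue  # skip malformed lines rather than trusting them
        ts, host = _parse_ts(parts[0]), parts[1]
        if host not in latest or ts > latest[host]:
            latest[host] = ts
    return latest

def silent_hosts(log, expected, now_iso, max_gap_minutes):
    """Hosts in `expected` that never checked in, or whose last heartbeat
    is older than max_gap_minutes as of now_iso. These are the alerts."""
    now = _parse_ts(now_iso)
    gap = timedelta(minutes=max_gap_minutes)
    latest = parse_heartbeats(log)
    return sorted(h for h in expected
                  if h not in latest or now - latest[h] > gap)

if __name__ == "__main__":
    # A monitoring host whose heartbeats stopped 20 minutes ago is reported
    # as silent; a 10-minute gap is a constructed threshold (2x the interval).
    print(silent_hosts(HEARTBEAT_LOG, ["mon01"], "2009-06-01T01:30:00Z", 10))
```

Because the check runs outside the site, an overnight loss of the site's Internet link shows up as missing heartbeats, which is exactly the case where premise-based notifications cannot get out.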

“Security”

This wasn’t mentioned in the article, but it is an objection we hear (although much less than we used to).

Again, this is probably an objection that is upside down. I’ve yet to meet any enterprise that restricts physical access to its premise based monitoring servers by keeping them in locked cages with biometric access, 24 hour armed guards; tightly restricts who can log in to their monitoring servers; encrypts all data in the database, so even gaining root access to the database is of no use; and regularly conducts vulnerability assessments against their monitoring.

Most likely their monitoring is running in a server room which many people can access; all IT admins can usually log in as root; and they have no idea about the protection of data within the monitoring server.

We’ve even heard security raised as an objection against hosted monitoring from companies using Salesforce.com to manage their customer relationships. As if CPU load and disk latency metrics were more valuable to the enterprise than customer and prospect data. There are valid cases for not adopting SaaS (some finance or government applications), but in general security is raised by IT people taking a fiefdom view of SaaS, rather than really considering the information risk and the benefits that accrue to the company.

So what do you think?

Is SaaS coming to IT?


Having worked in SaaS companies for a long time (going back to when they were called ASPs), I’ve heard a lot of companies not adopt SaaS solutions due to “security concerns”. This attitude has generated quite a few blog posts recently, so I thought I’d add my 2 cents.

The people involved in SaaS think security is often better in SaaS systems than in premise based systems.
Justin Pirie at “The Week in SaaS” (an essential blog for those in SaaS, I think), put it this way:

something struck me- 46% of people surveyed were not moving to the cloud because of security.
This is bonkers! Just because it’s behind your firewall does not make it secure.

Reuven Cohen at Elastic Vapor summarizes his view:

the new reality is that cloud computing is in a lot of ways more secure simply because people are actually spending time looking at the potential problems beforehand.

So what’s my opinion? Having managed IT operations for a variety of companies, and worked in SaaS companies, I think I can share a realistic view.
There are (simplistically) two aspects to application security – physical security and application level security.

If you are a small company, and have premise based applications, you probably don’t care much about application level security. The company is small, and everyone will be trusted to some degree. The fact that the application is behind a firewall, with no access from outside, does provide fairly good security. The SaaS advantage here is that small companies do not usually have physically secure premise based servers. They are typically in a small server room (or closet), without much in the way of alarms, 24 hour guards, and all the other touted features of datacenters. And if you can physically access a server, you can get to the data on the server. As a friend of mine, the head of sales at a SaaS property management software company, puts it: “No Fortune 500 company would consider putting their servers in your SMB server room. Yet they do have them in the same datacenter as our SaaS servers.”

As a company grows, they will typically get on top of physical security, but then application security raises its head, as security sensitive applications will now be restricted to a subset of employees. Many premise based applications (especially open source ones or internally developed ones, it seems) are written without any access control designed in. And once a company reaches any size, the premise based application will need to be accessed by people outside the firewall (remote offices, teleworkers, etc.). How is that access to be granted securely, without undermining the whole security premise of “Well, it doesn’t matter if it’s not terribly secure, as no one can access it”?

Yes, you can put reverse proxy firewalls or SSL VPNs to provide some sort of remote access, but now the “simple” choice of premise based software for security is getting more and more complicated (and expensive).

So I think the consensus above is correct – in a company of any size, you are likely to have fewer security issues and less expense with a SaaS solution than with premise based software.
(FYI – LogicMonitor has its servers in Equinix datacenters.)

What are your thoughts?
