Terms seem to change meaning so often in IT. It used to be that outsourcing conjured up images of Bangalore. For many firms, outsourcing now is synonymous with software-as-a-service from companies such as SalesForce.com, Intuit and ADP, which will -- for a healthy fee -- help an organization trim the fat off its business processes. While software-as-a-service may work miracles for your bottom line, surrendering control of a business process to a partner doesn't mean you also jettison the risk of your data being exposed. In fact, you probably increase the risk.
Software-as-a-service decouples two typically intertwined factors: control of a process and the consequences/liability of that process failing. Service level agreements (SLA) try to transfer some of the risk -- for example, a typical contract might guarantee a minimum uptime; if the provider doesn't meet the terms, it has to cut the customer a fat check. I've never seen a contract describe what these providers do to secure their software, however. How many customers ask software-as-a-service vendors about the security of their code? Is there anything in their SLA about security or breaches? Who's left holding the bag if their security is weak? The answers are: not many; almost certainly not; your company.
Another interesting point to ponder is that attackers' motivations are changing. Breaking into systems is becoming profit driven and organized. Essentially, software-as-a-service providers are an aggregation point for valuable data -- and one juicy target. From a hacker ROI perspective, why would an attacker spend time breaking into a small company when he can set his sights on the drop point for the most valuable data of a whole group of companies? A 30-person outfit in Idaho probably wouldn't even show up on an attacker's radar, but when it lumps its customer data with 1,000 other 30-person companies (and some Fortune 500 firms), you've got some serious risk.
At first it would appear this risk through aggregation is similar to the risk companies take every day (from worms and viruses) by using the same operating system and Web browser. The key difference is that within our own network we can take specific and individual action to reduce risk, such as deploying firewalls, intrusion-detection systems and antivirus software. When our entire system is managed by someone else, the only thing we can do is make sure our provider is thinking hard -- and possibly contractually -- about security.
The bottom line is that companies need to ask their software-as-a-service providers some tough questions about their security practices. Your provider is, by proxy, an extension of your own company, with two exceptions: First, it's a bigger target than you are, and second, you have no real insight into (or control over) how it manages your critical data.
Not to worry, though. I'm sure your time sheets, client contacts, 401(k), or whatever else you may be managing with software-as-a-service is fine -- but it's always good to pack an umbrella when the sky's cloudy.