Software-as-a-service lets CIOs pay only for what they need, but CIOs need to make sure they get the system performance they've paid for.
Companies are sometimes choosing software-as-a-service over on-premises software because it is inexpensive and flexible, yet recent outages at Google and Workday are reminders that SaaS isn't perfect. SaaS lets CIO pay only for what they need, but how do CIOs make sure they get the performance they've paid for?
Most SaaS vendors only guarantee 99.9% availability or better, depending on the app, because in any IT infrastructure, unplanned outages can and do occur. But a good SaaS vendor, in addition to presenting a solid fail-over plan, is forthright about system performance, and communicates the details of unplanned outages if they occur.
Ray Wang, an analyst with Altimeter Group, published a best-practices document for SaaS earlier this month, titled "Customer Bill Of Rights: Software-as-a-Service." On performance metrics, Wang advises that SaaS customers should expect their vendors to provide a "trust site" for monitoring service levels (such as Trust.salesforce.com or status.netsuite.com), although not all vendors provide such sites. Vendors also should provide a monthly report on key availability and continuity metrics, Wang advises.
Workday, which offers human resources, financial apps, and payroll-as-a-service, is among those that don't offer a trust site. But it's still a small company, with only 100 customers, so it was easy enough to call or e-mail customers with status updates during a 15-hour outage on Sept. 24.
A network-attached storage device that stored operating system files for Workday's production servers self-diagnosed a corrupted mode. But rather than simply logging it, the device took itself offline. When Workday couldn't resolve the problem within a few hours, it began the 12-hour process of moving its systems over to a back-up data center.
These details were provided to customers during the outage. "The communication from Workday was frequent and fairly complete," said Andy Schlei, VP and divisional CIO atSony (NYSE: SNE) Pictures Entertainment. Sony is a new Workday customer for human resources SaaS. Sony is still running it in a test environment, so its HR operations weren't affected by the outage. Still, news of it was "disappointing," said Schlei. "It's not good to have an outage like this. But, there was no data loss, there was a reasonable amount of time for recovery, and they clearly communicated the root cause."
Indeed, transparency is key to successful SaaS relationships, said Wang. At a Workday user conference on Oct. 19 in San Francisco, Wang said he talked to several Workday customers about the outage. "For the most part, customers who got those phone calls from Workday throughout the night were very understanding, because Workday was pretty up front about it," he said.
"It's like waiting in line at the airport when your flight's been cancelled. If the agent's not giving you enough information to make a decision on what you should do next, you become frustrated. It's how you handle crisis management -- do you hide information from customers, or tell them everything you have so that they can make decisions?"
Google (NSDQ: GOOG), meanwhile, had a nearly two-hour outage on Sept. 1 that affected all of its enterprise customers, including Genentech, Hamilton Beach, and Johnson Diversey, and another later in the month that affected a small group of customers.
Still, in the roughly 10 years since hosted Software Services have been available, the average rate of uptime for any given SaaS vendor is likely higher than what typical IT shops experience with comparable applications installed on-premises, Wang said. But when apps are in the cloud, "these providers are going to have to be responsible for a lot more," he said.
Google, which offers an ongoing Apps Status Dashboard on availability, notified all users in a blog, but large enterprise customers were offered one-on-one post-mortem calls with Google executives.
There can be varying levels of vendor responsibility, depending on what arrangements have been made. For example, companies such as Oracle offer to host software in a customer's own data center. If the customer's hardware running the software causes an outage, then the SaaS vendor might not be responsible for it.
Not all SaaS vendors are willing to do service-level agreements, particularly if it's a low-cost service notes Todd McClelland, a Washington, D.C.-based attorney who represents both cloud computing customers and vendors on deals. "If you're not paying a lot, then the vendor is not going to take a whole lot of responsibility," McClelland said. "We're only seeing discussion of SLAs in very large deals."
Still, as interest in SaaS and other types of cloud computing picks up, there's more discussion of how to formalize vendor expectations around both performance and security, McClelland said.
For example, some customers are asking for vendors to show SAS 70 certification, McClelland said. That stands for Statement on Auditing Standards No. 70, Service Organizations, and was established by the American Institute of Certified Public Accountants as a way to assess how well a firm handles sensitive data. But in recent years it's been used by non-accounting firms to audit the quality of security systems, processes and controls. Google, for example, has pointed to its SAS 70 certification as proof that its cloud computing services are secure.
Companies need to "consider whether vendors should be holding and hosting certain types of customer data," said McClelland. "The Amazons and IBMs of the world will implement security measures that are greater than customers would have on their own systems," he said. "But even though large vendors' systems are more protected, there [are] more people who will want to hack into those systems because there's so much more data."
Source:
http://www.informationweek.com/news/services/saas/showArticle.jhtml?articleID=220800123&pgno=1&queryText=&isPrev=
Professional Web Design
Showing posts with label Software as a Service. Show all posts
Showing posts with label Software as a Service. Show all posts
Wednesday, October 21, 2009
Tuesday, October 6, 2009
Gmail and Yahoo Mail Passwords Exposed
BBC reports Gmail, Yahoo Mail, AOL, and others targeted by the same attack that hit Hotmail
Google's Gmail and Yahoo's Mail were also targeted by a large-scale phishing attack, perhaps the same one that harvested at least 10,000 passwords from Microsoft's Windows Live Hotmail, according to a report by the BBC.
Microsoft , for its part, said late yesterday that it had blocked all hijacked Hotmail accounts, and offered tools to help users who had lost control of their e-mail.
Gmail was the target of what Google called a large-scale phishing campaign, the company told the BBC. "We recently became aware of an industry-wide phishing scheme through which hackers gained user credentials for Web-based mail accounts including Gmail accounts," a Google spokesperson told the news network.
The BBC also said it has seen a list of some 20,000 hijacked e-mail accounts; the list included accounts from Gmail, Yahoo Mail, AOL, Comcast and EarthLink. The latter two are major U.S. Internet Service Providers.
"As soon as we learned of the attack, we forced password resets on the affected accounts," the Google spokesperson also told the BBC. "We will continue to force password resets on additional accounts when we become aware of them."
Neither Google's or Yahoo's U.S. representatives responded to e-mails from Computerworld seeking confirmation that their Gmail and Yahoo Mail services were targeted by phishers, or answers to questions about how many accounts had been compromised and what the firms are doing to help users.
Neowin.net, the site that first reported the Hotmail account hijacking early Monday, today added that it had seen the same list of compromised accounts as the BBC.
"Neowin can today reveal that more lists are circulating with genuine account information and that over 20,000 accounts have now been compromised," said the Windows enthusiast site . "[The] new list contains e-mail accounts for Gmail, Yahoo, Comcast, EarthLink and other third-party popular Web mail services."
Microsoft has acknowledged that log-on credentials for "several thousand" Hotmail accounts had been obtained by criminals, probably through a phishing attack that had duped users into divulging their user names and passwords.
Late Monday, Microsoft said it was blocking access to all the accounts whose details had been posted on the Web last week. "We are taking measures to block access to all of the accounts that were exposed and have resources in place to help those users reclaim their accounts," the company said on its Windows Live Blog.
Source:
http://www.infoworld.com/d/security-central/gmail-and-yahoo-mail-passwords-exposed-737
Chicago Web Design
Google's Gmail and Yahoo's Mail were also targeted by a large-scale phishing attack, perhaps the same one that harvested at least 10,000 passwords from Microsoft's Windows Live Hotmail, according to a report by the BBC.
Microsoft , for its part, said late yesterday that it had blocked all hijacked Hotmail accounts, and offered tools to help users who had lost control of their e-mail.
Gmail was the target of what Google called a large-scale phishing campaign, the company told the BBC. "We recently became aware of an industry-wide phishing scheme through which hackers gained user credentials for Web-based mail accounts including Gmail accounts," a Google spokesperson told the news network.
The BBC also said it has seen a list of some 20,000 hijacked e-mail accounts; the list included accounts from Gmail, Yahoo Mail, AOL, Comcast and EarthLink. The latter two are major U.S. Internet Service Providers.
"As soon as we learned of the attack, we forced password resets on the affected accounts," the Google spokesperson also told the BBC. "We will continue to force password resets on additional accounts when we become aware of them."
Neither Google's or Yahoo's U.S. representatives responded to e-mails from Computerworld seeking confirmation that their Gmail and Yahoo Mail services were targeted by phishers, or answers to questions about how many accounts had been compromised and what the firms are doing to help users.
Neowin.net, the site that first reported the Hotmail account hijacking early Monday, today added that it had seen the same list of compromised accounts as the BBC.
"Neowin can today reveal that more lists are circulating with genuine account information and that over 20,000 accounts have now been compromised," said the Windows enthusiast site . "[The] new list contains e-mail accounts for Gmail, Yahoo, Comcast, EarthLink and other third-party popular Web mail services."
Microsoft has acknowledged that log-on credentials for "several thousand" Hotmail accounts had been obtained by criminals, probably through a phishing attack that had duped users into divulging their user names and passwords.
Late Monday, Microsoft said it was blocking access to all the accounts whose details had been posted on the Web last week. "We are taking measures to block access to all of the accounts that were exposed and have resources in place to help those users reclaim their accounts," the company said on its Windows Live Blog.
Source:
http://www.infoworld.com/d/security-central/gmail-and-yahoo-mail-passwords-exposed-737
Chicago Web Design
Subscribe to:
Posts (Atom)