SaaS, Security and the OWASP 10

When considering a SaaS-based solution, people often wonder whether their data will be safe “in the cloud”. Security is a major advantage of a SaaS solution. In most situations, security attacks are caused by the behaviour of legitimate users. According to a recent Forrester Research report, 70% of all security breaches are caused by internal sources. By locating the system outside the organisation, security risks can be significantly reduced.

Software as a Service is provided to a customer as a subscription-based service that is delivered over the internet. SaaS can eliminate high upfront establishment costs as well as IT maintenance and support. Security measures are required to keep unauthorised people out of your system and to prevent them from reading your data while it is in transit. More importantly, measures are used to protect internal users from vulnerabilities and to control their access so that they only reach what they are meant to.

The OWASP Top 10 identifies the most dangerous security risks that occur on the internet. It provides a framework for evaluating a SaaS application’s security. The major security mechanisms in a SaaS application can include TLS and SSL, PGP, user management, password and passphrase requirements and storage, SAML, and audit trails.

If you’re interested in finding out more, please download the free security white paper from


Workflow SaaS (Software as a Service)

Since Kontinuum is a web-based product, a lot of our clients simply subscribe to our service. There are various factors which determine when it is best to subscribe to a workflow software service or simply to buy the workflow software and host it locally. Here are a few factors which should be considered. Furthermore, many of these factors apply to Software as a Service adoption in general, whether it is workflow/BPM or not.

What is the level of risk aversion?

With SaaS you don’t have to make a huge initial investment. You can try before you buy. You can then buy a little, and a little bit more as the need arises.

How dispersed are your users?

With SaaS everything is generally set up so that it can be accessed from anywhere. This has a lot of benefits, but there are some drawbacks when it comes to security.

How transaction intensive are the workflow applications in dealing with legacy systems?

You can exchange information with legacy systems via web services. You can do it. That doesn’t mean it is worth doing. If your transaction rate is very high, exchanging information over the web gets ugly.

How much data is required to be uploaded / downloaded?

Speed can be an issue with SaaS, especially if you need to upload or download 100 MB files.

How big an issue is security?

Remember that SaaS is more likely to be a web-based product these days. There may even be legal requirements that certain data you hold is not made available online.

How much effort is required to get software installed locally?

Sometimes this can be a major issue. One of the largest banks in Australia came to us and they wanted a system up and running in under two weeks. Meanwhile another division within the bank wanted a system to be hosted locally. The division which wanted a local system had to wait about 4 months to get approval, whereas the hosted workflow applications were created and deployed in 2 weeks. So it took 8 times as long to get something approved as to get something done.

These factors are just a few off the top of my head, but I am sure there are many more.