Comments on: Salesforce.com and the debate over SaaS security, email confidentiality http://itknowledgeexchange.techtarget.com/security-bytes/salesforcecom-and-the-debate-over-saas-security-email-confidentiality/ A SearchSecurity.com blog Sat, 28 Nov 2009 20:01:11 +0000 http://wordpress.org/?v=2.6.2 By: low_profile http://itknowledgeexchange.techtarget.com/security-bytes/salesforcecom-and-the-debate-over-saas-security-email-confidentiality/#comment-426 low_profile Tue, 13 Nov 2007 19:19:05 +0000 http://security.blogs.techtarget.com/2007/11/02/salesforcecom-and-the-debate-over-saas-security-email-confidentiality/#comment-426 It's not "whether or not a SaaS vendor can secure those Web applications better than its clients could on their own." It's "will the SaaS vendor secure those apps appropriately for all clients." The decision of how much security is good enough will be made by the SaaS vendor, based on their financial model and risk tolerance, and most of their clients will never realize that their own risk model isn't considered except very indirectly. Likewise, notification of email address exposure shouldn't be left to the discretion of the compromised (and thus embarassed) vendor. Clients of SaaS vendors should include contractual requirements for notification of any breach or compromise, regardless of extent. It's part of the information required to properly evaluate SaaS vendor quality of service. It’s not “whether or not a SaaS vendor can secure those Web applications better than its clients could on their own.”

It’s “will the SaaS vendor secure those apps appropriately for all clients.”

The decision of how much security is good enough will be made by the SaaS vendor, based on their financial model and risk tolerance, and most of their clients will never realize that their own risk model isn’t considered except very indirectly.

Likewise, notification of email address exposure shouldn’t be left to the discretion of the compromised (and thus embarassed) vendor. Clients of SaaS vendors should include contractual requirements for notification of any breach or compromise, regardless of extent. It’s part of the information required to properly evaluate SaaS vendor quality of service.

]]> By: arieanna http://itknowledgeexchange.techtarget.com/security-bytes/salesforcecom-and-the-debate-over-saas-security-email-confidentiality/#comment-425 arieanna Fri, 02 Nov 2007 17:37:48 +0000 http://security.blogs.techtarget.com/2007/11/02/salesforcecom-and-the-debate-over-saas-security-email-confidentiality/#comment-425 Great article. I agree that perhaps vendors can step in and offer a solution to cover data not currently considered confidential. I think that no matter what type of data is breached, it is a hit to credibility. If that data is being used in creative ways by phishers, there is a greater issue of responsibility, not just compliance. Great article. I agree that perhaps vendors can step in and offer a solution to cover data not currently considered confidential. I think that no matter what type of data is breached, it is a hit to credibility. If that data is being used in creative ways by phishers, there is a greater issue of responsibility, not just compliance.

]]>