Salesforce and Security
Infrastructure as a Service, Platform as a Service and Software as a Service are being embraced broadly in both the public and private sector. In this video I focus primarily on Software as a Service but I’ll cover each a bit here.
Infrastructure as a Service leads to some efficiencies from a cost standpoint, but that it could also perpetuate and even accelerate some organizational problems by making it easier/cheaper to rapidly stand up new server instances, etc. This in turn simply adds to the complexity of what must be managed by the business, security staff, etc. On the other hand it also preserves the organizations ability to maintain much of the precise application profile it currently leverages. This can be a great comfort for organizations that have successful applications supporting capabilities but that are interested in the economics of the cloud.
Platform as a service is sort of the next logical step up from IaaS and helps address some of the complexity issues I mentioned earlier. Finally Software as a service is where I believe organizations have the most potential. There is a much more of a focused value proposition for the business and hopefully a better technology to business mapping. The downside of course is that it involves change and that of course change comes with its own issues. In this video I talk about the above factors and specifically about Software as a Service as embodied by Salesforce.com.
Our experience in getting into the AppExchange and talking to customers has included a lot of learning about how customers think about the cloud and I share some of that as well as our experience in dealing with security questions. One of the big things customers get concerned about with the cloud is the multi-tenancy aspect of it. Essentially your stuff is right next to someone else's stuff, so how secure can it be? I think one of the keys is that essentially Saleforce.com manages a fairly homogenous technical environment. Saleforce.com benefits financially by developing economies of scale around hardware, software and even things like skills/HR, but that all of this lends itself to enhanced security because it reduces complexity and streamlines things like patching, etc.
If you think about the 500+ systems that many cabinet level agencies in the federal government of the thousands of applications many Fortune 500 companies have within their organization you begin to see why this is important for security. Most of these are built to purpose with limited standardization of hardware and software and diverse skill requirements. The level of complexity inherent in securing this is obvious when you look at it from this standpoint even before you think about the additional cost and inefficiency driven by this sort of environment. There is also a heavy incentive for Salesforce.com to align their security interests and that of their partners with their customers. The dangers of the fall out from a serious breach ensure that they are more likely to err on the side of secure.