Cloud Computing: Is It Safe?

If there's one tried-and-true way to tackle a problem, it's to make it someone else's problem. It's the strategy that's given us plumbers, fluff-and-fold laundry and lawn services. Yet for a long time, corporate computing didn't really lend itself to the pass-the-predicament model. Sure, you could hire consultants to troubleshoot your hardware, patch your software and get all the PCs and servers talking to one another. But at the end of the day, it was your system -- and your headache.

Delegators take note: The times are changing. An increasingly popular software model tries to make things simple by -- get this -- literally making things simple. Known as Software as a Service or cloud computing, the idea boils down to this: Instead of running an application yourself, using your own equipment and IT staff (not to mention exhausting most of your patience), you let the vendor host it and deal with the nuisance of keeping the whole thing running. Programs are accessed over the Internet, so you can use them on any PC, from any location. No matter that you're in a Boston airport and your data is in a Nebraska bunker. You're good to go -- and work.


SaaS also offers a whole new -- and, for a lot of users, welcome -- pricing model. Instead of paying up-front, often hefty software licensing fees, you pay a monthly subscription fee, so costs are spread out and predictable. The fee is generally based on the number of users, but sometimes it's pegged to how, or how much, you use the system. Because SaaS applications run on someone else's hardware, you're spared the expense of acquiring your own servers, storage and backup systems -- and of hiring more IT staffers to keep it all humming. And adding new users is usually as easy as making a phone call or clicking a mouse button, so scalability isn't something you need to sweat over, either.

Sound promising? A growing number of software providers sure hope so. SaaS solutions are popping up in a host of areas, among them customer relationship management (the space where this model really got off the ground, thanks to companies like, human resources, payroll, billing, help desk management, videoconferencing and even word processing (think Google Docs).

Gradually, they're emerging -- and catching on -- in the legal realm as well. CPA Software Solutions's FoundationIP, a Web-based intellectual property management solution, is the company's fastest-growing product "by far," says Steve Schley, CPA's vice president for sales, with revenues increasing by some 20 percent annually. FoundationIP -- an SaaS veteran, having been introduced six years ago -- bases its fees on the amount of data you need to process. A large company, typically with 5,000 to 10,000 files, would pay a few thousand dollars each month, according to Schley.

Yet companies that scan the bulleted list of SaaS benefits and jump to embrace the model may be in for some not-so-welcome surprises. Like virtually all other technologies, SaaS is not quite the panacea its fans (and a lot of marketing departments) would have you believe. For example, even though hardware costs may be lower, software can actually work out to be pricier in the end. One reason is that you're no longer able to sit out an upgrade round or two -- automatic upgrades are rolled into the subscription fee.


When used wisely, SaaS applications make a lot of sense. But using SaaS wisely starts with asking the right questions of vendors, and of yourself. Here are the big ones to keep in mind:

Just where is my data -- and how secure is it? For all the advantages SaaS solutions can bring, they take away something we're not always happy to give up: control. Chances are, your worries are unfounded. SaaS vendors have plenty of incentive to keep things safe: If they fall short, there goes their business. Keep in mind, too, that dispatching data from the corporate campus is something businesses do each day, via e-mail attachments, CD-ROMs and -- perhaps most perilous of all -- leather briefcases.

Savvy companies like yours will want proof that all concerns are being addressed. Be sure to ask your vendor about its security measures. Demand documentation and, if you've got the resources, the right to audit security controls and have a third party come in to certify them. Also, be sure to ask who actually hosts your data. While you may think it's the same vendor that's selling you the subscription (and cashing your checks), software developers often outsource the technical nitty-gritty of running their application. Don't be put off by this. It's a smart and often reassuring move, as your vendor may have a lot of experience writing code but very little when it comes to running a mission-critical data center.

In fact, many hosting companies see their security plans as a competitive advantage and are only too happy to talk about them. "If the firm does not bring it up, we will -- we know it's in the back of their mind," says Edward Grubb, general manager of legal managed services at MindShift Technologies, Inc., which hosts a variety of document management applications. Among MindShift's security procedures: encrypting everything that passes across the Internet, segmenting each user's data so Company A cannot access Company B's work-product, and performing background checks on every MindShift employee.

What happens when disaster strikes? Here's the real pitfall of having someone else host your software: When its systems are down, you're down. And because you didn't buy all those servers and other hardware to run the application yourself, you have no local systems to fall back on. This raises a couple of points. First, your provider had better come up with some significantly robust business continuity plans. Second, anything that knocks your host offline -- even a minor outage -- is potentially disastrous.

Not surprisingly, SaaS providers have given a lot of thought to disaster recovery. MindShift, for example, replicates data so it's stored in multiple locations, any one of which can take up the slack when another facility goes down. But you'll want to give thought to this, too, and ask questions, particularly since some vendors, like CPA Software, will offer different levels of service -- for different prices.

SaaS customers should also insist on a service level agreement, or SLA, which contractually obligates the provider to meet a certain standard of reliability -- say, 99.5 percent availability. Still, there will always be applications that a business cannot afford to be without; potential SaaS users need to think hard about what they can and cannot live without.

Who owns the data -- and how do I get it back? It's technology's version of the messy divorce: You and your SaaS provider part ways. Who gets custody of the data? You'd think this would be a no-brainer: After all, it's your business information. But it's sitting on someone else's server, in someone else's facility. Avoid the court fight. Make sure you have rights to the data in the event the provider goes out of business or you simply want to switch to another one. And get it all in writing.

How much customization will I need? Although some SaaS applications may let you customize the interface and even some features, the underlying code is the same for all users. That means you shouldn't turn to SaaS for anything you're going to want to tweak heavily.

SaaS offers a lot of potential. But don't be lulled by the buzz and the hype. Vet it carefully before signing on -- or you may get stuck with that headache yet.

Alan Cohen is a New York-based writer who reports frequently on technology and the law.