Archive for July 10, 2021

SaaS Is Dead…. And Companies Need To Accept It And Move Back To Doing Things On Premise

Posted in Commentary with tags on July 10, 2021 by itnerd

SaaS or Software As A Service has been a thing for years. The promise is that you don’t have to install anything and you don’t have to invest in hardware. You simply use some sort of online service to get what you want. And that saves you money as a result. But here’s the problem with that model. We’ve had two high profile hacks of two very high profile SaaS products that are used widely. SolarWinds and Kaseya. These hacks are what are called Supply chain Attacks because of the fact that hacking the SaaS companies in question results in being able to hack anyone who uses their products. In the case of SolarWinds and Kaseya, thousands of companies are affected.

That to me means only one thing. SaaS is dead. Why? I guarantee you that these will not be the last SaaS companies (and by extension their customers) to be pwned by hackers. It’s only a matter of time before big name SaaS companies with names that you would recognize get pwned by hackers. Which means that a whole lot more customers will suffer as a result. And there will be a whole lot of bad press to go around. Not to mention angry customers who’s info is out there on the Dark Web. Not to mention angry shareholders of companies who got pwned.

Now, I suppose that companies who really want to go the SaaS route could require SaaS companies to prove it via an audit of their software supply chains. And sure, that’s a good idea. But keep in mind that an audit is only a snapshot in time. And it’s not going to catch every issue that may exist (and by extension, hackers could exploit). So all that does is really create a false sense of security. There’s one other point that I should bring up, realistically SaaS companies should be required by law to prove they are secure. But I’m a realist and I know that those laws aren’t coming anytime soon. Thus that’s not a solution to this problem either.

The real solution to this problem is that companies have to go back to an on premise setup. Yes it’s going to cost more. Yes it’s a lot more work. And yes, you are fully responsible for securing yourself against getting pwned. But you’re better off in the long run because you are in complete control. You are not at the mercy fo a SaaS vendor who may or may not be doing things right from a security standpoint. And there’s the side effect that you are in complete control of your data which is important in the age of GDPR and laws like it. Thus clearly going back to on premise is the way to go. Now I will admit that the resources for a small or medium sized company to go on premise aren’t trivial. I’n not just thinking of hardware and software, but the IT security expertise that is needed to not get pwned. But if you want to avoid getting pwned in the next supply chain attack, this is the only way to go. And I do not think companies have a choice any longer.