Tony Karrer's eLearning Blog

Monday, May 22, 2006

Firewalls and Security in Software as a Service

One of the interesting outcomes of my recent course - Collaborative Learning Using Web 2.0 Tools - A Summary - was general consensus around:
  1. Software as a Service is Great for Learning Professionals inside Corporations
  2. Firewall restrictions still pose a problem for SOME services
  3. Security is a concern, but generally should not stop use

The reason that Software as a Service is so attractive is that it is often hard to get Corporate IT to spend time setting up even simple software packages, and even harder to get them to agree to support those packages. Thus, while we are excited about wikis, blogs, discussion groups, etc., the practical reality is that, unless they already exist somewhere and we can piggy-back on those implementations, we are not going to be able to get them implemented by Corporate IT. Thus, there is real attraction in being able to sign up for hosted services that provide these tools without Corporate IT being involved.

For us to be successful doing this, we first need to make sure that the system will work with whatever firewall restrictions exist. For example, in our course, we found that Yahoo Groups were restricted in some corporate environments. Elluminate did not work through several firewalls, so we had to switch to WebEx. The Yahoo Toolbar (for MyWeb) couldn’t be installed on locked desktops. Instead, we should have used Del.icio.us. We had no trouble with our PBWiki. The good news is that there are lots of these services in most categories, and thus, the best advice is:

Test any service you are thinking of using in different locations and desktops to make sure that you are able to use the service effectively given firewall restrictions.

Do not believe any vendor claim that "it works through firewalls" because a firewall can be configured to stop anything it wants. That's its job.
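As an added illustration of that testing advice (this is not code from the original post), here is a small Python check that reports which hosted services can be reached from the desktop it runs on. The service list is a constructed placeholder with made-up hostnames, and the two loopback helpers exist only so the check can be exercised without leaving the machine.

```python
import socket
from typing import Dict, List, Tuple

# Constructed placeholder list of hosted services to verify from a desktop;
# the hostnames are not real vendor endpoints and must be replaced before use.
SERVICES: List[Tuple[str, str, int]] = [
    ("wiki (hypothetical)", "wiki.example.invalid", 443),
    ("web conferencing (hypothetical)", "meeting.example.invalid", 443),
]


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True when a TCP connection to host:port completes within timeout.

    False only says the path failed (firewall, proxy, DNS, service down),
    not why, so compare runs from several locations and desktops.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unresolvable name, no route
        return False


def check_services(services: List[Tuple[str, str, int]],
                   timeout: float = 3.0) -> Dict[str, bool]:
    """Map each service name to whether it was reachable from here."""
    return {name: tcp_reachable(h, p, timeout) for name, h, p in services}


def open_local_listener() -> Tuple[socket.socket, int]:
    """Loopback listener on an ephemeral port: stands in for a reachable service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def closed_local_port() -> int:
    """A loopback port nothing listens on: stands in for a blocked service."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    for name, ok in check_services(SERVICES, timeout=2.0).items():
        print(f"{name}: {'reachable' if ok else 'BLOCKED'}")
```

Run it from each office network and locked-down desktop you care about and diff the reports; a service that is "BLOCKED" in one location and reachable in another is exactly the firewall problem the post describes.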

The other big hurdle is the question of security. What's your exposure by having your content at a hosted location? The first part of the answer is whether outside parties (not you or the host) can hack into the system and get at your content. Generally, I think you will find that hosts provide fairly reasonable control, but you will want to check into their security approach.

The second part is that there is some set of administrators who provide the hosting who will have the ability to get in and see your content. The host may make it difficult for the administrator to get in there, but often it's not that difficult. Really, this is the same situation as what you face in internal software, with some set of Corporate IT staff having access to content (likely including email). In the case of hosted solutions, the added "risk" is that the administrators are employees of an outside company. On the other hand, you probably have better recourse against the host provider if the administrator does something wrong than you would against your own employee.

The security issue is not new. There are likely lots of content types that already get stored externally by your organization. They might be using Salesforce.com as a CRM. They might be using an email system that handles spam filtering and archiving. Chances are, the content you are putting up in your learning solution is far less of a risk than what is already getting stored out there. Which brings us to the first defense ... while the risk is probably low that you will actually have information leak out:

Try to limit content to information that would cause little damage to the company if it were made public.

What if you need to work with content that is confidential and would potentially represent a risk? Well then you are going to need to go through the same protocols you would use internally to vet the system and likely you will again need to involve your IT staff because they are likely the ones who make these determinations. This will slow down your implementation time, but is not nearly the hurdle you have trying to bring software in-house.

Will they derail your process? If you look out at what's happening, you find mixed reviews. The eWeek article "Security May Dog Software as a Service" gives a mixed answer:

the biggest challenge for companies such as Microsoft that see their future in on-demand software may be getting customers to understand and be comfortable with the model.

And, the current state of network and application security at most companies is poor enough to make it hard to imagine on-demand deployments being any worse, experts agree.


You are still on the hook according to Software as a Service and Security:
A company must show due diligence in its relationships with third-party providers to ensure that those providers maintain and comply with U.S. and international regulations to which that company is subject. Under such regulations, it is the responsibility of the company—not the software as a service provider—to protect sensitive information.

The advice from an article in CFO Magazine:
Data security. Although SaaS vendors invariably emphasize the resources they devote to security, many customers remain uncomfortable with their employee and customer data flying over the Internet, not to mention potentially residing on the same data-center server as their rivals'. "Look at security. Do the due diligence. Make sure the vendor has the right premises and that protecting your data is its top concern," counsels David Brooks, director of CRM at Magma Design. Juniper Networks CIO Kim Perdikou insists on modifying SaaS contracts so that she has the right to do periodic security audits.

What's the bottom line? Chances are that you are not going to run into much of an issue. Try to keep the content to things where there is low risk. And where you have sensitive data, bring in IT staff to audit the security, bless the vendor(s), and check the protection in the contracts. It's still better than having to install software behind the firewall.

In talking with a lot of different CTOs from software development companies in Southern California it appears this is the way forward.

Keywords: eLearning 2.0, Web 2.0
