SaaS to PaaS: The Best Kind of Platform Shift

For cloud security specialists, these are strange times, indeed.

On one hand, software-as-a-service (SaaS) providers with a focus on security are tearing up the transaction market. The most recent one is described as the largest private equity deal in the cybersecurity industry, and the staggering amounts of money involved in this very hot market are raising eyebrows. In the ultimate validation, the category is getting its own spinoffs. That’s why we have security-as-a-service (the cringeworthy acronym is SECaaS), in which providers offer specialties around authentication, intrusion detection, penetration testing and more.

On the other hand, there’s the real world. Despite all the allocations and acquisitions, there’s definitely no shortage of cloud security breaches. The industry at large is so numb to these events that they now generate little attention. Does the Colonial Pipeline episode get more mindshare than SolarWinds, Mimecast and other big disasters from the recent past? If cybersecurity threats define the new normal, are technologies and business practices adapting appropriately? Either way, it seems apparent that every new episode of unauthorized access scares away security chiefs from endorsing greater cloud migration.

So, let’s consider alternatives. The SaaS model may have investors seeing dollar signs, but is it, in fact, the best way to ensure cloud security, and specifically the security of data stored in the cloud?

There’s no denying that organizations in all fields benefit from moving to the cloud. They’re able to store, retain and manage their most confidential and valuable data—think IP, customer PII/patient PHI, trade secrets, competitive research, etc. Now, securing all this data, such as through encryption, in transit and at rest is basically a commoditized function. But gaining access to it and leveraging it on a regular basis is a different issue entirely, one that still gives security chiefs nightmares.

SaaS is more a business model than a technology advancement, and it shows. Many current offerings, such as those in enterprise information archiving, originated as on-premises tools, then got ported to the cloud as SaaS offerings. This is the essence of commoditization, and it brings serious potential pitfalls.

Consider how the threat matrix is always evolving. New strains of viruses, phishing tactics and ransomware emerge constantly, and existing defenses will have to be bolstered to keep the network, data and applications safe. However, many SaaS offerings have neither the operational agility nor the architectural stability to ward off emerging dangers. In a commoditized arrangement, what you see is what you get, and that’s a dangerously low standard. In fact, third-party SaaS providers continue to rely on shared network infrastructure and resources; in some cases, they even share network security certificates.

On a related front, data privacy is a significant boardroom priority, since standards and expectations continue to evolve rapidly. Many current offerings lack industry-specific compliance capabilities at a time when GDPR in Europe, CCPA in California, other pending state-specific mandates and a host of industry-specific regulations must be strictly observed in all business initiatives.

And of course, the most dynamic aspect of the technology arena can run into a virtual brick wall. There’s a constant flow of new tools and custom deployments, and this will likely be accelerated with developments in artificial intelligence (AI) and machine learning (ML). Within a commoditized SaaS offering, enterprises can’t deploy custom-built AI/ML tools, and that robs them of a major competitive advantage.

None of this means that cloud migration should be avoided. Instead, we need to look for options other than the standard SaaS arrangement. For example, we should have standard software inside an isolated environment—network security, scalability, storage accounts, access controls and more, all configured to meet specific needs.

This entails moving the foundation from software to platform—to go with the nomenclature trend, platform-as-a-service, or PaaS. (That sounds so much better than SECaaS.) This setup offers a much higher level of isolation, enabling each company to deploy the necessary solution within its own dedicated infrastructure. There are no shared network resources, and definitely no shared secrets. Enhanced security is matched with greater flexibility to ensure a customer-specific deployment rather than a one-size-fits-all arrangement. In the ideal cloud arrangement, this makes for a dedicated cloud tenant and specialized software to address specific software needs.

This wouldn’t be the only sign of progress. We can deploy homomorphic encryption, enabling authorized users to search and manage data in the cloud without decrypting it. This even ensures that companies retain full ownership and management of their encryption keys—a major advantage over most SaaS arrangements.

Ultimately, a single technology or business model breakthrough offers a limited benefit for a limited period of time. We need to keep moving forward—and for now, it’s time to consider advancing from software to the platform.

Tibi Popp

Tibi is co-founder and Chief Technology Officer of Archive360. He has spent more than 15 years building and implementing solutions for enterprise-class email and document messaging, archiving and compliance. His experience includes executive roles at Mimosa Systems, where he helped establish the company as a global leader in enterprise email and content archiving; AXS-One, where he developed a first-to-market Software-as-a-Service message archive platform for financial services conglomerates; and Terra Networks Corp., where he developed the first B2B transportation logistics exchange and the first online self-service real estate multi-listing system.
