
MIT 2009 Volume: 13 Issue: 8 (September)

Servings of Software
As Software as a Service Popularity Grows,
Providers Take Innovative Steps to Address
the Military's Security Concerns.

Information technology vendors providing software as a service (SaaS) are attracting growing revenues, as well as increasing interest from military organizations such as the Defense Information Systems Agency (DISA) and the Air Force Personnel Center.


The fact that the SaaS market is expanding demonstrates two things, analysts say—that SaaS is a concept that has begun to catch on, and that IT buyers are attracted by its value proposition. At the same time, studies also make clear that SaaS is still attracting only a small sliver of total IT dollars.

SaaS, like the broader and related concept of cloud computing, posits that users can access and run software applications—from enterprise resource planning to customer relationship management and even network security applications—remotely over the network, from someone else’s shared infrastructure. The same applies, under the umbrella of cloud computing, to other IT operations, such as database management and data storage.

Organizations accessing applications from a remote, shared infrastructure enjoy some obvious advantages. They don’t have to invest in their own hardware to run the application nor devote IT resources to hiring personnel to manage it. The software is updated automatically and remotely by the service provider. The overall costs of such an arrangement are much lower than in a traditional, on-premise software implementation.

On the other hand, using a remote infrastructure shared by other users presents some problems. The ability to customize software is gone. More important are the security questions: What assurances are there that an organization’s proprietary data will not be compromised?

These security considerations apply all the more in the military environment, where organizations are legally obligated under statutes and regulations, to say nothing of national security considerations, to lock down their systems and data. For example, military networks must comply with the requirements of the Federal Information System Management Act and National Institute of Standards and Technology guidelines on data encryption and must receive certification and accreditation before they can go live.

SECURITY OBSTACLES

These security considerations represent a major obstacle to the adoption of a SaaS model in both the commercial and government marketplaces. If SaaS has been a hard sell in the commercial world, it has been that much harder within the U.S. government and military. Some inroads have been made, however, and SaaS providers have taken some innovative approaches to address the U.S. military’s security requirements.

“Cloud computing and SaaS provide a way to spill over from your resources and take advantage of the infrastructure provided by a professionally managed service,” said Manoj Apte, director of product management at Zscaler, an SaaS provider of Web security. “It turns IT from a cottage industry, where people have to manage every piece of a critical application themselves, to having professionals take care of the application for you.”

SaaS allows organizations to rapidly launch applications, limit their financial exposure, and inexpensively update software. “There are lower upfront costs with SaaS,” said Donita Prakash, a marketing director with Acumen Solutions, a business and technology consulting firm. “You don’t have to build the infrastructure to run the application or hire the staff to manage it. You can run a pilot and, if it fails, you can simply turn it off and stop paying. That limits an organization’s financial exposure.”

“New innovations come much more rapidly with SaaS,” added Rick Collison, director and solution owner at Ariba Services, a provider of automated procurement solutions. “The typical SaaS upgrade cycle is every six months. Upgrades are free and are included in the subscription price. With the traditional model it may take two or three years to get new features. With SaaS, you’re guaranteed the latest and greatest.”

SaaS can also provide organizations with flexibility in allocating and paying for IT resources. “With traditional software implementations, organizations buy an enterprise license even though they don’t know how many seats they really need,” said Kevin Paschuck, vice president for public sector business at RightNow Technologies, a provider of customer relationship management software. “With SaaS, an organization can pay for 100 seats initially and if in a year from now they need another 50, they can order them and pay for them then.”

“Some organizations have variable or seasonal requirements,” noted Vincent Spies, chief technology officer at Voltage Security, a provider of secure e-mail solutions. “SaaS can be dynamically provisioned to handle extreme requirements without having to build additional capacity within your organization.”
For potential military SaaS customers, the biggest security challenge can be summed up in one word: control, said Spies. “It takes a fundamentally different [view of] where data is. Before, you could physically guard [the] location where data is stored. Now it is stored in a [place] people don’t understand anymore.”

“Military users like the idea of a commercial offering,” confirmed Apte, “but not the idea of sharing infrastructure such as data centers.”

BEHIND THE FIREWALL

RightNow Technologies set out a year and a [half ago to] overcome the security objections among military SaaS customers. “They need to know their data is secure,” said Paschuck. “Some systems need to run on a dot-mil network.”

The answer for RightNow was to partner with DISA to run its SaaS offering behind the Department of Defense firewall. “We fit our platform right on top of DISA’s,” said Paschuck. “It takes the software out of the commercial environment, where it might be sitting next to Nike’s or Best Buy’s or Sony’s and would create a whole bunch of issues as far as FISMA is concerned.”

The Air Force Personnel Center is planning on going live with a self-service personnel Website based on RightNow’s SaaS offering later this year. “It is risky, and that is why this has been a project that we’ve been looking at for the past two years,” said Colonel Glenn Rotelle, the center’s IT director. “We had to overcome a lot of security challenges.”

Rotelle was convinced that AFPC should no longer own and host its own Website, even though “we were very good at it,” because that “was not the way industry was going.” The key SaaS benefits, for Rotelle, were guaranteed Website uptime of over 99 percent and automatic failover of the system to an alternate side if DISA’s primary hosting site in Oklahoma City were compromised.

“That is critical to us because of all of the services that we provide our airmen,” said Rotelle. “The Website has to be up at all times so that they can perform their HR functions.”

DISA is “going to be the facility that actually hosts the Web servers,” he added. “They’ll make sure that all the equipment is up and running. The software application will be RightNow. It’s a hardware/software partnership between DISA and RightNow.”

Apte noted that one challenge for SaaS providers is to “create applications in a totally different way.

“We know that thousands of organizations are going to be using that infrastructure,” he explained. “We needed to figure out how to make sure we get economies of scale without allowing data to intermingle. This has become the challenge for all cloud providers.”

At the same time, Apte acknowledged that the security considerations involved in moving to a professionally managed service within a commercial environment can be overwhelming. “Defense organizations shy away from it,” said Apte. “When you go into a shared infrastructure there is always the possibility of some sort of leak.”

ISOLATED CLOUDS

In response to these concerns, Zscaler developed the capability to create small isolated clouds that can be dedicated to military organizations. Zscaler provides Web security applications that scan requested Websites and block access to those that are potentially dangerous, and maintains separate log management and policy management for these separate, dedicated clouds. On the other hand, Apte noted, when new threat data becomes available, the entire cloud infrastructure, including the isolated military clouds, is automatically updated.

“It runs like a one-way street,” he said. “If we see a threat evolving we notify the whole cloud about it and proactively block access. But nothing inside comes out. The ability to create an isolated cloud makes it possible for military organizations to look at SaaS and cloud computing as a feasible way to run some of their IT operations.”

Apte also argued that the type of application Zscaler provides, blocking access to potentially dangerous Web content, is more appropriately handled outside the military firewall, adding an additional layer of security to the most sensitive and critical systems.

The same argument applies with respect to the provision of public key infrastructure (PKI) access authentication, according to Terence Spies of Voltage Security. PKI safeguards sensitive data by ensuring the authentication of the identities of application users.

“The military has a large PKI that allows them to send secure messages within its own system,” said Spies. “But in situations such as homeland security operations, military units may want to send secure messages to local police or fire department personnel, but those people are not on the military PKI.”

Voltage has performed trials with the U.S. military and the U.S. and Canadian border patrols that show that internal security applications are properly managed tightly within the confines of an organization, Spies said. But when cross-organizational interchanges are needed, it is useful to outsource PKI.

“This allows the military organization to exchange secure messages without having to enroll the non-military users on the military PKI,” he said. “It all starts with your security model. If you have a policy that says you only want members of your organization to have access to data or an application, you should have an internal key management system. But if your model is to exchange data then SaaS can work pretty well.”

The key element to making such an arrangement work, Spies added, is to employ a trusted, auditable third party who understands the separation of duties involved with the internal and external security mechanisms. “There are also a lot of regulations to be complied with,” he said. “A number of service organizations have earned regulatory compliance certificates to perform these kinds of operations.”

VALUE PROPOSITION

In the case of commercial SaaS offerings, users share a common infrastructure that contributes to the SaaS value proposition, a reduction in the total cost of ownership, according to Paschuck, of some 80 percent when compared to a traditional, on-premise software implementation.

Apte argued that the SaaS value proposition holds true for the kind of isolated cloud infrastructure that Zscaler has developed. “As long as it has been architected properly, it doesn’t take away from the value of SaaS,” he said. “The value is in the ability to spill over into the cloud infrastructure and to be able to scale at the rate required without having to add hardware and software inside of your network. The hybrid model that we have devised gives the opportunity to organizations to take advantage of this evolving mechanism. The cost savings are comparable.”

But Paschuck said that the kind of SaaS partnership that RightNow has forged with DISA, which is operated on military hardware inside the DoD firewall, shaves 50 percent off the cost savings of a comparable commercial, shared-infrastructure implementation. “They are still saving 40 percent on costs, and they also have the same speed of implementation as for a commercial installation,” he said.

“DISA has set up a private DoD cloud based on our architecture,” Paschuck added. “All of the hardware bought and installed has been according to NIST and FISMA guidelines. If they wanted to run the software in a commercial facility they could have avoided those costs, but that is not good enough for most DoD customers, especially those running mission critical, personnel or financial applications.”

For all of the obstacles facing SaaS, Paschuck has noticed that “once people get educated, their reluctance to adopt this model goes down tremendously. Ten years from now, I doubt that any application on military systems, outside of weapons and intelligence systems, will not be in some form of cloud computing,” he said. Prakash was even more optimistic, saying that “in the next five years most commercial and government applications will be moving to the cloud.”

But Apte added, “I don’t see the military adopting cloud computing for commercial data centers any time soon.” There are, however, reasons to believe that SaaS and cloud computing will grow among military users in coming years. Spies said that the concept of proof of retrievability, which is currently being developed, will provide assurances that encrypted data being stored in the cloud can be retrieved. “If I give my data to the cloud I need a way to make sure the service keeps all the data and allows it to be retrieved,” he said.

Advances in “searchable encryption,” which allows authorized users to search encrypted, cloud-stored data, will also be important in encouraging users to move data to the cloud, according to Spies. “This is important to doing productive research,” he said. “By making data more secure, users can be provided with more functionality.”
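The two techniques Spies describes above, proof of retrievability and searchable encryption, can be shown in their simplest forms with a short script. The following is an added example written for this article, not code from Voltage Security or any product named here. It assumes a data owner who keeps three secret keys locally and an untrusted storage server that sees only ciphertext blocks, per-block MAC tags and opaque keyword tokens. Retrievability is checked by the spot-check construction: the owner tags each block with an HMAC bound to the document name and block index, later challenges the server for blocks and verifies the tags, so a server that lost or silently corrupted a block cannot answer correctly. Search uses deterministic keyword tokens (HMAC of the keyword) so the server can match a query without learning the word. The `prf_ctr` helper, an HMAC-SHA256 keystream in counter mode, stands in for AES-CTR only because the Python standard library ships no block cipher; the document names, contents and keywords are constructed sample data.

```python
import hashlib
import hmac
import secrets

BLOCK = 32  # bytes per storage block (constructed; real deployments use far larger blocks)


def prf_ctr(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 keystream in counter mode.
    Stand-in for AES-CTR (the stdlib has no block cipher); the same call decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (off // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


class StorageServer:
    """Untrusted cloud side: holds only ciphertext blocks, tags and opaque tokens."""

    def __init__(self):
        self.blocks = {}  # (doc_id, idx) -> ciphertext block
        self.tags = {}    # (doc_id, idx) -> client-computed MAC tag
        self.index = {}   # keyword token -> set of doc_ids

    def store(self, doc_id, blocks, tags, tokens):
        for i, (blk, tag) in enumerate(zip(blocks, tags)):
            self.blocks[(doc_id, i)] = blk
            self.tags[(doc_id, i)] = tag
        for tok in tokens:
            self.index.setdefault(tok, set()).add(doc_id)

    def respond(self, challenge):
        # Raises KeyError if a challenged block was lost or deleted.
        return [(self.blocks[k], self.tags[k]) for k in challenge]

    def search(self, token):
        return sorted(self.index.get(token, ()))


class Client:
    """Data owner: holds all keys; the server never sees plaintext or keywords."""

    def __init__(self):
        self.enc_key = secrets.token_bytes(32)
        self.tag_key = secrets.token_bytes(32)
        self.idx_key = secrets.token_bytes(32)
        self.meta = {}  # doc_id -> (nonce, block count): the only local state kept

    def _tag(self, doc_id, idx, blk):
        # Binding doc_id and idx into the MAC stops the server from answering a
        # challenge with a valid block taken from somewhere else.
        msg = doc_id.encode() + b"\0" + idx.to_bytes(8, "big") + blk
        return hmac.new(self.tag_key, msg, hashlib.sha256).digest()

    def token(self, keyword):
        """Deterministic trapdoor: equal keywords give equal tokens, nothing else leaks."""
        return hmac.new(self.idx_key, keyword.lower().encode(), hashlib.sha256).hexdigest()

    def upload(self, server, doc_id, plaintext, keywords):
        nonce = secrets.token_bytes(16)  # fresh per upload, so keystreams never repeat
        ct = prf_ctr(self.enc_key, nonce, plaintext)
        blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
        tags = [self._tag(doc_id, i, b) for i, b in enumerate(blocks)]
        self.meta[doc_id] = (nonce, len(blocks))
        server.store(doc_id, blocks, tags, [self.token(k) for k in keywords])

    def audit(self, server, doc_id, samples=None):
        """Proof-of-retrievability spot check: challenge blocks and verify their tags.
        samples=None challenges every block; a small sample catches large-scale loss."""
        _, n = self.meta[doc_id]
        idxs = range(n) if samples is None else sorted(
            secrets.SystemRandom().sample(range(n), min(samples, n)))
        challenge = [(doc_id, i) for i in idxs]
        try:
            answers = server.respond(challenge)
        except KeyError:
            return False  # server could not produce a challenged block
        return all(hmac.compare_digest(tag, self._tag(d, i, blk))
                   for (d, i), (blk, tag) in zip(challenge, answers))

    def retrieve(self, server, doc_id):
        """Fetch every block, verify all tags, then decrypt; None on any failure."""
        nonce, n = self.meta[doc_id]
        if not self.audit(server, doc_id):
            return None
        ct = b"".join(server.blocks[(doc_id, i)] for i in range(n))
        return prf_ctr(self.enc_key, nonce, ct)


def demo():
    """Constructed run: a search, an honest audit, a decrypting retrieve, then two failing audits."""
    server, client = StorageServer(), Client()
    client.upload(server, "memo-1", b"Flight line schedule for the 3rd week of June, all shifts." * 2,
                  ["schedule", "flight"])
    client.upload(server, "memo-2", b"Quarterly HR self-service rollout notes and contacts.",
                  ["hr", "rollout"])
    hits = server.search(client.token("Schedule"))   # server matches the token, not the word
    honest = client.audit(server, "memo-1")
    roundtrip = client.retrieve(server, "memo-2")
    server.blocks[("memo-1", 1)] = bytes(BLOCK)      # server silently corrupts one block
    tampered = client.audit(server, "memo-1")
    del server.blocks[("memo-2", 0)]                 # server loses one block
    lost = client.audit(server, "memo-2")
    return hits, honest, roundtrip, tampered, lost


if __name__ == "__main__":
    print(demo())
```

Two design points matter in practice. The audit state the owner keeps is tiny (a nonce and a block count per document), which is what makes outsourcing worthwhile; a sampled audit with `samples=k` gives a probabilistic guarantee, so an operator who wants certainty for a small document calls it with `samples=None`. The deterministic keyword tokens leak which stored documents share a keyword and how often each token is queried, the known trade-off of this simplest searchable-encryption form, so it suits a closed-group index better than an open repository.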

Apte sees SaaS growth in the increasing popularity, especially among young people in the armed services, of social networking, so-called Web 2.0 content such as YouTube, Facebook, and MySpace. “In the past, networks could secure themselves against vulnerabilities simply by denying access to those kinds of sites,” he said. “But as these sites become more popular, that approach is going to become more difficult. The more restrictions are placed on accessing them, the more ways will be found around them, and that increases risk. I believe the military will have to allow access to Web 2.0 sites while applying a security layer to them to mitigate risk.”

That security layer, in turn, Apte believes, will be supplied increasingly by SaaS providers.

All of which presents enormous challenges to SaaS vendors. “SaaS is about managing success,” said Collison. “Traditional software implementations are project-oriented. An organization needs a fix. The vendor and consultants implement software to try and solve the problem and then go on their way.

“SaaS has a different idea of success, which is tied to renewals,” he continued. “A vendor’s revenue stream is dependent on the customer’s success at every phase and milestone and on a continual basis. That means vendors must get much more involved with projects, whether that involves providing project management expertise or discussing security certifications. They need to be involved every step along the way to earn the renewal and the future business.” ♦
