Of the four areas of SaaS security, the concept of pure Data Security is perhaps the hardest to define. In fact all four blogs in this series were about some aspect of keeping your data secure in a SaaS model, but when I think of "data", I think of two quite different concepts:

1. The actual bits and bytes that exist somewhere on your SaaS vendors servers (these bits and bytes can be transmitted, processed and displayed for the application's purposes).
2. The thoughts, ideas and concepts that make up our "digital life".

So, let's talk about these 2 points.

Obviously, the data you upload and download to and from your SaaS vendor is not stored in the "cloud", it's actually stored on one or more hard disks housed at some physical location somewhere. Your data is usually stored in such a way as to keep it secure from prying eyes and from catastrophic failures. SaaS vendors use the following methods to secure your data:

• Data level encryption -  it's possible for your SaaS vendor to encrypt your data while it is being stored so that only certain parties can read it. Imagine this process as a filing cabinet containing documents written in a language that only you can understand, no one else could read them even if they stole the entire filing cabinet.
• Data segregation - most SaaS vendors operate what's known as a "multi-tenant architecture". Simply put, this means that one platform installation serves the needs of more than one customer. Even though this can be a very secure architecture, you may wish to have the ultimate in assurances that your data will not interact with other client's data. This can be achieved by asking your SaaS vendor to "segregate" your data into a completely differen tplatform installation. This creates a "single tenent" solution and it can be quite expensive. I recommend this only for highly sensitive data.
• Backup and recovery - just like your home computer can go belly up, it's possible for some aspect of your SaaS vendor's hardware, software and networking to do the same. Even with a tremendous amount of redundancy and processes in place. You can ask your SaaS vendor what their backup procedures are, how often they back up the data, how long it takes to restore data, the current state of data storage and failure rates etc. Note that many SaaS vendors don't do actual "tape" backups any more, they simply backup to other storage device(s) at the same location - they do this to keep costs down.
• Security policies around who can see your data - obviously, your SaaS vendor's personnel maintain and ensure the proper running of the SaaS application. This means that they may have access to some or all aspects of your data. Ordinarily this is a completely innocuous fact, the staff are required, either by policy or by some technical "locks" to not view or tamper with your data.

Your digital thoughts and ideas

Your SaaS vendor is often responsible for holding your digitized thoughts and ideas or that of your entire company. This responsibility should not to be taken lightly! One question you must ask your SaaS vendor is "who owns the data once I've placed it into your SaaS application?" If the answer is anything but "you do",  this isn't a vendor I'd recommend.

To summarize the series, worries over SaaS security are certainly legitimate - but can be solved if you have done your homework. Some things you might want to do before entering into the world of SaaS applications:

1. Educated yourself - do's and don'ts
2. Ask the right questions during your due diligence process
3. Work with a neutral 3rd party expert in SaaS applications (help with the vetting process)
4. Walk before you run - do a pilot project, choose an application or solution that you can test first
5. Measure and monitor the service llevels during the pilot phase

The world is moving to SaaS.  Eventually, you'll will too!! Gartner's predictions for 2010: "By 2012, 20 percent of businesses will own no IT assets. But the requirement for IT infrastructure and expertise though, will not go away, rather it will shift to the cloud and SaaS vendors."