SaaS, your thoughts on these options...
Posted by jagarco, 03-09-2011, 06:58 PM |
Hi
I'm planning to develop a Software as a Service project.
The idea is that the service is going to be through a website; all accounts (businesses) and their work info will be stored on a server.
Problem here is, if the server or the script is hacked, then ALL will be affected.
In fact, I already can see businesses not wanting to have their info on a "website" not of their own.
So, we can say there are 3 options to offer a software solution
A) Centralized, one domain, one location.
- Pros
-- All businesses communicating, sharing and working efficiently
-- Efficient management communication, updates and upgrades
-- Our brand will get stronger and more business will accept it
- Cons
-- If it is hacked, it could mean the end of our brand.
B) Customer hosts software
- Pros
-- If it is hacked, it is just one customer.
- Cons
-- Updates and upgrades
-- If the software is exploited then we'll have to patch lots of installations
C) Local on customer computer
- Pros
-- Security
- Cons
-- Everything
Soooo....
Is there a way to have option A) hosted on one domain but in a way that isolates an intruder? Like, just a certain group of accounts may be compromised but it could take longer to get the rest and such.
Like, for example, if option B, the intruder would need to hack one server for each customer, but in option A he would need to hack just one to get all accounts.
What options would there be for option A to be more secure, that is, having just one main domain to use the service but not the same risk as like having all the eggs in one basket?
|
Posted by phpcoder, 03-09-2011, 07:11 PM |
What type of application do you intend to build and what customer data will be stored? Who is your client base? What language will the application be built in?
Without more specific detail we're only going to be able to give you a shot in the dark answer
|
Posted by jagarco, 03-09-2011, 07:49 PM |
Thanks
PHP/MySQL
Business tools like Docs, Products, Photo galleries, Support tickets, calendars, WebBuilder(WebSite), DataBase, etc. etc.
Hmm... like in the nature of wordpress.com (not the script) or zoho
They are going to range from small companies (1 to 10 employees) using particular tools to a very few medium companies using other particular tools.
|
Posted by phpcoder, 03-10-2011, 11:45 AM |
More questions, aka food for thought!
Think of your target market when deciding the best platform:
* Will they pay extra to have it hosted with you?
* Do they have the IT knowledge / infrastructure to host themselves?
* Will you be able/want to provide support if they host themselves?
* What is the probability the data will be hacked (i.e. targeted)?
|
Posted by tchen, 03-10-2011, 12:03 PM |
It has to be A.
B is a non-starter for SaaS, since for you to be able to log in to another host would entail both you and the customer having root access. Nothing good can ever come out of that.
Caveat is, you need to have a strong IT security team. You cannot have all that software on one box. Encrypt the storage per customer and assume that your frontends will be hacked. Backup religiously, online and offline. And get a lawyer.
|
Posted by jagarco, 03-10-2011, 06:54 PM |
Hi, thanks
I kind of already know which market or the strategy to use to get to it.
I already decided Option A has to be the one even before posting this thread, I put the other options just to have it in perspective.
The thing I'm interested in is how this method (A) is usually done in the backend in relation to security.
I thought there could be more than just securing the one single physical server and the software..., like maybe some kind of several servers each serving some part of the service or data etc.
|
Posted by Squidix - SamBarrow, 03-10-2011, 06:57 PM |
You should really try to offer both. Option A is good for 90% of situations, but depending on the sensitivity of the data being stored, some companies will prefer to host on their own servers.
|
Posted by jagarco, 03-10-2011, 07:04 PM |
Interesting...
- Having the software in several boxes, I wasn't aware of that, it seems interesting. I guess when the customers use the SaaS the data and interface could be pulled from several locations.
- Encrypting, I was thinking about that for maybe the name and email fields and such, not sure if it affects performance.
- Backups and offline backups are checked. They will at least provide the data in case it is lost in the main location; it won't stop the hacking once restored of course, but at least we will not lose data.
I guess it could mean most of the security issues will be focused in the server and software possible holes.
|
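The per-customer encryption tchen recommends, applied to the name and email fields jagarco mentions, could look like the following for the PHP/MySQL stack. This is an added example, not code from any poster; the function names, the HKDF key derivation and the storage layout are assumptions, and the master key is assumed to be held outside the database.

```php
<?php
declare(strict_types=1);

// Derive a distinct 256-bit key per tenant from one master key (HKDF-SHA256).
// Assumption: the master key is kept away from the database server.
function tenantKey(string $masterKey, int $tenantId): string
{
    return hash_hkdf('sha256', $masterKey, 32, "tenant-field-key:$tenantId");
}

// Encrypt one field with AES-256-GCM. Tenant id and column name are bound in
// as associated data, so a value copied to another tenant or column is rejected.
function encryptField(string $masterKey, int $tenantId, string $column, string $plain): string
{
    $iv  = random_bytes(12);
    $tag = '';
    $ct  = openssl_encrypt($plain, 'aes-256-gcm', tenantKey($masterKey, $tenantId),
                           OPENSSL_RAW_DATA, $iv, $tag, "$tenantId|$column", 16);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);   // store this string in MySQL
}

// Returns the plaintext, or null if the value was modified or belongs to a
// different tenant or column.
function decryptField(string $masterKey, int $tenantId, string $column, string $stored): ?string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) {
        return null;
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = (string) substr($raw, 28);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', tenantKey($masterKey, $tenantId),
                           OPENSSL_RAW_DATA, $iv, $tag, "$tenantId|$column");
    return $pt === false ? null : $pt;
}

// Constructed sample data.
$master = random_bytes(32);
$stored = encryptField($master, 17, 'email', 'owner@example.test');

var_dump(decryptField($master, 17, 'email', $stored));  // same tenant and column
var_dump(decryptField($master, 18, 'email', $stored));  // different tenant id
var_dump(decryptField($master, 17, 'name',  $stored));  // different column
```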
Posted by tchen, 03-11-2011, 01:40 AM |
It's basic security by layers. Assuming your UI is ajax driven, you can strictly control the API between the browser and a proxy controller. That minimizes the exposure you have. On the backend, facing each of the services, you again have another authenticated api system. The proxy controller does almost no processing and handles none of the uploads since they're the most vulnerable - they're the key handlers for the encryption.
Uploads should be shunted to another box and treated as though in a DMZ.
And again, a separate authentication server provides the account and verification.
I could kiss you for that one
|
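One way to build the authenticated API between the proxy controller and each backend service that tchen describes, shown as an added example that is not code from the thread: HMAC-signed requests with a per-service shared secret. The field names, the 30-second freshness window and the `tickets` service name are assumptions.

```php
<?php
declare(strict_types=1);

// Proxy controller side: sign a backend call with the secret shared with that
// one service only. The signature covers service, tenant, time and body.
function signRequest(string $secret, string $service, int $tenantId, string $body, int $now): array
{
    $mac = hash_hmac('sha256', "$service\n$tenantId\n$now\n$body", $secret);
    return ['service' => $service, 'tenant' => $tenantId, 'ts' => $now,
            'body' => $body, 'mac' => $mac];
}

// Backend service side: accept only fresh requests addressed to this service
// whose MAC verifies. Returns a reason string on rejection, null on success.
function rejectReason(array $req, string $secret, string $self, int $now, int $maxSkew = 30): ?string
{
    foreach (['service', 'tenant', 'ts', 'body', 'mac'] as $field) {
        if (!isset($req[$field])) {
            return "missing $field";
        }
    }
    if ($req['service'] !== $self) {
        return 'wrong service';
    }
    if (abs($now - (int) $req['ts']) > $maxSkew) {
        return 'stale timestamp';
    }
    $expected = hash_hmac('sha256',
        "{$req['service']}\n{$req['tenant']}\n{$req['ts']}\n{$req['body']}", $secret);
    // hash_equals compares in constant time.
    return hash_equals($expected, (string) $req['mac']) ? null : 'bad signature';
}

// Constructed sample exchange.
$secret = random_bytes(32);
$req = signRequest($secret, 'tickets', 17, '{"action":"list"}', time());
var_dump(rejectReason($req, $secret, 'tickets', time()));

$forged = $req;
$forged['tenant'] = 18;                       // tenant id changed after signing
var_dump(rejectReason($forged, $secret, 'tickets', time()));
var_dump(rejectReason($req, $secret, 'tickets', time() + 3600));  // replayed later
```

Giving each backend service its own secret means a compromised service cannot sign requests to the others.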