JDPFu.com 2025

As I read more and more of the article, I was surprised as to how much of it I agree with. Then I noticed who the author was – Richard Stallman, RMS as he is known. Mr. Stallman is a lightning rod in the open source world. He is known for his uncompromising positions and both difficult and lack of personal tact. But, in my opinion, he is correct in his concerns for SaaS solutions. Basically, every website that you visit where you can’t download and run your own clone server is a concern for software freedom and protecting your company from the whim of another company.

Worse than proprietary software

There are hundreds, if not thousands, of solution web sites. You use these all the time. Your business may even completely depend on them and they can stop serving your needs at any second. If you aren’t scared about that, you should be. They are a single court order, lawsuit, or IT failure away from going down. When they do go down and even google mail goes down, you don’t have many solutions. Your data is usually locked up in their storage, unavailable. Is that the way to run a business?

With proprietary software, you can at least run the software on your systems. With SaaS solutions, you are completely dependent on

1. your internet connection
2. their internet connection(s)
3. their servers and high availability design
4. their storage and high availability design
5. their disaster recovery plan and implementation
6. their legal team’s ability to fight other companies lawsuits and patent cases
7. their profitability

I’m scared. I’m really scared.

A few web/hosted services you or your company may use, get addicted and should probably be avoided:

1. Gmail / hosted webmail in general
2. Google Docs / hosted document management service providers in general
3. Google Voice / 100% VoIP providers where you can’t take your number with you
4. Salesforce.com / do you have a backup? Can you contact your clients and know all your interactions if it is gone? failed
5. mint.com / any hosted banking or bill paying app
6. Blackberry / their network connectivity is SCARY. Perhaps they have a secondary production data center now, but they didn’t in 2008.

In short, have your chief architect understand the vendors network, system and security architectures fully, document the points of risk and help you write the contract with financial repercussions if there is a failure due to the vendors inadequate total solution. A quick list of must haves:

1. Network redundancy for external and internal connections; multiple ISPs used.
2. Storage redundancy
3. Server redundancy (automatic geographic failover would be nice too). The redundancy is for proxies, web, app, db AND storage tiers.
4. Change management process with scheduled maintenance windows. They shouldn’t let developers login to production servers – EVER, period.
5. Version control used for all aspects of the service – documentation, web templates, AND the code.
6. Automatic processes to deploy updated code, templates, and images onto the production servers. If it is automated, they are less likely to forget a key part of the update at 4am Saturday.
7. Extremely clear security policies. Use of SSL alone doesn’t cut it. How are client passwords managed. How are links between your systems and theirs secured? What prevents other customers from seeing your data due to a bug or inside job? What guaranties do they provide that their people won"t steal your data? Are they bonded and insured? How much insurance?
8. 100% coverage regression testing prior to deployment to production
9. Per client DBs; You don’t want your data mixing with another client’s data inside the same DB.
10. Disaster Recovery RTO and RPO documented AND DR plans tested.
    Get all these things placed into the contract with a clause that any material changes need to be approved by you with 45 day notice. This part protects your, but it also adds a level of responsibility that you probably wanted to avoid.

Mitigation Strategies

Some of those solution providers sell/give excellent solutions. It will be very difficult to stop your marketing department or CEO from demanding you deploy to these services. They probably already have accounts and may have connected feeds from your internal systems without your knowledge too. They don’t know any better. To mitigate their issues, you need to

1. backup 100% of the data the service holds, daily
2. have a way to access that data without an active internet connection
3. have a way to import that data into another system, not connected to the provider

Go ahead and use these SaaS providers, but with the backup and ready-for-failure stance.

RMS proposes a completely different answer – avoid SaaS 100%, always, period. That can work, but it won’t be politically advisable inside most fast-paced companies trying to save money and gain access to services as-needed.

SaaS is Complex

SaaS is complex when you look at the risks involved for your company. If you need help, consulting services are available to help you make the best decisions for your needs. Don’t let the $30/month per account price for many of these services convince you everything will be fine. A very few of these SaaS providers will be truly redundant, but hopefully they will mature and get better and better.

Another security conscious tech guy has some excellent points.