Rational Security: On-Demand SaaS Vendors Able to Secure Assets Better than Customers?
An interesting post from Hoff on whether having data with SaaS vendors may leave you more or less secure overall.
I've had a couple of experiences of this over the years and I'll say that generally where I'm seeing data hosted out of the company using SaaS I tend to get less of a feeling of security rather than more.
A couple of reasons for this. Using SaaS adds complexity to areas like leavers/movers/starters procedures as there's another notification point for these, and as we know most companies aren't perfect at leavers policies, so you can introduce risks that people who have left can still get access to company data.
Also there's no really good way to easily assure the 3rd parties security. As Hoff alludes to, a lot of companies think SAS70 == Security, which just ain't the case (although it can be useful for getting assurance over the performance of some security related procedures). So you're left with either engaging in a lengthy assurance process which probably isn't practical if you have a lot of SaaS vendors, or relying on a combination of Pen Test/SAS 70/contract.
Of course, this is complicated even more where the SaaS vendor outsources some of their functions like site hosting, as then you have hierarchies of trust with each agent having similar difficulties in trying to assure the security of the companies they rely on.