This blog post is written based on an interview with Carsten Lillelund Pedersen, Thinking as a Service, in the podcast Regnskabets Time, season 2 episode 3
We talked to one of the Danish pioneers in cloud infrastructure and data security, Carsten Lillelund Pedersen from Thinking as a Service, to get some more perspective on what initiatives companies should take and what they should expect from suppliers of SaaS. We also discussed why the old-fashioned adage “if it ain’t broke, don’t fix it” is not a good approach to IT systems and data security any more.
Interviewer: Welcome Carsten. Can you tell us about Thinking as a Service?
Carsten: Since people started working professionally with IT some 30-40 years ago, there have been different trends in regards to how IT is supposed to be viewed and used. In the beginning, IT was considered to be delivering technical services. This could be in the form of support or setting up local networks or servers. Today, we view IT as being a service that gets delivered. That is why cloud services like Software as a Service, Platform as a Service, Infrastructure as a Service, and Back up as a Service are the standard today and the norm in regards to what gets delivered when we are talking IT. It is the architecture behind those concepts and the counseling that we deal with in Thinking as a Service.
Interviewer: Carsten, you have spent the past 25 years working with data security. I was wondering if you could tell us something about the development in data security and cyber criminality?
Carsten: Yes. The development has followed the same wave as I mentioned before: IT has become more service-oriented. 25 years ago cyber criminality was considered by some guys sitting in a basement where they tried to hack their way into all kinds of places that were not protected. This has of course evolved into something more sophisticated. The newest trend of cyber criminality is actually that it has now also become a service. This means that just as there are tools to protect a company’s data, criminals now use IT tools to pull money out of companies that do not have 100% control over their security. It has become possible to offer such a service due to the rise of untraceable cryptocurrencies.
Interviewer: When we were preparing for this interview, you mentioned something that took me by surprise. You said that it is not always a good idea to store data in a cloud solution. Can you elaborate on that?
Carsten: It may be surprising for some, but a cloud solution is not always the best solution when it comes to storing data. However, it is important to understand the context. In the beginning, companies had data and networks in server rooms in the basement. And with quite a few people and resources, the company then had to try to provide all the IT tools it needed. This means that the IT department should provide web servers, mail systems, financial systems, file systems, administration systems, etc. When you have so many services to provide, and at the same time it is not the company’s core service, none of the services will turn out as good.
That is not an option anymore. That is why I recommend companies to go look for a cloud solution that gets delivered as SaaS. But if, on the other hand, it is the company’s core service – it could be a provider of Expense Management e.g. – then it must be on-premise. Then the company itself is responsible for operation, development, and maintenance. But the provider of the service in question must also have 100% control over its core service, which is why it is a good idea to host the solution on-premise. Anything other than the core service needs to be outsourced.
Interviewer: As a result of this development, many services are purchased as cloud solutions in Danish companies. I wonder if there are not some things that one should be aware of in relation to who is responsible for security?
In the first 20 years I spent working in IT, there was a saying: If it ain’t broke, don’t fix it”. This was because every time something was updated, mistakes followed. It was easier to leave things be until they did not work anymore. That is of course dangerous. The criminals do not refrain from updating their methods. This is precisely why you need to outsource everything that is not the company’s core service. This is because it is the SaaS suppliers in question who must maintain the applications and tools that you use yourself. This transfers the responsibility to your SaaS supplier. There are several factors that one can use to assess how good the SaaS provider is at protecting your data. A good way to assess this is by going to the App Store or Google Play and looking at how often the application is updated. The more, the better. It does not necessarily tell you everything about security, but it does give a nice hint.
It is therefore a good idea to make sure that someone is keeping an eye on your SaaS suppliers. It is not necessarily true that it is much easier to manage solutions and services if you outsource them. However, the data will be more secure. You cannot solve all problems yourself. That must be made clear.