Recently, Secratic Managing Partner, Daniel Ayala, wrote a series of pieces for one of our clients, LabArchives (https://labarchives.com) on the benefits and challenges of securing SaaS systems in the cloud.
This is an excerpt from the final part of a three-part series on the benefits and challenges of securing SaaS and cloud applications, written on behalf of one of Secratic’s clients, LabArchives.
In Part I and Part II of this series, we discussed the trends toward cloud-based or SaaS (Software as a Service) and away from the long-standing concept of a local data centre and internal network. We’ve reviewed the value and speed of technology advancements that come with cloud service, but today we’re going to dive into the financial implications of utilizing a cloud service over a local data centre.
Meet the Demands
If you have ever gone through a capital planning exercise, you know that there is a part of the equation that asks, “What is the useful life of this asset?” For capital expenditures such as local data centres (buildings, computers, and more), the longer the life of the asset, the more benefit there is to the organization. However, in technology, the useful life of hardware goes down as processing demands go up. A server bought five years ago will be significantly less productive today. As such, purchasing computing hardware for a data centre may not be the best way for organizations to invest. Cloud services allow the service provider to invest in purpose-built hardware, at a massive scale, to provide and update the systems needed by businesses and institutions more cost-effectively.
Coupling this with the ability to dynamically scale the amount of computing that an organization needs, another huge benefit of cloud computing becomes clear: buy the processing you need only when you need it, and remove other instances when you do not. To accomplish this in an on-premise offering, an organization would have to buy enough hardware to fill the peak need; the rest of the time the hardware would be mostly unused, but still costing the institution to depreciate and run.
Keeping out-of-use systems running increases the organization’s attack surface and creates unnecessary risk. Powering these systems down until the next peak takes time and effort to execute. And while they are off, systems may not receive security patches, so they remain at risk until they are updated after being turned back on at the next peak usage period.
As I mentioned at the beginning of this series, both on-premise and cloud-hosted environments are nothing if the application is not securely developed, with scalability and redundancy in mind, and appropriately operationalized by the support team. But as a CISO with experience in security and privacy in corporate and academic settings, my preference for the underlying infrastructure environment is increasingly swinging toward cloud-hosted.
With centrally managed SaaS applications built on top of cloud services, whenever features or security updates are released they are installed centrally and across the world, reducing the risk of exposure and ensuring the consistent deployment of fixes. Rather than waiting for internal technology or security staff to patch or update the application, SaaS users are always up-to-date.
Thanks to the significant research and development that goes into securing cloud technology at Amazon Web Services, Google Cloud, and Microsoft Azure, along with the architectural assurance of availability and scale, cloud services are more security-minded than ever before. Information security is based on three tenets: confidentiality, integrity, and availability. Cloud services and SaaS applications exist to support all three of these in robust ways that can benefit your organization.
You can read the complete original series at https://labarchives.com/blog