Saturday 10 February 2018

SaaS is a big boys' game now.

With the release of Chrome V68 planned for July this year, all external websites not using HTTPS will be marked as “not secure” by default. I expect this event to be followed by protests that this will ‘break’ a number of important web sites that education relies on.

Perhaps a more measured response would be to question why these important web services are still transmitting data relating to staff and students across a public network without encryption.

Analysis of the traffic shows that over 78% of all traffic on Chrome OS already uses HTTPS. The technology is simple to implement and is well understood and so, after many years of cajoling, Google have decided to call time on the remaining traffic. There can be no complaints.

While we’re on the subject, let's add a few more things that need to be shown the exit.


Adobe Flash.
No more Adobe Flash. The software is inherently insecure, it can’t be fixed and it has no place in a modern web app. With the release of V56 of Chrome, Google started blocking Flash by default, and although there are workarounds to re-enable the plug-in, vendors should see this as a clear warning that the days of Flash are numbered. Adobe has announced that support for Flash will end in 2020, giving a fixed date for its final demise, which is only 20 months away. Ask your vendor when you can expect to see a Flash-free version of the site. If you get no response then you need to start looking for an alternative.

Local user databases.
SaaS services should have the option to use the authentication services and directories provided by Google and Microsoft. Nobody should expect to maintain a separate user database with passwords any more, especially within education.

Lack of a data policy.
In the European region, new data protection regulations under the banner of GDPR are now in place and from May 25th it will have a global reach. While the SaaS application might be based in a non-EU location, so long as the subscribers that use the service are located in the EU the publisher must comply with the regulations.

Other than having a clear policy as to why data is being stored and how it’s being used, the rules cover a whole range of requirements including physical security and the Right to Erasure (“Right to be Forgotten”). While the big players such as Google G Suite and MS Office 365 have moved quickly to fulfil these requirements, other SaaS providers have still to make their position clear. In the past these policies were simply considered good practice, but in the future the legal team could get involved and that's not a good place to be. So ask the question of your SaaS vendor: “Do you comply with local data protection standards?”



SaaS is maturing into a powerful platform for delivering software to all sectors of the economy and the days of the enthusiast website are over. Individuals and small teams can still create amazing services using the development tools provided by the public cloud. In fact the time has never been better to make that pitch - but you have to get it right from the start.

For those services that were launched a decade ago that are still running Flash over HTTP with a local user account database, I’m afraid those days are numbered, because Google, Microsoft and the regulation authorities are pulling the shutters down. Not before time.

SaaS is a ‘big boys’ game now and that includes HTTPS.