A. About 10 years ago SaaS (Software as a Service) was first mentioned in an article called “Strategic Backgrounder: Software as a Service.” It was published in February 2001 by the Software & Information Industry’s (SIIA) eBusiness Division. Since then software providers have noticed a definite rise in consumers choosing this option over the more traditional local install.
At Simplisys, we have seen a definite rise in customers choosing the SaaS option with 85% of new customers opting for a managed service.
The SaaS option can offer many benefits such as:
- Recurring subscription fee (pay as you use).
- All upgrades included and provided more frequently than onsite install
- Bug fixes and updates are applied to all customers at once resulting in stable software and lower costs.
- Increasing number of users does not increase the base cost as there is no hardware to maintain
- Licensing costs therefore are directly aligned with usage.
- Does not require server hardware as it is all hosted in our state of the art data centre.
- Uses existing internet connection and web browser.
- SaaS offering provides data centre level security, which is difficult to achieve on-site.
- Often easy application configuration via an Administration console. Also third party product integration using an API (Application Programming Interface) means more control by the client with less input from the vendor.
- SaaS has the scalability to add additional licences or users to the software as quickly and easily as picking up the phone.
Here at Simplisys we are happy to help with any questions you might have; just give us a call on 01275 240500 or email email@example.com.
Security of the platform is supported at every level of the platform architecture from the external connections through to the SaaS infrastructure, application and database. Within the application architecture, there are several levels which all support the security of the application.
All connections to the platform are made over a secure connection supported by SSL encryption. This includes all user interface connections as well as any components installed on the customer network that connect to the hosted platform. This includes Active Directory synchronisation, email integration, integration with other systems and any use of the API. Each of these integration options may connect to an external interface either directly from the hosted platform or from within the customer network, so such connections do not have to be exposed to the internet other than via the secure connection back to the hosted platform. This also means that the external interfaces can remain internal to the customer network and do not need to be internet facing.
The security of username and password authentication in Simplisys is supported in a number of ways. Strong password rules force users to use different types of characters in their passwords as well as preventing them from using the same or similar passwords as their username. Passwords may be set to automatically expire after a certain period of time, after which the user must specify a new password. When selecting a new password, a user may not use the same password twice in a row. In addition to the automatically expiring passwords, a user may opt to change their password at any time after login.
A user account will be locked after a set number of failed login attempts. This means that a user's password cannot be obtained using enumeration techniques. Username enumeration is also not possible due to the way information is presented after a failed login attempt. In addition to this, details of all failed login attempts will be recorded in the database. Database logs of failed login requests will not store details of passwords entered during the failed request.
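The lockout, uniform failure response and password-free logging described above can be sketched as follows. This is an added example, not Simplisys code; the threshold of 5, the class and field names and the in-memory stores are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

MAX_FAILED = 5  # assumed threshold; the page only says "a set number"
GENERIC_ERROR = "Invalid username or password."  # identical text for every failure


def _hash(password, salt):
    # Slow salted hash, so the stored value does not reveal the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginService:
    def __init__(self):
        self.users = {}      # username -> (salt, password_hash)
        self.failures = {}   # username -> consecutive failed attempts
        self.audit_log = []  # failed-attempt records; never holds the password
        self._dummy_salt = os.urandom(16)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))

    def login(self, username, password, source_ip):
        record = self.users.get(username)
        salt, stored = record if record else (self._dummy_salt, b"")
        # Hash even for unknown users so timing does not reveal which names exist.
        candidate = _hash(password, salt)
        locked = self.failures.get(username, 0) >= MAX_FAILED
        ok = record is not None and not locked and hmac.compare_digest(candidate, stored)
        if ok:
            self.failures.pop(username, None)
            return True, "OK"
        # Unknown names are counted too, so they behave exactly like real accounts.
        self.failures[username] = self.failures.get(username, 0) + 1
        self.audit_log.append({"ts": time.time(), "username": username,
                               "source_ip": source_ip, "locked": locked})
        return False, GENERIC_ERROR
```

A locked account returns the same message as a wrong password or an unknown name, so the response never confirms that an account exists.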
User passwords will not become visible to any person, including any user with administrative permissions to the database or any individual who may have access to reporting information or database access. This includes customer personnel, reseller personnel and Simplisys personnel. Self Service passwords are covered by the same rules as the main application passwords.
When using Windows authentication on the hosted platform, a component is required to be installed on the customer network. The Windows infrastructure on the customer network will then handle the basic authentication of each user. Specific details of the user who is to access the application are then passed to the hosted application via a secure web connection from the onsite component. The onsite component is then given an authentication key which is then passed back to the client PC to be submitted by the user’s browser. This authentication key is temporary and is invalidated after its first use or after a short time period if it is not used.
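A single-use, time-limited authentication key of the kind described above can be modelled as below. This is an added example, not Simplisys code; the 30-second lifetime, the class name `OneTimeKeyStore` and the in-memory store are assumptions.

```python
import hashlib
import secrets
import time

KEY_TTL_SECONDS = 30  # assumed value; the page only says "a short time period"


class OneTimeKeyStore:
    """Hosted side: issues keys to the onsite component, redeems them from browsers."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # sha256(key) -> (username, expiry)

    @staticmethod
    def _digest(key):
        # Only a digest is kept, so a dump of the store does not yield usable keys.
        return hashlib.sha256(key.encode()).hexdigest()

    def issue(self, username):
        key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(key)] = (username, self._clock() + KEY_TTL_SECONDS)
        return key

    def redeem(self, key):
        # pop() removes the entry whether or not it is still valid: first use is last use.
        entry = self._pending.pop(self._digest(key), None)
        if entry is None:
            return None  # unknown, forged or already used
        username, expiry = entry
        if self._clock() > expiry:
            return None  # issued but not used within the time window
        return username
```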
Simplisys is a fully role-based application which helps to protect customer data by allowing customers to disclose as little as they choose to each individual user. Roles in the application allow detailed control over the records which may be accessed by an individual user. Based on role settings, a user may be restricted from viewing a certain class of record, may only be able to see the records for which they are the assignee, may only see records which are assigned to a group of which they are a member, or may have full access to the record class.
In addition to record classes, permissions may also be set at the level of record type. Record types in Simplisys are definable by administrative users. To give an example, an ‘Incident’ in Simplisys is a record class. An administrator may split Incidents into two types: ‘Breakdown’ or ‘Advice’. Permissions may then be set differently for ‘Breakdown’ type incidents than they are for ‘Advice’ type incidents.
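The four access levels and the per-type settings described above can be expressed as one access decision. This is an added example, not Simplisys code; the names are hypothetical, and it assumes that a type-level setting overrides the class-level one and that anything unspecified is denied.

```python
from dataclasses import dataclass, field
from enum import Enum


class Access(Enum):
    NONE = "none"          # may not view this class of record
    ASSIGNEE = "assignee"  # only records assigned to the user
    GROUP = "group"        # only records assigned to one of the user's groups
    FULL = "full"          # every record of the class


@dataclass
class Role:
    by_class: dict = field(default_factory=dict)  # record class -> Access
    by_type: dict = field(default_factory=dict)   # (record class, record type) -> Access


@dataclass
class User:
    name: str
    groups: set
    role: Role


@dataclass
class Record:
    record_class: str
    record_type: str
    assignee: str
    group: str


def can_view(user, record):
    role = user.role
    # Assumption: the type-level setting wins over the class-level one; default is deny.
    level = role.by_type.get((record.record_class, record.record_type),
                             role.by_class.get(record.record_class, Access.NONE))
    if level is Access.FULL:
        return True
    if level is Access.ASSIGNEE:
        return record.assignee == user.name
    if level is Access.GROUP:
        return record.group in user.groups
    return False
```

Calling the same check on every record fetch, including fetches by record ID, is what keeps a user from reaching a record by editing the URL.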
The database is not available via direct remote connection. Access to the data in the database must go via the application or API and so always includes the application controls on permissions.
The database connection between the application and the database uses a database user account which only has access to the customer database being accessed. The user account does not have any permission for any of the other customer databases available on the hosted platform. This means that if an attacker ever managed to get past the other layers of security and compromise the database from within the web interface to the application, they would still be limited to data from their own database and not any other customer databases.
General Application Security Features
- When error messages are displayed, no technical information about the inner workings of the application is displayed.
- After logout, a user’s session is completely invalidated and removes access to all system resources.
- A user may not bypass the permissions allowed by their role using direct modification of the URL.
- All data entry fields are protected from various types of injection attacks.
General Infrastructure Security Features
- All infrastructure is behind a Cisco ASA firewall.
- Windows Updates are kept up to date.
- Frequent Virus scans with McAfee anti-Virus.
- Annual Server Security Audit.
Data Centre Security
Our data centre's operational business infrastructure is compliant with the PCI DSS, which is a worldwide security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC). Security features of the data centre include the following:
- 24 hour onsite security personnel
- CCTV security systems
- Cage and entry door access control
- All security systems constantly monitored
Security reviews are to be carried out annually. This will include penetration testing, a review of security related incidents, a review of technical logs and any additional information gained by technical personnel. The aim of the review is to identify any weaknesses in the security of the platform and any potential threat areas and to make recommendations to improve the security of the platform.
Security related processes will also be reviewed annually along with all other processes as part of our ISO 9001 certification requirements.
We provide a number of different courses: User Training, System Administrator Training, Custom Report Writing etc. These can be delivered in various formats as required, including ‘one to one’, ‘train the trainer’, ‘product workshops’ and ‘mentoring’. All courses are available on site or in our training room at Portishead, Bristol.
We believe in delivering first class training to address our customers’ specific educational requirements. Furthermore, all training is delivered with our customers’ specific skill level in mind to ensure maximum knowledge transfer and retention.
A. There are two different methods of purchasing and installing Simplisys Service Desk: on premise or fully hosted (Software as a Service).
Locally Installed (On premise): Simplisys Service Desk is purchased outright and installed on the client’s servers. Installations are supplied with an annual Support and Maintenance Contract covering product support and upgrades to future version releases in the conventional way.
Software as a Service (Hosted): SaaS is where the software is installed in a Simplisys-managed data centre and delivered as a service via the internet. End users rent access to the service on an annual basis.
Both options have advantages and disadvantages, so which choice is right for your business?
SaaS Advantages and Disadvantages
Though there are no disadvantages to SaaS, there are reasons why some people are still wary about using this type of installation. These include weak data protection, unreliability and the feeling of being out of control.
Traditional onsite install Advantages and disadvantages…
Whatever software installation option you choose, make sure it has the opportunity to grow with you as a business and adapt to your ever-changing business environment.
The service desk market has had a definite shift in its view of software as a service. It is no longer thought of as an inferior choice; these days it is often the chosen preference of many companies.
A. Support & Maintenance Services supplied by Simplisys are designed to provide customers, who have current product license(s) and an extant Service Contract, with an ongoing high-level quality support to enable them to continue to exploit their investment in Simplisys products and services.
A. Configuration requirements for an Onsite installation of Simplisys Service Desk are outlined in the onsite server requirements document below.
A. Please click on the below link to view the Password Reset Utility document.
Password Reset Utility PDF download