Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

Cloud Providers: A Roadmap of What NOT to do to Your Customers

SaaS Providers –  A Roadmap of What NOT to do to Your Customers

I’ve gone on and on about how cloud providers offer services as soon as said services are available. Security isn’t the priority. Feature set is driven by monetary momentum. Development dollars swirl around new features for new money. That’s just part of the joy of capitalism. Cloud providers, this one is for you. I present to you a list of “What Not to Do to Your Customers.”

SaaS Providers –  A Roadmap of What NOT to do to Your Customers

I’ve gone on and on about how cloud providers offer services as soon as said services are available. Security isn’t the priority. Feature set is driven by monetary momentum. Development dollars swirl around new features for new money. That’s just part of the joy of capitalism. Cloud providers, this one is for you. I present to you a list of “What Not to Do to Your Customers.”

How Not to Treat CustomersEveryone loves a good upgrade, especially when that upgrade brings new tools, additional time/resource/development savings, a new feature set and helps customers in some way. But as a cloud provider, when you offer this upgrade, it should never be an over-night switch without a whole host of contingency built in. Customers losing access to the services, losing their data or losing their own customers is a risk. Rather than put yourself in a compromised position with your customers, their data and your bottom dollar, you have some work to do. So no hasty cloud upgrades!

If you are a software-as-a-service provider, whether it be contact management, email, a social media website, or something else entirely, make sure your customers know the upgrade is coming and can take steps to ensure that your upgrade doesn’t leave them treading water while you fix those unforeseen bugs . Customers can’t tread water forever. And you’d hate for your customers to drown because of your negligence. So, keep your customers in the loop. Make sure they understand what changes are happening, how the changes will benefit them, what the time frame is for the upgrade, and what the potential risks are. Don’t just pull the trigger and hope that your customers will be okay with the result.

Customers should have the ability to opt out of the upgrade if necessary. I know it can be a big deal to have a mixed software environment, but losing your customers is a bigger deal. The cloud isn’t a dictatorship.

If the upgrade goes to hell in a hand basket, offer a rollback to the last stable version for your customers. Or do a slow roll out across the customer base so that customer issues can be solved, familiarity with the upgrade problems can be established (lab testing is only so reliable), and resolutions can be found. Real world upgrades seem to always have a gremlin or two hiding in the data. So when doing the upgrade to a new version, or adding features, keep the installation disks of that prior version around. It’s also not a bad idea to offer customers a choice of time frames in which to do the upgrade. Most businesses have a code freeze from December to February because of the Christmas holiday. Hence, it’s a bad idea for you to do the upgrade in that time frame. But not every business is bound by the holiday season. For some, the busy season might be tax season. Or summertime. Or Halloween. Who knows. Best to give the option of upgrade time back to the customers based on their “busy season.”

For your customers, this isn’t a hobby. It’s business. And mitigating any risk possible is a requirement, not an option. So as a cloud provider, whether you’re offering SAAS or PAAS or IAAS, offer your customers a time frame to opt into for the upgrade. Don’t force feed it. Remember, you’re adding value to the software. You’re helping them—if you do it right. If you’re still hell bent on doing the upgrade, make sure the configuration settings of the current platform are kept for the new platform. With SAAS, PAAS or IAAS, customers will customize their tool to meet their needs. This requires man-hour resources, potential head count resources and maybe even development resources. So if you’re going to do the upgrade, make sure that at least the configuration of the software is maintained through the upgrade path to ease the process. Just remember your SLA. Chances are, you’re bound by some legal agreement to your customers. They will take you to the cleaners if you can’t maintain continuity per your contract, and in today’s social media world, bad press can and will stick with you. Best to put your best foot forward at all times, make your customers happy and enjoy the growth of your business as your customers enjoy the growth of theirs. You’re in a partnership. Your job is to make them successful. And as a result, you succeed too.

With upgrades come risk. Risk of losing data, risk of mixed-version environments, risk of security breach. Doing a full set of security testing on the software you plan on rolling out is best practice if you want to protect yourself, your customers and all of the people they do business with.

Advertisement. Scroll to continue reading.
Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Conversations

SecurityWeek talks to Billy Spears, CISO at Teradata (a multi-cloud analytics provider), and Lea Kissner, CISO at cloud security firm Lacework.

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to Outlook.com and Exchange Online.

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.