There can be many reasons to consider cloud (SaaS) based offerings. However, make sure to consider the cyber security differences before making a decision.
The main difference is that, because the IT is outsourced, you may have considerably less visibility into access logs and events.
The following is a short list of items you may want to inquire about or consider when deciding whether to use outsourced offerings:
- The ability to restrict source addresses and countries specifically for your server or service. While not a complete remedy, and easy to bypass, it can reduce the noise if your user base is mostly local.
- The ability to be notified of brute force logins, both for all users as an admin and for just the user themselves. This matters for detecting brute force and dictionary attacks against passwords: being blind to them means you won't see the attempts before one succeeds.
- Full access logging of logins and counts of changes; basically, the ability to detect unusual patterns of access or database changes.
- Detailed audit logging. Self-explanatory, but important for properly assessing the damage done after either a breach or a renegade employee.
- Daily reports of security access events. Important for detecting a change in patterns and an indication that you're now a target of interest.
- A comprehensive, detailed plan on the provider's side for replication across multiple sites during an outage. I often see physical security bragged about, but during a DDoS or a local catastrophe, replication is what matters for quick recovery.
- A clearly stated SLA backed up with clear recovery plans. Of course, SLAs are just documents to make people happy; more important is the ability to deliver on one.
- Statements about what happens when the US government (or any other government) demands that data be handed over. Will you (can you) be told? Will your data be included with others'? You might not hear what you want.
- If the above cannot be assured, individual personal encryption of your data, with salt.
- 24x7 technical personnel access by phone.
- The ability to have a private virtual server instance(s).
- The ability to have or provide your own private virtual firewall instance to augment the concerns above. With that ability you can create your own security policies, logging and notifications for several concerns.
- The ability to run your own VPN into your virtual space and optionally add two-factor authentication, hence additional security and logging.
- The confirmation and knowledge that the hosting site has DDoS protection that scales during an attack.
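To make the brute force notification and access-pattern items above concrete, here is an added example (not part of the original post) of the three checks you would want a provider, or your own virtual firewall, to perform on authentication events: a per-user failure burst, a failure burst across all users that an admin should see, and a success that follows a burst of failures. The log format, thresholds and sample lines are all constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, "timestamp user result source" per line; this is
# an assumed format for the example, not any provider's real log layout.
SAMPLE_LOG = """\
2024-01-10T09:00:01Z alice FAIL 203.0.113.5
2024-01-10T09:00:04Z alice FAIL 203.0.113.5
2024-01-10T09:00:07Z alice FAIL 203.0.113.5
2024-01-10T09:00:10Z alice FAIL 203.0.113.5
2024-01-10T09:00:12Z alice FAIL 203.0.113.5
2024-01-10T09:00:15Z alice OK 203.0.113.5
2024-01-10T09:10:00Z bob FAIL 198.51.100.9
2024-01-10T09:10:30Z carol FAIL 198.51.100.9
2024-01-10T09:11:00Z dave FAIL 198.51.100.9
2024-01-10T09:11:30Z erin FAIL 198.51.100.9
2024-01-10T09:12:00Z frank FAIL 198.51.100.9
2024-01-10T09:12:30Z grace FAIL 198.51.100.9
2024-01-10T11:00:00Z bob OK 192.0.2.20
"""

def parse_log(text):
    """Parse lines into (timestamp, user, result, source) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, result, src = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, src))
    return sorted(events)

def detect(events, window=timedelta(minutes=5), per_user=5, global_max=6):
    """Sliding-window checks: failures per user (what the user should be told),
    failures across all users (what the admin should be told), and a success
    right after a burst of failures (a likely guessed password)."""
    user_fails = defaultdict(list)   # user -> failure timestamps still in window
    all_fails = []                   # (timestamp, user) failures still in window
    report = {"user_alerts": set(), "admin_alerts": [], "suspect_logins": []}
    for ts, user, result, src in events:
        user_fails[user] = [t for t in user_fails[user] if ts - t <= window]
        all_fails = [(t, u) for t, u in all_fails if ts - t <= window]
        if result == "FAIL":
            user_fails[user].append(ts)
            all_fails.append((ts, user))
            if len(user_fails[user]) == per_user:      # fire once per burst
                report["user_alerts"].add(user)
            if len(all_fails) == global_max:            # fire once as crossed
                report["admin_alerts"].append((ts, sorted({u for _, u in all_fails})))
        elif len(user_fails[user]) >= per_user:         # success after a burst
            report["suspect_logins"].append((user, src))
    return report
```

Running `detect(parse_log(SAMPLE_LOG))` flags alice's burst and her subsequent login as suspect, and raises one admin alert for the spread of failures across six accounts from a single source; bob's later success is not flagged because his one failure has aged out of the window.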
Cloud and SaaS offerings differ, but I cannot imagine having any mission-critical applications or data hosted by someone else without the additional visibility and controls mentioned above.