WYSIWYG

Security column February 2017

Frank Breedijk
Feb 15, 2017

Since I’m a forty-something Dutch guy, the first word processor I started to use after the typewriter was Word Perfect. This is the word processor I used in school and wrote my graduate thesis on. One of the “features” of Word Perfect was what the Dutch called the underwater screen.

The underwater screen allowed a user to actually see what special characters Word Perfect was using as an internal representation of the document as it would be formatted on the printer. When later versions of Word Perfect started to provide a What You See Is What You Get or WYSIWYG interface, the underwater screen remained present in Word Perfect, because the typical Word Perfect user was so used to it.

When I was nearing the end of my studies and had to write my thesis, one of my co-students was already working for Microsoft Netherlands and he was trying hard to convert me from a Word Perfect user to a Microsoft Word user. We had countless discussions about this and usually these discussions would turn into an argument where I stated that I couldn’t use Word because it lacked the underwater screen and he countered that the fact that I needed the underwater screen was actually a sign that the WYSIWYG editor of Word Perfect was flawed in the first place.

In 20/20 hindsight, he was right. As I started to work in the real world and had to, grudgingly at first, work with Word more and more, I started to understand that if the editor worked right, I didn’t need to understand what happened under the hood. Although I must say that earlier versions of Word could do “interesting stuff” to your document every now and then.

The underwater screen was a way for users to see what happened under the hood and thus to help a user determine what he had to fix in his document in a not 100% perfect WYSIWYG editor.

In a sense, the switch from software running on on-premise servers to Software as a Service running in a cloud somewhere resembles the switch from Word Perfect to Word. Sure, the Word Perfect interface wasn’t perfect, but it provided users with a tool to see and understand what happened under the hood and thus gave the user the confidence that problems could be spotted and fixed or even avoided. Word in the end turned out to be the better word processor, but did not provide users insight into what happened under the hood.

Today, SaaS solutions often provide more features at a lower price than running the software on a local server, especially if the costs of maintaining the server and software lifecycle management are included in the business case, but SaaS providers cannot provide an underwater screen that allows the user to view what is really happening under the hood.

As with Word, users will have to trust that if the service/document looks good on the screen, it is actually technically sound as well and the end result/printout will be as you expect. I have no doubt that this is the intention of most, if not all, SaaS providers, but accidents do happen, as e.g. the recent incident at GitLab shows.

While many companies may be better off using modern-day SaaS services instead of running their own infrastructures, it remains very hard for the consumers of these services to actually determine the quality of the underlying technology and operations. Switching from on-premise to SaaS is often a leap of faith.

Luckily, this does not have to be a blind leap of faith. Frameworks like the Cloud Controls Matrix of the Cloud Security Alliance (CSA CCM) provide consumers of cloud services with a list of controls to look into when consuming cloud services.

Additionally, Assurance Statements like an ISAE3000 or ISAE3402 statement are intended to provide a statement of an independent third party on the suitability of design and existence (and in case of a type 2 statement also on the operational effectiveness) of the controls described in the statement.

In a sense, an ISAE3000 type 2 statement is like my friend telling me that I don’t need the underwater screen because the WYSIWYG editor of Word is working well.

I remember having to switch from Word Perfect to Word caused me some anxiety at the time, especially as I was so used to being able to see what was going on in the underwater screen in Word Perfect. As a security officer working for a company that is good at running software on servers we set up and host ourselves, I’m very used to being able to see all the parts move. As SaaS solutions are becoming increasingly prevalent, also for our customers, I will have to get used to the reduced visibility in this scenario and learn to trust the WYSIWYG editor, supported by my friend the ISAE3000 statement.

Is what you see what you get with SaaS solutions, and is it really better in the long run? Only time will tell, but hey, I am typing this column in Word, not Word Perfect.

Frank Breedijk
February 2017

P.S. My first word processor was actually Easy Script on my Commodore 64. But, as the Americans say, that is the same difference.

Originally published at cupfighter.net.
