With continued interest in software-as-a-service (SaaS) as a cloud model, concerns about SaaS security are also growing. Total cost of ownership (TCO) used to be the most frequently cited roadblock among potential SaaS customers. But as cloud services are used more often for strategic and mission-critical business applications, security now sits at the top of the list. According to an earlier Capgemini study, fear of security breaches had been a significant factor holding back cloud adoption. Even so, the cloud keeps its spot on CIO priority lists because it promises reduced cost, faster time to market and operational efficiency.

So, is fear of security breaches really what is holding back cloud adoption now? No; I believe it is more a matter of poor planning and a lack of understanding of how a cloud model like SaaS should be used. Weak security planning and limited infrastructure knowledge are both obstacles to implementing secure cloud initiatives.

SaaS as a cloud model is focused on managing access to applications. The first step to better SaaS security is gaining visibility into which cloud services are in use across the organization and the risk each one carries. The point is not to replicate your organization in the cloud, but to extend it to the edge of the network to better enable your employees, your customers and your ecosystem. As the first step in enterprise-grade cloud security, enterprises need to analyze the use of all cloud services in order to identify opportunities to enable employees by subscribing to specific services, to reduce risk and cost by consolidating and better managing subscriptions, and to highlight atypical behavior that may indicate a security breach, a data leak or a compliance violation.
What has to change in an enterprise’s approach to create a more secure SaaS model?
Focus on the following items:
Internal identity and access management (IAM)
IAM in the cloud has improved, but it still has some way to go. My point is that identity management in the cloud should not take priority over what is done inside the enterprise firewall. Some third-party technologies let IT extend role-based access controls into the cloud with single sign-on; alternatively, firms can use a security platform that already has well-structured IAM in place. There is also the problem of employees accessing SaaS products without the enterprise's knowledge and outside its IT policy. The keys to preventing this are educating employees and using network monitoring and Web filtering technologies to see which services are actually in use.
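The visibility step described above (inventory every cloud service in use, flag the unsanctioned ones, and surface atypical behavior such as an unusually large upload) can be prototyped against outbound web-proxy logs. The script below is an added illustration, not code from the original article or from any vendor product it mentions. Everything in it is constructed: the log format (timestamp, user, destination host, HTTP method, bytes sent), the hostname-to-service catalogue with its sanctioned/unsanctioned flags, the sample log lines, and the upload thresholds, which are a starting point rather than tuned values.

```python
"""Discover SaaS usage in web-proxy logs, flag unsanctioned services and
unusually large uploads.  Added example with a constructed log format,
catalogue and thresholds; none of it comes from a real environment."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional, Tuple

# Constructed catalogue: hostname suffix -> (service name, sanctioned?).
# The *.example-* hosts are hypothetical placeholders.
SAAS_CATALOGUE: Dict[str, Tuple[str, bool]] = {
    "salesforce.com": ("Salesforce", True),
    "google.com": ("Google Apps", True),
    "example-filedrop.net": ("ExampleFileDrop", False),  # unsanctioned file sharing
    "example-notes.io": ("ExampleNotes", False),         # unsanctioned note taking
}

# Constructed proxy records: <timestamp> <user> <host> <method> <bytes_out>
SAMPLE_LOG: List[str] = """\
2015-06-01T09:00:01 alice login.salesforce.com GET 512
2015-06-01T09:01:10 alice docs.google.com POST 20480
2015-06-01T09:05:33 bob app.example-notes.io GET 1024
2015-06-01T09:07:02 bob app.example-notes.io POST 4096
2015-06-01T09:15:47 alice docs.google.com POST 18000
2015-06-01T09:18:12 carol docs.google.com POST 15000
2015-06-01T09:19:40 carol docs.google.com POST 12000
2015-06-01T09:20:05 carol upload.example-filedrop.net POST 52428800
2015-06-01T09:21:00 carol upload.example-filedrop.net GET 300
2015-06-01T09:22:10 carol docs.google.com POST 9000
2015-06-01T09:30:00 dave www.example-weather.org GET 2048
""".splitlines()


@dataclass
class ProxyEvent:
    user: str
    host: str
    method: str
    bytes_out: int


def parse_line(line: str) -> ProxyEvent:
    """Parse one space-separated record in the constructed format above."""
    _ts, user, host, method, bytes_out = line.split()
    return ProxyEvent(user, host, method, int(bytes_out))


def classify(host: str) -> Optional[Tuple[str, bool]]:
    """Map a destination host to a catalogue entry by domain-suffix match."""
    for suffix, entry in SAAS_CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return entry
    return None  # not a known SaaS service; ignored by the inventory


def inventory(lines: List[str]) -> Dict[str, dict]:
    """Build {service: {"sanctioned": bool, "users": set, "bytes_out": int}}."""
    inv: Dict[str, dict] = {}
    for line in lines:
        ev = parse_line(line)
        entry = classify(ev.host)
        if entry is None:
            continue
        name, sanctioned = entry
        rec = inv.setdefault(name, {"sanctioned": sanctioned, "users": set(), "bytes_out": 0})
        rec["users"].add(ev.user)
        rec["bytes_out"] += ev.bytes_out
    return inv


def find_unsanctioned(inv: Dict[str, dict]) -> List[str]:
    """Services seen in the logs that policy has not approved."""
    return sorted(name for name, rec in inv.items() if not rec["sanctioned"])


def find_large_uploads(lines: List[str], factor: float = 10.0,
                       min_bytes: int = 1_000_000) -> List[Tuple[str, str, int]]:
    """Flag single uploads (POST/PUT) that exceed both an absolute floor and
    `factor` times the same user's median upload size, so one-off spikes
    stand out against that user's own baseline."""
    events = [parse_line(line) for line in lines]
    uploads = defaultdict(list)
    for ev in events:
        if ev.method in ("POST", "PUT"):
            uploads[ev.user].append(ev.bytes_out)
    flagged = []
    for ev in events:
        if ev.method not in ("POST", "PUT"):
            continue
        baseline = median(uploads[ev.user])
        if ev.bytes_out >= min_bytes and ev.bytes_out > factor * baseline:
            flagged.append((ev.user, ev.host, ev.bytes_out))
    return flagged


if __name__ == "__main__":
    inv = inventory(SAMPLE_LOG)
    for name, rec in sorted(inv.items()):
        print(f"{name:16} sanctioned={rec['sanctioned']} users={sorted(rec['users'])} bytes_out={rec['bytes_out']}")
    print("unsanctioned:", find_unsanctioned(inv))
    print("large uploads:", find_large_uploads(SAMPLE_LOG))
```

The per-user median baseline is deliberate: an absolute byte threshold alone would flag every user whose normal work involves large files, while a relative threshold alone would flag trivially small spikes. The inventory output is what the article's first step asks for, a list of services actually in use with who uses them, from which consolidation and policy decisions can follow.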
Greater focus on endpoint security
A major benefit of SaaS is that business applications can be accessed wherever there is Internet connectivity, but this also poses new risks. Coupled with the proliferation of laptops and mobile devices, SaaS makes it even more important for IT shops to secure endpoints. Enterprises that make use of SaaS need to implement policies that control connectivity. They should be able to enforce SaaS security policies for mobile-to-cloud access to approved cloud services without requiring an agent on the device or a VPN to backhaul traffic through the corporate network. This is an area worth investing in now. Access can also be regulated with secure Web gateway appliances from vendors such as Cisco or Blue Coat, which broker the connection between a customer and cloud services.
Better integration between enterprise data and third party apps
Google has a Secure Data Connector that forms an encrypted connection between a customer's data and Google's business applications, while letting the customer control which employees may access Google Apps resources. Salesforce provides a similar tool. But this approach becomes cumbersome: customers that use numerous SaaS applications can find themselves dealing with many different security tools, one per vendor. Third-party products at least offer the advantage of connecting to many different types of SaaS applications through one tool, which reduces that complexity.
Focus on cloud standards
Standards bodies are also developing their own guidelines for cloud standards, which include coverage of security. The largest and arguably most comprehensive player in cloud security standards is the Cloud Security Alliance (CSA). With corporate members including Amazon Web Services, Microsoft, Oracle and Salesforce, most blue-chip cloud service providers have a stake in the CSA. Customers evaluating cloud providers are warned against placing too much weight on SAS 70 certification, as SAS 70 has been criticized for representing a snapshot in time that may not reflect a service provider's ongoing performance.
Ask for cloud vendor security process transparency
In the past, SaaS vendors have been rather secretive about their security processes. If this is a concern, then enterprises need to be more demanding about the details of how data centers are secured and how vendors segregate data in multi-tenant systems. You also need to know where your data sits: for data, location matters because of regulatory compliance and privacy concerns. If you have any other suggestions, please feel free to add them in the comments section below. To learn more about staying secure in the cloud, find out what 18 experts advise for effective and secure cloud migration, here.
About the Author: Dr. Alea Fairchild is an Entrepreneur-in-Residence at Blue Hill Research. As a technology commentator, she has a broad presence both in the traditional media and online. Alea covers the convergence of technology in the cloud, mobile and social spaces, and helps global enterprises understand the competitive marketplace and profit from digital process redesign. She has expertise in the following industries: industrial automation, computer/networking, telecom, financial services, media, transport logistics and manufacturing. Her clients include commercial, government/public sector, NGO and trade association organizations. Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.