Feeds

Putting the SaaS into security management

Or at least put it in the contract

  • alert
  • submit to reddit

Boost IT visibility and business value

Hosted apps In all areas of business, security and privacy are built on good policy, properly applied. If you think moving to hosted services or software as a service (SaaS) changes this, then think again. While some aspects of security may be simplified, the cloud raises challenges in other areas.

From the perspective of systems administration, one area of security is much simpler to operate when using hosted and SaaS applications. The routine patching of the operating system, middleware and application becomes the concern of the service provider, thus relieving the in-house IT team of a number of processes. Delaying such tasks, as sometimes happens when resources are stretched, significantly increases the risk of security breaches.

The service provider should implement security patching as rapidly as possible, a matter which should be covered up front in discussions about service level agreements.

"Some vendors of SaaS maintain security policy databases that are not effectively integrated, producing a consistency nightmare."

Moving on to user and service provisioning, the primary requirement is to provide new users with appropriate access and, just as importantly, to remove access to the service, or parts of it, when they change jobs or leave.

One of the great selling points of many SaaS services is the speed with which they can provide access to services. But it is essential that whoever manages service provisioning understands the security and access requirements of the business. Deciding precisely what information and services Joyce in accounts or Brenda in HR can see remains the company’s responsibility.

Clearly, the implementation of access control relies on how well you capture your organisational structure and information management needs. Even more important is how well the tools provided with the service allow these to be translated into access control. This is familiar territory to those who routinely maintain Active Directory, LDAP or an equivalent directory system, but may be completely new to a line manager charged with controlling access to SaaS systems.

It is essential that the provider supplies effective solutions, preferably ones that can integrate with in-house systems. Some vendors of SaaS and hosted services maintain security policy databases that are not effectively integrated, producing a consistency nightmare. As we know, and as readers of the Register have told us, the best way to achieve security is to avoid fragmentation of policy and maintenance.

Defining standards for all areas of security must form part of contractual agreements. Unless the IT department is involved in discussions before things kick off, some security criteria may be compromised.

It is worth remembering that people are often the weakest link in every system. Users must be made aware of all the company’s working practices and expectations on the use of its applications, irrespective of whether systems are run internally or provided by a third party.

Cloud doesn’t make all this stuff go away, and may even aggravate it as users share more easily and access services from any web browser. Thinking about the human element is therefore as critical in any SaaS deployment as it is in traditional IT. ®

Build a business case: developing custom apps

More from The Register

next story
KDE releases ice-cream coloured Plasma 5 just in time for summer
Melty but refreshing - popular rival to Mint's Cinnamon's still a work in progress
Leaked Windows Phone 8.1 Update specs tease details of Nokia's next mobes
New screen sizes, dual SIMs, voice over LTE, and more
PEAK LANDFILL: Why tablet gloom is good news for Windows users
Sinofsky's hybrid strategy looks dafter than ever
Fiendishly complex password app extension ships for iOS 8
Just slip it in, won't hurt a bit, 1Password makers urge devs
Mozilla keeps its Beard, hopes anti-gay marriage troubles are now over
Plenty on new CEO's todo list – starting with Firefox's slipping grasp
Apple: We'll unleash OS X Yosemite beta on the MASSES on 24 July
Starting today, regular fanbois will be guinea pigs, it tells Reg
Another day, another Firefox: Version 31 is upon us ALREADY
Web devs, Mozilla really wants you to like this one
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.