Feeds

Putting the SaaS into security management

Or at least put it in the contract

  • alert
  • submit to reddit

High performance access to file storage

Hosted apps In all areas of business, security and privacy are built on good policy, properly applied. If you think moving to hosted services or software as a service (SaaS) changes this, then think again. While some aspects of security may be simplified, the cloud raises challenges in other areas.

From the perspective of systems administration, one area of security is much simpler to operate when using hosted and SaaS applications. The routine patching of the operating system, middleware and application becomes the concern of the service provider, thus relieving the in-house IT team of a number of processes. Delaying such tasks, as sometimes happens when resources are stretched, significantly increases the risk of security breaches.

The service provider should implement security patching as rapidly as possible, a matter which should be covered up front in discussions about service level agreements.

"Some vendors of SaaS maintain security policy databases that are not effectively integrated, producing a consistency nightmare."

Moving on to user and service provisioning, the primary requirement is to provide new users with appropriate access and, just as importantly, to remove access to the service, or parts of it, when they change jobs or leave.

One of the great selling points of many SaaS services is the speed with which they can provide access to services. But it is essential that whoever manages service provisioning understands the security and access requirements of the business. Deciding precisely what information and services Joyce in accounts or Brenda in HR can see remains the company’s responsibility.

Clearly, the implementation of access control relies on how well you capture your organisational structure and information management needs. Even more important is how well the tools provided with the service allow these to be translated into access control. This is familiar territory to those who routinely maintain Active Directory, LDAP or an equivalent directory system, but may be completely new to a line manager charged with controlling access to SaaS systems.

It is essential that the provider supplies effective solutions, preferably ones that can integrate with in-house systems. Some vendors of SaaS and hosted services maintain security policy databases that are not effectively integrated, producing a consistency nightmare. As we know, and as readers of the Register have told us, the best way to achieve security is to avoid fragmentation of policy and maintenance.

Defining standards for all areas of security must form part of contractual agreements. Unless the IT department is involved in discussions before things kick off, some security criteria may be compromised.

It is worth remembering that people are often the weakest link in every system. Users must be made aware of all the company’s working practices and expectations on the use of its applications, irrespective of whether systems are run internally or provided by a third party.

Cloud doesn’t make all this stuff go away, and may even aggravate it as users share more easily and access services from any web browser. Thinking about the human element is therefore as critical in any SaaS deployment as it is in traditional IT. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
Admins dab straining server brows in advance of Trusty Tahr's long-term support landing
Inside the Hekaton: SQL Server 2014's database engine deconstructed
Nadella's database sqares the circle of cheap memory vs speed
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Oh no, Joe: WinPhone users already griping over 8.1 mega-update
Hang on. Which bit of Developer Preview don't you understand?
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Internet-of-stuff startup dumps NoSQL for ... SQL?
NoSQL taste great at first but lacks proper nutrients, says startup cloud whiz
Windows 8.1, which you probably haven't upgraded to yet, ALREADY OBSOLETE
Pre-Update versions of new Windows version will no longer support patches
IRS boss on XP migration: 'Classic fix the airplane while you're flying it attempt'
Plus: Condoleezza Rice at Dropbox 'maybe she can find ... weapons of mass destruction'
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.