Putting the SaaS into security management
Or at least put it in the contract
Hosted apps In all areas of business, security and privacy are built on good policy, properly applied. If you think moving to hosted services or software as a service (SaaS) changes this, then think again. While some aspects of security may be simplified, the cloud raises challenges in other areas.
From the perspective of systems administration, one area of security is much simpler to operate when using hosted and SaaS applications. The routine patching of the operating system, middleware and application becomes the concern of the service provider, thus relieving the in-house IT team of a number of processes. Delaying such tasks, as sometimes happens when resources are stretched, significantly increases the risk of security breaches.
The service provider should implement security patching as rapidly as possible, a matter which should be covered up front in discussions about service level agreements.
"Some vendors of SaaS maintain security policy databases that are not effectively integrated, producing a consistency nightmare."
Moving on to user and service provisioning, the primary requirement is to provide new users with appropriate access and, just as importantly, to remove access to the service, or parts of it, when they change jobs or leave.
One of the great selling points of many SaaS services is the speed with which they can provide access to services. But it is essential that whoever manages service provisioning understands the security and access requirements of the business. Deciding precisely what information and services Joyce in accounts or Brenda in HR can see remains the company’s responsibility.
Clearly, the implementation of access control relies on how well you capture your organisational structure and information management needs. Even more important is how well the tools provided with the service allow these to be translated into access control. This is familiar territory to those who routinely maintain Active Directory, LDAP or an equivalent directory system, but may be completely new to a line manager charged with controlling access to SaaS systems.
It is essential that the provider supplies effective solutions, preferably ones that can integrate with in-house systems. Some vendors of SaaS and hosted services maintain security policy databases that are not effectively integrated, producing a consistency nightmare. As we know, and as readers of the Register have told us, the best way to achieve security is to avoid fragmentation of policy and maintenance.
Defining standards for all areas of security must form part of contractual agreements. Unless the IT department is involved in discussions before things kick off, some security criteria may be compromised.
It is worth remembering that people are often the weakest link in every system. Users must be made aware of all the company’s working practices and expectations on the use of its applications, irrespective of whether systems are run internally or provided by a third party.
Cloud doesn’t make all this stuff go away, and may even aggravate it as users share more easily and access services from any web browser. Thinking about the human element is therefore as critical in any SaaS deployment as it is in traditional IT. ®
Information Security Team
Only the really big companies have "Information Security Teams". In most outfits, sceurity is nearly alwats left to IT, even though everyone in teh business is at risk.
Why would the IT department have to be involved? Surely you want your information security team involved and if you still think that is an IT problem you probably have more problems that you realise!