Feeds

Putting the SaaS into security management

Or at least put it in the contract

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

Hosted apps In all areas of business, security and privacy are built on good policy, properly applied. If you think moving to hosted services or software as a service (SaaS) changes this, then think again. While some aspects of security may be simplified, the cloud raises challenges in other areas.

From the perspective of systems administration, one area of security is much simpler to operate when using hosted and SaaS applications. The routine patching of the operating system, middleware and application becomes the concern of the service provider, thus relieving the in-house IT team of a number of processes. Delaying such tasks, as sometimes happens when resources are stretched, significantly increases the risk of security breaches.

The service provider should implement security patching as rapidly as possible, a matter which should be covered up front in discussions about service level agreements.

"Some vendors of SaaS maintain security policy databases that are not effectively integrated, producing a consistency nightmare."

Moving on to user and service provisioning, the primary requirement is to provide new users with appropriate access and, just as importantly, to remove access to the service, or parts of it, when they change jobs or leave.

One of the great selling points of many SaaS services is the speed with which they can provide access to services. But it is essential that whoever manages service provisioning understands the security and access requirements of the business. Deciding precisely what information and services Joyce in accounts or Brenda in HR can see remains the company’s responsibility.

Clearly, the implementation of access control relies on how well you capture your organisational structure and information management needs. Even more important is how well the tools provided with the service allow these to be translated into access control. This is familiar territory to those who routinely maintain Active Directory, LDAP or an equivalent directory system, but may be completely new to a line manager charged with controlling access to SaaS systems.

It is essential that the provider supplies effective solutions, preferably ones that can integrate with in-house systems. Some vendors of SaaS and hosted services maintain security policy databases that are not effectively integrated, producing a consistency nightmare. As we know, and as readers of the Register have told us, the best way to achieve security is to avoid fragmentation of policy and maintenance.

Defining standards for all areas of security must form part of contractual agreements. Unless the IT department is involved in discussions before things kick off, some security criteria may be compromised.

It is worth remembering that people are often the weakest link in every system. Users must be made aware of all the company’s working practices and expectations on the use of its applications, irrespective of whether systems are run internally or provided by a third party.

Cloud doesn’t make all this stuff go away, and may even aggravate it as users share more easily and access services from any web browser. Thinking about the human element is therefore as critical in any SaaS deployment as it is in traditional IT. ®

Providing a secure and efficient Helpdesk

More from The Register

next story
Preview redux: Microsoft ships new Windows 10 build with 7,000 changes
Latest bleeding-edge bits borrow Action Center from Windows Phone
Google opens Inbox – email for people too thick to handle email
Print this article out and give it to someone tech-y if you get stuck
Microsoft promises Windows 10 will mean two-factor auth for all
Sneak peek at security features Redmond's baking into new OS
UNIX greybeards threaten Debian fork over systemd plan
'Veteran Unix Admins' fear desktop emphasis is betraying open source
Entity Framework goes 'code first' as Microsoft pulls visual design tool
Visual Studio database diagramming's out the window
Google+ goes TITSUP. But WHO knew? How long? Anyone ... Hello ...
Wobbly Gmail, Contacts, Calendar on the other hand ...
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
Ubuntu 14.10 tries pulling a Steve Ballmer on cloudy offerings
Oi, Windows, centOS and openSUSE – behave, we're all friends here
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.