Feeds

Putting the SaaS into security management

Or at least put it in the contract

  • alert
  • submit to reddit

The essential guide to IT transformation

Hosted apps In all areas of business, security and privacy are built on good policy, properly applied. If you think moving to hosted services or software as a service (SaaS) changes this, then think again. While some aspects of security may be simplified, the cloud raises challenges in other areas.

From the perspective of systems administration, one area of security is much simpler to operate when using hosted and SaaS applications. The routine patching of the operating system, middleware and application becomes the concern of the service provider, thus relieving the in-house IT team of a number of processes. Delaying such tasks, as sometimes happens when resources are stretched, significantly increases the risk of security breaches.

The service provider should implement security patching as rapidly as possible, a matter which should be covered up front in discussions about service level agreements.

"Some vendors of SaaS maintain security policy databases that are not effectively integrated, producing a consistency nightmare."

Moving on to user and service provisioning, the primary requirement is to provide new users with appropriate access and, just as importantly, to remove access to the service, or parts of it, when they change jobs or leave.

One of the great selling points of many SaaS services is the speed with which they can provide access to services. But it is essential that whoever manages service provisioning understands the security and access requirements of the business. Deciding precisely what information and services Joyce in accounts or Brenda in HR can see remains the company’s responsibility.

Clearly, the implementation of access control relies on how well you capture your organisational structure and information management needs. Even more important is how well the tools provided with the service allow these to be translated into access control. This is familiar territory to those who routinely maintain Active Directory, LDAP or an equivalent directory system, but may be completely new to a line manager charged with controlling access to SaaS systems.

It is essential that the provider supplies effective solutions, preferably ones that can integrate with in-house systems. Some vendors of SaaS and hosted services maintain security policy databases that are not effectively integrated, producing a consistency nightmare. As we know, and as readers of the Register have told us, the best way to achieve security is to avoid fragmentation of policy and maintenance.

Defining standards for all areas of security must form part of contractual agreements. Unless the IT department is involved in discussions before things kick off, some security criteria may be compromised.

It is worth remembering that people are often the weakest link in every system. Users must be made aware of all the company’s working practices and expectations on the use of its applications, irrespective of whether systems are run internally or provided by a third party.

Cloud doesn’t make all this stuff go away, and may even aggravate it as users share more easily and access services from any web browser. Thinking about the human element is therefore as critical in any SaaS deployment as it is in traditional IT. ®

The essential guide to IT transformation

More from The Register

next story
Apple promises to lift Curse of the Drained iPhone 5 Battery
Have you tried turning it off and...? Never mind, here's a replacement
China: You, Microsoft. Office-Windows 'compatibility'. You have 20 days to explain
Told to cough up more details as antitrust probe goes deeper
Linux turns 23 and Linus Torvalds celebrates as only he can
No, not with swearing, but by controlling the release cycle
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
This is how I set about making a fortune with my own startup
Would you leave your well-paid job to chase your dream?
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.