Feeds

The weakest link in Software as a Service

Is that an elephant I see in the room?

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

The delivery of cloud based application functionality via the Software as a Service (SaaS) model frequently sparks security-related concerns. In our latest workshop on hosted apps, Reg readers have been very forthcoming about their nervousness in this area.

In parallel with the workshop, however, we have been gathering data through a more structured reader survey. The aim of this was partly to understand perceptions and experiences with regard to SaaS, but also to put the specific discussion of SaaS related risk into a more general context. As with all emotive topics, and cloud computing is one of these, it is all too easy to lose perspective.

The reality is that we can discuss for as long as we like how inherently secure or otherwise various SaaS based offerings are, but at some point we need to pay attention to the huge elephant in the room. We are, of course, talking about the behaviour of end users, and this chart from the survey sums up the situation pretty well:

If you took part in the survey and your responses fell more into the red or amber areas on this picture then you obviously have some significant user-related exposure. Furthermore, that exposure is likely to overshadow any risks arising from the use of SaaS, assuming you are working with competent providers.

If your responses fell more into the green areas on the top two bars of the chart, then congratulations for having engendered a responsible attitude to IT security within the workforce. But before getting too complacent, we need to remember that the holes through which information can potentially leak are many, and even the most security aware user can make mistakes.

The training gap we also see on the above chart that exists in many organisations is significant here, as are the responses to another question from the survey illustrating that IT can’t possibly plug all of the holes:

When we consider the impact of SaaS on security in this context, apart from putting perceived provider or service related risks into their proper perspective, we can also see opportunities for cloud options to potentially reduce end-user related exposure.

If you are using a hosted office suite, for example, documents, spreadsheets and presentations tend to be saved to a cloud storage area. This makes them broadly accessible (subject to security and access rights) without the need to copy them to local devices.

You could argue that internal network-based storage (file servers, NAS drives, SharePoint, etc) achieve the same, but this isn’t typically the case. Using desktop software to directly open and save documents stored on the network can be slow on many corporate networks, and intolerable when working over broadband from a home-office, encouraging local copies to be made to overcome this. When the software itself is running in the cloud, in the same environment as the data, opening and saving even the largest file is extremely quick as documents are not being pulled and pushed across the network.

Of course stopping users making local copies of data for offline use and transfer between systems can’t be completely eradicated, but anything that reduces the need and/or temptation is going to help. Having said this, it is becoming increasingly common for SaaS solutions to support offline use through stand-alone client software working from a local cache of the cloud based data. The advantage here is that security and access policies are often enforced in the cache through properly controlled synchronisation, so even in mobile scenarios, cloud services can provide enhanced security. Taking a step back, we need to consider another dimension to end-user created risk that has to do with cloud service adoption. Our survey results tell us that more organisations are starting to see an active demand for SaaS from business management and end users, and we know from anecdotal feedback that we can only expect this to grow:

Where IT is in the loop on SaaS adoption, the opportunity naturally arises for proper attention to be paid to security and access issues. If departments, workgroups or individual users are adopting SaaS independently of IT, however, then with the loose attitude to security we have seen, and/or ignorance due to inadequate training, unnecessary exposure can arise. Even if the provider makes security and access features available, beyond standard measures such as default https sessions, there is no guarantee end users will take advantage of them. Indeed users are notorious for switching off anything they consider to be inconvenient, and enhanced security options often fall into this category.

The overriding lesson from all this is to maintain proper perspective when it comes to security and the cloud. The chances are that the service provider’s physical security measures and facilities to manage access policy are at least as good as yours, and in many cases will actually be a lot better. So, rather than agonise over that aspect of SaaS, it might be better to focus on the user end of the equation, as that’s where most of the real risks are likely to be.

In practical terms, a priority action that falls out of this is paying more attention to user education and awareness. Instigating clear policies and governance in relation to SaaS adoption, with appropriate ‘stick and carrot’ motivation, is also important, particularly for defining ground rules for when users are acting independently of IT.

The chances are that hosted services in their various forms are likely to touch most organisations going forward if they haven’t done already. Strengthening the ‘weakest link’ sooner rather than later is therefore a good idea. Not only will this lay the groundwork for effective SaaS adoption, it will also help to boost security in general across the organisation, with all of the risk management and compliance benefits that come with that. ®

Providing a secure and efficient Helpdesk

More from The Register

next story
Preview redux: Microsoft ships new Windows 10 build with 7,000 changes
Latest bleeding-edge bits borrow Action Center from Windows Phone
Google opens Inbox – email for people too thick to handle email
Print this article out and give it to someone tech-y if you get stuck
Microsoft promises Windows 10 will mean two-factor auth for all
Sneak peek at security features Redmond's baking into new OS
UNIX greybeards threaten Debian fork over systemd plan
'Veteran Unix Admins' fear desktop emphasis is betraying open source
Entity Framework goes 'code first' as Microsoft pulls visual design tool
Visual Studio database diagramming's out the window
Google+ goes TITSUP. But WHO knew? How long? Anyone ... Hello ...
Wobbly Gmail, Contacts, Calendar on the other hand ...
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.