Buying into the cloud

Maintaining security and compliance in a SaaS world

Many companies report that individual departments, and even individual business users, are adopting SaaS or cloud-based applications on their own initiative.

This freedom to choose is useful: it gives departments the flexibility to get the job done, and the use of such services is likely to keep expanding.

We’ve seen this type of activity before, with the proliferation of workgroup applications by departments with their own budgets. We’ve also seen the fallout as many businesses have sought to consolidate or centralise the many applications that have been adopted.

The flexibility that SaaS brings comes at a price, which is the distribution of control and the clouding, if you’ll excuse the pun, of responsibility. Although IT continues to be involved in many cases, there is a growing trend for SaaS applications to be sourced independently of IT, and many companies have yet to recognise and respond to this shift in purchasing power. If individual departments want to put their applications or data in the hands of a SaaS provider, how should you influence or direct that choice so that it is done properly: so that business units can select the applications they need while the security of the overall solution is maintained or even improved?

This leads to the rather thorny issue of oversight. IT has historically been responsible for the provisioning of applications and services, including purchasing, security and compliance. The unilateral adoption of SaaS by individuals or departments has the potential to sideline IT and bypass normal procurement procedures.

In this new world of distributed IT services, unless some structure is put in place around selection and procurement, there will be a strong tendency towards piecemeal adoption and a fragmentation of both systems and management. Recognising the risk of fragmentation is critical, because many of the problems inherent in IT result directly from disjoints, gaps and redundancy in applications, infrastructure or data.

So who should take responsibility? In an ideal world, you may think that all decisions would be vetted and approved by IT. The reality will be much more of a compromise. The issue ultimately boils down to the questions that need to be asked about the use of SaaS, and whether IT is qualified to answer them.

For smaller organisations, where decisions are taken more collaboratively, the problem is less likely to be the unilateral actions of individuals or departments. Instead, it is more the lack of expertise and knowledge about obligations and responsibilities when moving applications and data beyond the boundaries of the company.

There is a role here for both SaaS providers and partners to play in developing ‘cookie-cutter’ policies and best practices that provide these businesses with the confidence to adopt SaaS. The challenge is that the traditional IT resellers and integrators that smaller businesses rely on are, in most cases, a completely different set to those that sell and support SaaS or other online services, though this is likely to change as time goes on.

For larger organisations, sourcing SaaS is likely to involve different levels of the business coming together, and a division of responsibilities. The business as a whole, from senior management to any individual user with purchasing power, needs to understand the implications and dangers of sourcing externally provided services. One way of achieving this is a clearly defined hierarchy for decision making and approvals related to the buying of external IT services, with stiff sanctions for bypassing procurement procedures regardless of who “owns” the budget.

An option when going down this route is to make the IT department the ultimate arbiter when it comes to purchasing IT services of any kind. However, this could very well defeat the objective, which is to allow departments more flexibility to choose the services that they need.

The successful approach is more likely to be consensus driven and to involve departments such as legal and procurement working together with IT. The ideal would be an office or team responsible for security or risk that has oversight across the business, not just within IT, and sets the strategy for all departments. Giving users or departments a voice and a role within the decision-making structure can help to shape their behaviour, making them willing and responsible contributors rather than bystanders to be policed.

Giving departments a voice is not an invitation to a free-for-all. Working together, the team can make selection a more predictable process by creating a preferred set of providers and services that have been assessed and approved as suppliers to the business, in the same way that shrink-wrapped software and on-premises solutions are often chosen. If there is a requirement for a service not on the list, it can be considered and approved if necessary.

How this pans out in practice will depend on the size and culture of the organisation. Regardless of the approach taken, however, IT should probably always play a part in the decision-making process, even if it’s only in an advisory capacity. The objective here is making sure that the service is not duplicating existing functionality, and that it meets requirements for costs, security, privacy, compliance and management. This should not be a reason for IT to vote ‘no’ on principle, but instead to make sure that all angles are considered before moving ahead with adoption.

Whatever your situation, SaaS and cloud services are changing the way IT is developed, bought and used. Trying to control what can and can’t be used is likely to be counter-productive, pushing use underground where it cannot be seen or secured. Working with suppliers and the business to develop a framework for evaluating, trialling and adopting services can help to maintain the oversight needed for properly integrated IT across the company boundary, enabling the business to adopt services such as SaaS where it makes sense and without compromising security.
