
Buying into the cloud

Maintaining security and compliance in a SaaS world


A lot of companies are reporting that individual departments and even business users are adopting SaaS or cloud-based applications.

This freedom to choose is a useful one, as it gives departments the flexibility to get the job done, and the likelihood is that the use of such services will continue to expand.

We’ve seen this type of activity before, with the proliferation of workgroup applications by departments with their own budgets. We’ve also seen the fallout as many businesses have sought to consolidate or centralise the many applications that have been adopted.

The flexibility that SaaS brings comes at a price, which is the distribution of control and the clouding, if you’ll excuse the pun, of responsibility. Although IT continues to be involved in many cases, there is a growing trend for SaaS applications to be sourced independently of IT. Many companies have yet to recognise and respond to this shift in purchasing power. If individual departments want to put their applications or data in the hands of a SaaS provider, how should you influence or direct that decision so that it is done properly: so that business units can select the applications they need while maintaining, or even increasing, the security of the solution?

This leads to the rather thorny issue of oversight. IT has historically been responsible for the provisioning of applications and services, including purchasing, security and compliance. The unilateral adoption of SaaS by individuals or departments has the potential to sideline IT and bypass normal procurement procedures.

In this new world of distributed IT services, unless some structure is put in place around selection and procurement, there will be a strong tendency towards piecemeal adoption and a fragmentation of both systems and management. Recognising the risk of fragmentation is critical, because many of the problems inherent in IT result directly from disjoints, gaps and redundancy in applications, infrastructure and/or data.

So who should take responsibility? In an ideal world, you may think that all decisions would be vetted and approved by IT. The reality will be much more of a compromise. The issue ultimately boils down to the questions that need to be asked about the use of SaaS, and whether IT is qualified to answer them.

For smaller organisations, where decisions are taken more collaboratively, the problem is less likely to be the unilateral actions of individuals or departments. Instead, it is more the lack of expertise and knowledge about obligations and responsibilities when moving applications and data beyond the boundaries of the company.

There is a role here for both SaaS providers and partners to play in developing ‘cookie-cutter’ policies and best practices that provide these businesses with the confidence to adopt SaaS. The challenge is that the traditional IT resellers and integrators that smaller businesses rely on are, in most cases, a completely different set to those that sell and support SaaS or other online services, though this is likely to change as time goes on.

For larger organisations, sourcing SaaS is likely to involve different levels of the business coming together, and a division of responsibilities. The business as a whole, from senior management to any individual user with purchasing power, needs to understand the implications and dangers of sourcing externally provided services. One way of achieving this is a clearly defined hierarchy for decision making and approvals related to the buying of external IT services, with stiff sanctions for bypassing procurement procedures regardless of who “owns” the budget.

An option when going down this route is to make the IT department the ultimate arbiter when it comes to purchasing IT services of any kind. However, this could very well defeat the objective, which is to allow departments more flexibility to choose the services that they need.

The successful approach is more likely to be consensus driven and involve departments such as legal and procurement working together with IT. The ideal would be to have an office or team responsible for security or risk that has oversight across the business, not just within IT, to set the strategy for all departments. Giving users or departments a voice and a role within the decision-making structure can help to shape their behaviour as willing and responsible contributors.

Giving departments a voice is not an invitation for a free-for-all. Working together, the team can make selection a more predictable process by creating a preferred set of providers and services that have been assessed and approved as suppliers to the business, in the same way that shrink-wrapped software and on-premise solutions are often chosen. If there is a requirement for a service not on the list, then it can be considered and approved if necessary.

How this pans out in practice will depend on the size and culture of the organisation. Regardless of the approach taken, however, IT should probably always play a part in the decision-making process, even if it’s only in an advisory capacity. The objective here is making sure that the service is not duplicating existing functionality, and that it meets requirements for costs, security, privacy, compliance and management. This should not be a reason for IT to vote ‘no’ on principle, but instead to make sure that all angles are considered before moving ahead with adoption.

Whatever your situation, SaaS and cloud services are changing the way IT is developed, bought and used. Trying to control what can and can’t be used is likely to be counter-productive, pushing use underground. Working with suppliers and the business to develop a framework for evaluating, trialling and adopting services can help to maintain the critical oversight needed for properly integrated IT across the company boundaries, enabling the business to adopt services such as SaaS where it makes sense and without compromising security. ®
