Buying into the cloud

Maintaining security and compliance in a SaaS world

A lot of companies are reporting that individual departments and even business users are adopting SaaS or cloud-based applications.

This freedom to choose is a useful one, as it gives departments the flexibility to get the job done, and the likelihood is that the use of such services will continue to expand.

We’ve seen this type of activity before, with the proliferation of workgroup applications by departments with their own budgets. We’ve also seen the fallout as many businesses have sought to consolidate or centralise the many applications that have been adopted.

The flexibility that SaaS brings comes at a price, which is the distribution of control and the clouding, if you’ll excuse the pun, of responsibility. Although IT continues to be involved in many cases, there is a growing trend for SaaS applications to be sourced independently of IT. Many companies have yet to recognise and respond to this shifting trend in purchasing power. If individual departments want to put their applications or data in the hands of a SaaS provider, how should you go about influencing or directing that choice so that it is done properly: business units select the applications they need, while the security of the solution is maintained or even increased?

This leads to the rather thorny issue of oversight. IT has historically been responsible for the provisioning of applications and services, including purchasing, security and compliance. The unilateral adoption of SaaS by individuals or departments has the potential to sideline IT and bypass normal procurement procedures.

In this new world of distributed IT services, unless some structure is put in place around selection and procurement, there will be a strong tendency towards piecemeal adoption and a fragmentation of both systems and management. Recognising the risk of fragmentation is critical, because many of the problems inherent in IT result directly from disjoints, gaps and redundancy in applications, infrastructure and/or data.

So who should take responsibility? In an ideal world, you may think that all decisions would be vetted and approved by IT. The reality will be much more of a compromise. The issue ultimately boils down to the questions that need to be asked about the use of SaaS, and whether IT is qualified to answer them.

For smaller organisations, where decisions are taken more collaboratively, the problem is less likely to be the unilateral actions of individuals or departments. Instead, it is more the lack of expertise and knowledge about obligations and responsibilities when moving applications and data beyond the boundaries of the company.

There is a role here for both SaaS providers and partners to play in developing ‘cookie-cutter’ policies and best practices that provide these businesses with the confidence to adopt SaaS. The challenge is that the traditional IT resellers and integrators that smaller businesses rely on are, in most cases, a completely different set to those that sell and support SaaS or other online services, though this is likely to change as time goes on.

For larger organisations, sourcing SaaS is likely to involve different levels of the business coming together, and a division of responsibilities. The business as a whole, from senior management to any individual user with purchasing power, needs to understand the implications and dangers of sourcing externally provided services. One way of achieving this is a clearly defined hierarchy for decision making and approvals related to the buying of external IT services, with stiff sanctions for bypassing procurement procedures regardless of who “owns” the budget.

An option when going down this route is to make the IT department the ultimate arbiter when it comes to purchasing IT services of any kind. However, this could very well defeat the objective, which is to allow departments more flexibility to choose the services that they need.

The successful approach is more likely to be consensus driven and to involve departments such as legal and procurement working together with IT. The ideal would be to have an office or team responsible for security or risk that has oversight across the business, not just within IT, to set the strategy for all departments. Giving users or departments a voice and role within the decision-making structure can help to shape their behaviour as willing and responsible contributors.

Giving departments a voice is not an invitation for a free-for-all. Working together, the team can help to make selection a more predictable process by creating a preferred set of providers and services that have been assessed and approved as suppliers to the business, in the same way that shrink-wrapped software and on-premise solutions are often chosen. If there is a requirement for a service not on the list, then it can be considered and approved if necessary.

How this pans out in practice will depend on the size and culture of the organisation. Regardless of the approach taken, however, IT should probably always play a part in the decision-making process, even if it’s only in an advisory capacity. The objective here is making sure that the service is not duplicating existing functionality, and that it meets requirements for costs, security, privacy, compliance and management. This should not be a reason for IT to vote ‘no’ on principle, but instead to make sure that all angles are considered before moving ahead with adoption.

Whatever your situation, SaaS and cloud services are changing the way IT is developed, bought and used. Trying to control what can and can’t be used is likely to be counter-productive, pushing use underground. Working with suppliers and the business to develop a framework for evaluating, trialling and adopting services can help to maintain the critical oversight needed for properly integrated IT across the company boundaries, enabling the business to adopt services such as SaaS where it makes sense and without compromising security. ®
