
Buying into the cloud

Maintaining security and compliance in a SaaS world

A lot of companies are reporting that individual departments and even business users are adopting SaaS or cloud-based applications.

This freedom to choose is a useful one, as it gives departments the flexibility to get the job done, and the likelihood is that the use of such services will continue to expand.

We’ve seen this type of activity before, with the proliferation of workgroup applications by departments with their own budgets. We’ve also seen the fallout as many businesses have sought to consolidate or centralise the many applications that have been adopted.

The flexibility that SaaS brings comes at a price, which is the distribution of control and the clouding, if you’ll excuse the pun, of responsibility. Although IT continues to be involved in many cases, there is a growing trend for SaaS applications to be sourced independently of IT. Many companies have yet to recognise and respond to this shift in purchasing power. If individual departments want to put their applications or data in the hands of a SaaS provider, how should you influence or direct that choice so that it is done properly: business units still get to select the applications they need, while the security of the resulting solution is maintained or even improved?

This leads to the rather thorny issue of oversight. IT has historically been responsible for the provisioning of applications and services, including purchasing, security and compliance. The unilateral adoption of SaaS by individuals or departments has the potential to sideline IT and bypass normal procurement procedures.

In this new world of distributed IT services, unless some structure is put in place around selection and procurement, there will be a strong tendency towards piecemeal adoption and a fragmentation of both systems and management. Recognising the risk of fragmentation is critical, because many of the problems inherent in IT result directly from disjoints, gaps and redundancy in applications, infrastructure and/or data.

So who should take responsibility? In an ideal world, you may think that all decisions would be vetted and approved by IT. The reality will be much more of a compromise. The issue ultimately boils down to the questions that need to be asked about the use of SaaS, and whether IT is qualified to answer them.

For smaller organisations, where decisions are taken more collaboratively, the problem is less likely to be the unilateral actions of individuals or departments. Instead, it is more the lack of expertise and knowledge about obligations and responsibilities when moving applications and data beyond the boundaries of the company.

There is a role here for both SaaS providers and partners to play in developing ‘cookie-cutter’ policies and best practices that provide these businesses with the confidence to adopt SaaS. The challenge is that the traditional IT resellers and integrators that smaller businesses rely on are, in most cases, a completely different set to those that sell and support SaaS or other online services, though this is likely to change as time goes on.

For larger organisations, sourcing SaaS is likely to involve different levels of the business coming together, and a division of responsibilities. The business as a whole, from senior management to any individual user with purchasing power, needs to understand the implications and dangers of sourcing externally provided services. One way of achieving this is a clearly defined hierarchy for decision making and approvals related to the buying of external IT services, with stiff sanctions for bypassing procurement procedures regardless of who “owns” the budget.

An option when going down this route is to make the IT department the ultimate arbiter when it comes to purchasing IT services of any kind. However, this could very well defeat the objective, which is to allow departments more flexibility to choose the services that they need.

The successful approach is more likely to be consensus driven and involve departments such as legal and procurement working together with IT. The ideal would be to have an office or team responsible for security or risk that has oversight across the business, not just within IT, to set the strategy for all departments. Giving users or departments a voice and role within the decision-making structure can help to shape their behaviour as willing and responsible contributors.

Giving departments a voice is not an invitation for a free-for-all. Working together, the team can make selection a more predictable process by creating a preferred set of providers and services that have been assessed and approved as suppliers to the business, in the same way that shrink-wrapped software and on-premises solutions are often chosen. If there is a requirement for a service not on the list, it can be considered and, if appropriate, approved.

How this pans out in practice will depend on the size and culture of the organisation. Regardless of the approach taken, however, IT should probably always play a part in the decision-making process, even if it’s only in an advisory capacity. The objective here is making sure that the service is not duplicating existing functionality, and that it meets requirements for costs, security, privacy, compliance and management. This should not be a reason for IT to vote ‘no’ on principle, but instead to make sure that all angles are considered before moving ahead with adoption.

Whatever your situation, SaaS and cloud services are changing the way IT is developed, bought and used. Trying to control what can and can’t be used is likely to be counter-productive, pushing use underground. Working with suppliers and the business to develop a framework for evaluating, trialling and adopting services can help to maintain the critical oversight needed for properly integrated IT across the company boundaries, enabling the business to adopt services such as SaaS where it makes sense and without compromising security.
