Discover Performance, HP Software's community for IT leaders // June 2012
Keep SaaS secure from the start
Until SaaS application providers do a better job of delivering security visibility and control to their customers, those users will have to take action against potential compliance risk.
When business applications get pushed outside the enterprise perimeter, security tends to take a hit. With poor visibility into user activity, including limited access controls and nonexistent monitoring, SaaS can be a direct challenge to the CISO's compliance responsibility.
To mitigate these SaaS security concerns, the enterprise security team must
- be involved in procurement, assuming a proactive role in vetting all SaaS relationships;
- be actively aware of the data compliance issues involved in each prospective SaaS application; and
- be willing to reject those vendors who cannot supply adequate access control, visibility or activity monitoring.
SaaS security risk checklist
SaaS is a young industry and changing rapidly. Thus, no two providers are alike. To assess the security threats or capabilities of third-party SaaS providers, customers must ask the right questions:
How granular are the access controls?
The most prevalent data-breach mechanism today is malicious or unintentional misuse of user log-in credentials. Visibility into the activity of individual users, including administrative changes, is essential to data protection.
What metrics are available for reporting?
Will you be able to create the reports you need to satisfy the board, the CIO and auditors that enterprise data security meets regulatory requirements?
Is the data provided in a manner that can be easily integrated into internal monitoring tools, thus preventing data silos?
To make compliance reporting simple and foolproof, you'll need to monitor internal enterprise applications and SaaS applications side-by-side, from a centralized dashboard.
Finally, for each SaaS application, you must know the business criticality of the data involved. Is the application handling confidential customer information or just job postings? From there, you can perform an inventory of the applicable compliance issues.
Not good enough
By and large, today's third-party SaaS vendors are behind the curve here. Most provide very little information to their customers. When asked, they may not be able to answer specific questions about user access anomalies. For example, one common concern is that few SaaS vendors can tell customers who in the organization can modify permissions, despite the fact that such information is vital to the investigation of an internal attack.
Also lacking are industry standards that would guide SaaS vendors toward simplified customer reporting. Even when log data is available, with no agreement on the format, enterprise customers may face a difficult, expensive integration process.
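As an added example (not from the article, HP or any vendor named here), this is the kind of normalization step an enterprise security team currently has to write itself: two constructed audit-log exports from hypothetical vendors, each in its own format, are folded into one common schema so that SaaS activity can be queried alongside internal logs, then checked for who modified permissions and for any permission change by an actor outside an approved administrator list. Vendor formats, field names and sample records are all assumptions made for the example.

```python
import csv, io, json
from datetime import datetime, timezone

# Constructed sample exports from two hypothetical SaaS vendors (not real products).
# Vendor A ships newline-delimited JSON with ISO timestamps; vendor B ships CSV with
# its own field names and epoch seconds. No shared format: that is the integration cost.
VENDOR_A_NDJSON = """\
{"ts": "2012-06-04T09:12:31Z", "actor": "alice@example.com", "action": "role.update", "target": "bob@example.com"}
{"ts": "2012-06-04T09:15:02Z", "actor": "bob@example.com", "action": "document.view", "target": "Q2-forecast.xlsx"}
{"ts": "2012-06-04T09:20:45Z", "actor": "alice@example.com", "action": "role.update", "target": "carol@example.com"}
"""
VENDOR_B_CSV = """\
when,user,event_type,object
1338802000,dave@example.com,PERMISSION_CHANGE,project-42
1338802120,erin@example.com,LOGIN,portal
"""
# Vendor-specific action names folded into one common vocabulary.
ACTION_MAP = {"role.update": "permission_change", "PERMISSION_CHANGE": "permission_change"}

def _event(time, actor, action, target, source):
    """Common schema every vendor record is mapped onto."""
    return {"time": time, "actor": actor, "action": ACTION_MAP.get(action, action.lower()),
            "target": target, "source": source}

def normalize_a(text):  # vendor A NDJSON -> common schema
    return [_event(datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
                   r["actor"], r["action"], r["target"], "vendor_a")
            for r in map(json.loads, filter(str.strip, text.splitlines()))]

def normalize_b(text):  # vendor B CSV -> common schema
    return [_event(datetime.fromtimestamp(int(r["when"]), tz=timezone.utc),
                   r["user"], r["event_type"], r["object"], "vendor_b")
            for r in csv.DictReader(io.StringIO(text))]

def load_all():
    """One time-ordered stream across vendors, as a central dashboard would consume it."""
    return sorted(normalize_a(VENDOR_A_NDJSON) + normalize_b(VENDOR_B_CSV), key=lambda e: e["time"])

def permission_changers(events):
    """Who modified permissions, and how often, keyed by (source, actor)."""
    counts = {}
    for e in events:
        if e["action"] == "permission_change":
            key = (e["source"], e["actor"])
            counts[key] = counts.get(key, 0) + 1
    return counts

def unexpected_changers(events, approved_admins):
    """Permission changes by anyone outside the approved admin set: the question vendors rarely answer."""
    return [e for e in events if e["action"] == "permission_change" and e["actor"] not in approved_admins]
```

Each real vendor needs its own `normalize_*` adapter; the point is that everything downstream (the dashboard, the reports for auditors) only ever sees the common schema.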
Rising to the challenge
Fortunately, downward pressure on enterprise cloud providers to expose data security tools and options is beginning to have an effect. Newer companies are raising the competitive bar, providing first-generation tools to help customers see and control aspects of data security.
HP has developed a program to assist enterprises in finding SaaS application vendors who are already taking an early lead in addressing this security mandate. HP Cloud Connections is a select affiliation of SaaS providers who have demonstrated best-of-breed customer security features. These features include visibility into user activity and authorization, monitoring of critical control points and a commitment to making integration simple for customers.
A higher standard
The Cloud Security Alliance publishes a detailed guide to help enterprises practice strategic management of cloud services. This year's guide addresses the downward pressure on cloud providers to deliver more security information to their customers. Download it at https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf.