What has to change in an enterprise’s approach to create a more secure SaaS model?
Focus on the following items:
Internal identity and access management (IAM)
IAM in the cloud has improved, but still has some way to go. My point is that identity management in the cloud should not take priority over what is done within the enterprise firewall. There are some third-party technologies that let IT extend role-based access controls into the cloud with single sign-on; alternatively, firms can use a security platform that already has well-structured IAM in place. There is also the problem of employees accessing SaaS products without knowledge of the enterprise and its IT policy. The keys to preventing this are educating employees and using various network monitoring and Web filtering technologies.
Greater focus on endpoint security
A major benefit of SaaS is that business applications can be accessed wherever there is Internet connectivity, but this also poses new risks. Coupled with the proliferation of laptops and mobile devices, SaaS makes it even more important for IT shops to secure endpoints. Enterprises that make use of SaaS need to implement policies to control connectivity. They should be able to enforce SaaS security policies for mobile-to-cloud access to approved cloud services without requiring an agent on the device or a VPN to backhaul traffic through the network. Investment here at present is important. Access can also be regulated by using secure Web gateway appliances from vendors, such as Cisco or Blue Coat, which broker the connection between a customer and cloud services.
Better integration between enterprise data and third-party apps
Google has a Secure Data Connector that forms an encrypted connection between a customer's data and Google's business applications, while letting the customer control which employees may access Google Apps resources. Salesforce provides a similar tool. But this approach becomes cumbersome because customers that use numerous SaaS applications could find themselves dealing with many different security tools. Using third-party products, at least, offers the advantage of connecting to many different types of SaaS applications to reduce complexity.
Focus on cloud standards
Standards bodies are also developing their own guidelines for cloud standards, which include coverage of security. The largest and arguably most comprehensive player in cloud security standards is the Cloud Security Alliance (CSA). With corporate members, including Amazon Web Services, Microsoft, Oracle and Salesforce, most blue chip industry cloud services have a stake in the CSA. Customers evaluating cloud providers are warned against placing too much attention on SAS 70 certification, as SAS 70 has been criticized for representing a snapshot in time which may not reflect a service provider’s ongoing performance.
Ask for cloud vendor security process transparency
In the past, SaaS vendors have been rather secretive about their security processes. If this is a concern, then enterprises need to be more demanding on details about how data centers are secured and how vendors segregate data in multi-tenant systems. You also need to know where your data sits. For data, location matters due to regulatory compliance and privacy concerns.