Security professionals face the difficult challenge of extending enterprise security requirements to cover cloud computing and software-as-a-service (SaaS) applications.
Particularly difficult is finding ways to secure the new boundaries between the enterprise, the cloud service and the end user while managing dependencies on off-premise infrastructure and privileged operators. And they have to do all this without inhibiting flexibility and agility.
Research firm IDC predicts that 76% of U.S. organizations will use at least one SaaS-delivered application for business use by the close of 2009. Adoption of cloud-based services is being driven by business performance benefits and realized cost efficiencies. This isn't new for those of us in IT. Mission-critical information is already handled in the cloud by companies that outsource email services or maintain customer information in CRM systems such as Salesforce.com. The challenge for security teams is to safely integrate extended cloud capabilities into corporate policies and procedures.
Forrester recommends the usual checklist of cloud security requirements that any enterprise would have for internally hosted applications: authenticate users and control access to applications, tightly log and audit privileged operations, protect sensitive data to prevent loss and meet compliance mandates, and reduce risk with rigorous vulnerability management. Take into account differences in the SaaS vendor's infrastructure and business practices when evaluating how sensitive the deployment is from a security standpoint. For instance, expect the cloud vendor to replicate data between data centers for performance and business continuity, and expect a degree of resource sharing with other tenants in virtualized application environments.
Due diligence before choosing a cloud business partner should include the following:
- Integrate the boundaries between enterprise systems, cloud services, and the end user. In a SaaS operation, enterprise data, identities and authorizations have to flow easily between enterprise storage and cloud storage. This is essential to initially populate the system, to move data when migrating to another vendor, and to manage changes in the business structure. Have security and application architects review the APIs and the interchange process to preserve authentication strength and sustain data integrity.
- Implement a process of regular update reviews of the cloud service's technology and best practices, even extending participation in staff meetings to the cloud partner. As the SaaS vendor improves its service delivery capability to grow its business, the enterprise may be exposed to undesirable side effects or may be slow to adapt to new features. Coordination between organizations requires more effort and discipline to comment on interface plans, coordinate application release cycles, and review audit logs to avoid unpleasant surprises.
- Focus on data security. Sensitive data can linger in third-party archive vaults, end-user laptops and cloud vendor data centers. For instance, periodically ask for and inspect copies of data archives to reduce the risk of business disruption when switching vendors at the end of the agreement, and require joint audit reviews to keep security efforts coordinated.
Businesses frequently take advantage of external services for specialized processing or more efficient access. Manage the security risks to the organization by paying special attention to the new boundary conditions as data and access control policies are shared between the enterprise, the SaaS vendor, and end users.
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to firstname.lastname@example.org.