The rush towards cloud computing began with more general business applications and a move to embrace social media marketing. The cloud computing model has also seeped
Security SaaS: Workforce augmentation
Before the security staff starts getting its resumes in order, it’s important to keep in mind that cloud-based security services are not new. They were just not referred to as Security as a Service in the past. There are a few that many security professionals are using today, such as antivirus, antispam, and vulnerability subscriptions. In each case, there would be no way for a single information security professional to stay updated on each of these categories of threats. These services free them up to concentrate on tasks of higher value to the organization instead of spending hours researching new virus signatures, for example.
There isn’t a single security organization that will pass up additional resources when offered; these resources don’t always have to come in the form of full-time employees. For this reason, security organizations shouldn’t be threatened by security SaaS, but should consider it as workforce augmentation. There is an array of services that allow security organizations to more effectively protect their IT assets. Just as with other types of cloud service offerings, security SaaS is not a cure-all. Some security services have adapted well to work in the cloud, and some are still in their infancy, such as federated identity management. Security organizations can utilize their risk assessments to determine where the available cloud offerings match existing needs. The Cloud Security Alliance recently released a document defining 10 categories of security SaaS offerings:
- Identity and access management
- Data loss prevention
- Web security
- Email security
- Security assessments
- Intrusion management
- Security information and event management
- Business continuity and disaster recovery
- Network security
Email security SaaS pros and cons
Some of these functions are just no-brainers to move outside the organization. Email security, for example, has become a nightmare of virus scanning, malware detection, spam filtering and user education. How many emails have you sent reminding users not to click on the attachment? So why not let an outside service proxy all of your company email? It will arrive almost completely free of viruses, malware and spam and have the side benefit of reducing your company’s bandwidth utilization. It will also be monitored and updated around the clock, including holidays, which is good news for the spouse of any security professional.
However, there are a few issues to consider when using a hosted email security solution. Encrypted messages will usually not be scanned as the service doesn’t have the keys to read the contents. There are services that will provide keys for the encrypted email communications, but they raise another issue: The email security service provider will have the ability to read all messages to/from your company. This fact in itself is not cause for alarm because as you know, all unencrypted email communications can be easily intercepted. However, what happens to your company’s email messages if this particular email security company is breached?
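To size the first of these issues before moving to a hosted service, the Python below (an added example, not part of the original article) counts how many messages in a sample are S/MIME- or PGP-encrypted and would therefore pass a keyless gateway unscanned. The function names and the sample messages are constructed for illustration.

```python
from collections import Counter
from email import message_from_string

def encryption_kind(msg):
    """Return 'smime', 'pgp-mime', 'encrypted-other', 'pgp-inline' or 'none'."""
    ctype = msg.get_content_type()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # signed-data is readable by a scanner; a missing smime-type is
        # treated as encrypted so the count errs on the high side.
        kind = str(msg.get_param("smime-type") or "enveloped-data").lower()
        return "smime" if kind == "enveloped-data" else "none"
    if ctype == "multipart/encrypted":
        proto = str(msg.get_param("protocol") or "").lower()
        return "pgp-mime" if proto == "application/pgp-encrypted" else "encrypted-other"
    for part in msg.walk():  # inline ASCII-armoured PGP inside a text part
        if part.get_content_maintype() == "text":
            if b"-----BEGIN PGP MESSAGE-----" in (part.get_payload(decode=True) or b""):
                return "pgp-inline"
    return "none"

def unscanned_report(raw_messages):
    """Count messages a gateway without the keys cannot inspect."""
    counts = Counter(encryption_kind(message_from_string(r)) for r in raw_messages)
    total = sum(counts.values())
    return {"total": total, "opaque": total - counts["none"], "by_kind": dict(counts)}

# Constructed sample messages (placeholder bodies, not real ciphertext).
SAMPLES = [
    "From: a@example.com\nSubject: plain\n\nQuarterly numbers attached.\n",
    "From: b@example.com\nMIME-Version: 1.0\n"
    "Content-Type: application/pkcs7-mime; smime-type=enveloped-data\n"
    "Content-Transfer-Encoding: base64\n\nMIIB\n",
    "From: c@example.com\nMIME-Version: 1.0\n"
    "Content-Type: application/pkcs7-mime; smime-type=signed-data\n"
    "Content-Transfer-Encoding: base64\n\nMIIB\n",
    "From: d@example.com\nMIME-Version: 1.0\n"
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"\n\n'
    "--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
    "--b1\nContent-Type: application/octet-stream\n\nPLACEHOLDER\n--b1--\n",
    "From: e@example.com\nContent-Type: text/plain\n\n"
    "-----BEGIN PGP MESSAGE-----\nPLACEHOLDER\n-----END PGP MESSAGE-----\n",
]

if __name__ == "__main__":
    print(unscanned_report(SAMPLES))
```

Run over a representative export of real mail, the "opaque" share shows how much traffic would still need endpoint scanning or a key-escrow decision.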
Web filtering security SaaS
Another security function that works well externally is Web security filtering. This was traditionally a hardware/software solution that existed in the data center to filter malware and block certain categories of content as well as provide data loss prevention capabilities. However, this system is very maintenance intensive, relying on constant updates to the filtering software. This type of pedantic monitoring is not where security professionals can provide the best security value to their companies.
Some companies have required that their remote users’ traffic be routed back to the company filters, introducing lag and other technical complications. This is another area where a remote hosted Web security solution makes a great deal of sense. The remote users may connect to localized Web content filters instead of connecting back to the company intranet. These users can also call the cloud services company for support, which frees up time for security pros for more critical security tasks.
Security SaaS: General risks and mitigation measures
Despite the upsides, there are risks that come with any of the security SaaS offerings. There is the risk of vendor lock-in that pervades all of these different services. It is best to avoid proprietary solutions and utilize standard Internet protocols where possible, such as Web proxies, SMTP relays, etc. However, this may not be possible with new services where standards have not yet been defined, so make sure to evaluate each technology thoroughly. Unscrupulous cloud providers could utilize this lock-in to raise prices dramatically over time. Make sure contracts address this pricing risk if there is no way around the proprietary technologies.
Another risk is that employees of these security SaaS companies will have access to your proprietary data at some level. This data could include your company’s Web browsing activity, email messages or proprietary information. Include contractual language that defines these individuals and the cloud service company’s screening procedures. Ensure separation of duties exists at the cloud provider and require logs be audited by your organization or some trusted third-party company. There may even be options for encryption of your proprietary data, but be aware of key management processes.
Security organizations should be assessing how to augment their current capabilities with the adoption of security SaaS. The benefits dramatically outweigh the risks as long as a thorough due diligence process is followed during the assessment and selection phase of service acquisition. The information security landscape is changing every day and security professionals should be focused on following these changes and adapting their mitigation strategies instead of focusing on menial tasks like updating antivirus signatures. Security SaaS partnerships may be the only way to continue to provide a secure computing environment in the reality of limited resources.
About the author:
Joseph Granneman, CISSP, has over 20 years in information technology and security with experience in both healthcare and financial services. He has been involved in the Health Information Security and Privacy Working Group for Illinois, the Certification Commission for Health Information Technology (CCHIT) Security Working Group, and is an active InfraGard member.
This was first published in October 2011