Information Security Magazine

 

SaaS security risks must be addressed
by Kelley Damore
Issue: Apr 2009

The lure of software-as-a-service is simple: It comes down to cold hard cash.

So in this economic environment, it comes as no surprise that organizations, large and small, are looking to SaaS providers to offer them services where they pay for infrastructure or expertise on a monthly basis.

Salesforce.com, offering hosted CRM, is the poster child for the SaaS space. Other business applications using the SaaS model include HR, expense reporting and the like. We've seen SaaS models also pop up in the security space with Qualys, Webroot, Google, Veracode, Zscaler and Purewire, among others, offering security services ranging from messaging security to vulnerability assessment to application security testing. With huge data centers, Amazon and Google rent their capacity on a by-job basis.

It seems to me that in a relatively short amount of time this will be the way we use computing power and access applications. It will radically change the ways businesses operate -- much like what Web browsers and email did in the 1990s.

And you've got to adapt. You'll have no choice. So the time is now to look at the security and regulatory implications of these types of services and get ahead of a wave that seems almost inevitable.

The reason SaaS works at the lower price points is that providers can host multiple customers on a shared infrastructure. And it's just this type of architecture that could be very troubling for a security team. As a security manager, you have to insert yourself into the conversation and lay out a few necessary requirements.

The first must be clear separation of customer data. In addition, you need to determine whether you can get access to logging and audit trails for both compliance and security should an incident occur. Moreover, determine how secure their Web applications are. And what about insider threats at the provider's facility? What are your provider's access controls? How does your provider handle breaches or other insider threats?

Add in government and industry regulations and you've got a lot to muddle through.

But thankfully there is lots of time for discussion and fixes. The market is relatively new and many of these questions will need to be hashed out. It is your job as users of these services to force the SaaS providers to offer you the adequate answers you need.

It will take time, but as with other technologies before this, the industry and security practitioners will come up with a way to make it work.

Kelley Damore is Editorial Director of Information Security and TechTarget's Security Media Group. Send your comments on this column to feedback@infosecuritymag.com.




