Software On Demand

SaaS Journal

Subscribe to SaaS Journal: eMailAlertsEmail Alerts newslettersWeekly Newsletters
Get SaaS Journal: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


SaaS Authors: Mehdi Daoudi, Elizabeth White, Pat Romanski, Rajeev Gupta, Christoph Schell

Related Topics: Cloud Computing, SaaS Journal, Security Journal

Blog Post

Three Tips to Improve SaaS Security By @RichCampagna | @CloudExpo [#Cloud]

Outsourcing an application to the cloud does not mean outsourcing all responsibility for data protection

The shift to the cloud is in full swing. More and more organizations are adopting Software-as-a-Service (SaaS), forcing IT organizations to develop new strategies to secure the onslaught of data created and stored in cloud applications. Failure to develop strategies to close security gaps can result in compliance violations and data breaches. In some cases, organizations incur fines, but in extreme cases, businesses are forced to reorganize, replace the CEO, or even shut down completely. Perhaps the most overlooked factor in these cases is the effect this has on customers, who place their personal and financial information in the hands of major companies.

SaaS providers can afford to hire the best and brightest minds in security and to invest heavily in security infrastructure - far more than the typical enterprise. So why is security still the number one inhibitor to SaaS adoption in the enterprise? SaaS vendors work tirelessly to prevent distributed denial of service (DDOS) attacks, malware attacks, data exfiltration events, and other service-wide security events. However, SaaS vendors are less concerned with solving another class of security issues - specifically issues related to the use of an organization's data and user accounts. These issues - user accounts and identity, appropriate use of company data, compliance regulations, and security for data downloaded to user devices - are all outside of the scope of the SaaS vendor's security investments, but in scope for the organization deploying the SaaS service. Outsourcing an application to the cloud does not mean outsourcing all responsibility for data protection.

Here is a look at the three most common SaaS security gaps:

1. Too Many Passwords
One of the biggest issues with cloud apps today is that they are not well integrated with existing IT systems. As a result, employees are often scrambling to remember the many passwords associated with the different applications they use on a daily basis. Frustration leads to resetting forgotten passwords, which also leads to the increased likelihood that employees will reuse the same passwords or write them down, minimizing the effectiveness of authentication as a security mechanism.

2. No Visibility
Most cloud apps do not offer any audit logging or visibility into user activity. For example, say "Dimitra" signs into Office 365 in Bangalore, India, at 1:00 p.m. local time while on a business trip. At the same time, someone posing as "Dimitra" logs into Salesforce.com from San Francisco, California. If Dimitra's company relied solely on a cloud app, it would not know it has a potential compromise on its hands, as no alerts would be sent. This lack of visibility can turn into hundreds of thousands of dollars of fines, not to mention it can lead to the loss of the public's trust. Financial, healthcare, and other institutions that are part of highly regulated industries have an even bigger responsibility to ensure visibility into who is accessing what information, and to flag all suspicious activities.

3. Data Leakage
When an employee loses a mobile device that has next quarter's financial results on it, and the information ends up in the hands of a hacker, do not blame the cloud application used to store that information for the mistake. Cloud apps cannot stop employees from downloading mission-critical information onto their devices. An interesting side fact: Forrester Research surveyed 2,000 IT professionals in North America and Europe and found "enterprise insiders" account for 36 percent of all data breaches.

How can an enterprise adopt cloud apps while filling in these security gaps and preventing the next breach? Companies must change the way that they secure data. Cloud data doesn't only reside at rest inside cloud applications. It is synched to a myriad of devices and downloaded by users all around the world. Securing cloud data requires an end-to-end, data-centric approach to security that protects corporate data as it travels outside the firewall. Here are three SaaS security remedies every company needs to know:

1. Control who can access data: A company's security policies are critical here. Decide who can do what inside a cloud app. Set up rules that automatically enforce the company's security policies and control access based on application, group, type of device, and geo-location.

2. Lock up important data: Decide which data is most sensitive. This is an important step because not all data is created equal. Deploy a solution that automatically removes (via encryption or redaction) highly sensitive information from emails and attachments before a cloud application can download them onto an employee's mobile device.

3. Track your data: Digitally watermark corporate data and track its movements anywhere on the Internet. By placing hidden identifiers on all highly sensitive data, IT will know every time it was downloaded, who accessed it, and when the download took place.

A data-centric approach fills the security gaps for organizations adopting cloud applications such as Salesforce, Google Apps, and Microsoft Office 365. For enterprises, this approach meets the needs of the business and its employees, while simultaneously data remains secure and compliant.

More Stories By Rich Campagna

Rich Campagna drives product management and marketing at Bitglass. Prior to becoming an integral team member at Bitglass in April 2013, he was senior director of product management at F5 Networks, responsible for access security. Rich gained valuable experience in product management and sales engineering at Juniper Networks and at Sprint before working at F5.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.