|By Ken Asher||
|August 16, 2014 04:00 PM EDT||
Security professionals are constantly negotiating the tension of balancing ease-of-use with data security. Savvy security professionals know that their users will often choose a less secure technology that makes getting things done easier over a more secure technology that makes getting things done more cumbersome. The trick is in aligning the secure choice with the efficient choice - but this comes with much-needed analysis and consideration.
Increasingly, best-in-class applications are being offered in a Software as a Service (SaaS) model; just take a look at the plethora of cloud-based tools available for organizations that need a scalable way to access software across physical locations and a means of enabling their increasingly mobile users. Certainly, the SaaS model offers highly compelling advantages over traditional on-premise solutions such as:
- Reduction and simplification of license management costs as well as infrastructure procurement and management costs
- Increased disaster resiliency and improved business continuity driven by the remote nature of SaaS to the workplace
- Enablement of a remote or mobile workforce
While there are several reasons why enterprises around the globe are moving toward cloud-based software solutions, there are trade-offs in moving from on-premise to hosted SaaS. Control of the infrastructure means control of the security and compliance of the systems. Giving up this control means additional due diligence is required to meet security and compliance objectives.
From full-site SSL/TLS encryption to encryption of customer data at rest, SaaS providers are incorporating best practices in an effort to ensure that the data customers entrust them with remains safe in their hands. Support for single-sign-on (SSO) authentication standards such as Security Assertion Markup Language version 2.0 (SAML 2.0) allows customers to integrate uniform authentication standards (strong passwords or multi-factor authentication (MFA)) across multiple SaaS tools.
When evaluating SaaS technologies for potential adoption by your organization, here are five key questions that you should ask any potential vendor:
- How are you protecting my data while it's being transmitted to you and while it's stored in your systems?
- What are you doing to protect your systems against physical threats?
- What are you doing to defend your application from attack?
- What are you doing to protect your users from account compromise?
- How are you protecting the service from disaster and the data from corruption or accidental deletion?
User Management and Single Sign-On
One somewhat hidden challenge of increased reliance on SaaS applications is the potential for user management complexity. User on-boarding and off-boarding, end-user account and password management and privilege accounting are increasingly complex without a unified user management approach.
To solve for this, many SaaS providers now support one or more single sign-on (SSO) standards. Single sign-on allows for the central provisioning and de-provisioning of applications to the user, and a single source of truth for who has access to what.
Some additional benefits for SSO integrations include having a unified user authentication policy across multiple applications with fewer passwords for users to remember and keep secure. SSO also provides support for multi-factor authentication (MFA), which can be used to create a more secure but user-friendly means to log into mission-critical business software.
Whether we like it or not, keeping enterprise systems strictly on-premise isn't a viable or scalable option today. Adapting to the SaaS paradigm and understanding and quantifying both the benefits and risks have become a key skill for CIOs and security professionals. Those who can successfully negotiate this paradigm are the new heroes of IT procurement - delivering ease of use and efficiency while maintaining security and compliance best practices.
Oct. 21, 2014 01:00 AM EDT Reads: 1,138
Oct. 20, 2014 11:45 PM EDT Reads: 989
Oct. 20, 2014 11:15 PM EDT Reads: 1,498
Oct. 20, 2014 09:45 PM EDT Reads: 1,035
Oct. 20, 2014 09:30 PM EDT Reads: 826
Oct. 20, 2014 07:00 PM EDT Reads: 1,824
Oct. 20, 2014 03:45 PM EDT Reads: 1,554
Oct. 20, 2014 02:00 PM EDT Reads: 1,539
Oct. 20, 2014 02:00 PM EDT Reads: 1,723
Oct. 20, 2014 12:00 PM EDT Reads: 1,561
Oct. 20, 2014 12:00 PM EDT Reads: 1,806
Oct. 20, 2014 09:00 AM EDT Reads: 1,497
Oct. 19, 2014 10:00 PM EDT Reads: 1,459
Oct. 19, 2014 09:00 PM EDT Reads: 1,702
Oct. 19, 2014 07:30 PM EDT Reads: 1,376
Oct. 19, 2014 11:00 AM EDT Reads: 1,862
Oct. 19, 2014 11:00 AM EDT Reads: 1,662
Oct. 18, 2014 10:00 PM EDT Reads: 1,817
Oct. 18, 2014 05:00 PM EDT Reads: 1,889
Oct. 18, 2014 03:30 PM EDT Reads: 1,626