Welcome!

Security Authors: Yeshim Deniz, Imran Akbar, Sharon Barkai, Elizabeth White, Lori MacVittie

Related Topics: Cloud Expo, Java, SOA & WOA, Linux, Web 2.0, Security

Cloud Expo: Article

Migrating Apps to the Cloud

Security trade-offs and considerations

Security professionals are constantly negotiating the tension of balancing ease-of-use with data security. Savvy security professionals know that their users will often choose a less secure technology that makes getting things done easier over a more secure technology that makes getting things done more cumbersome. The trick is in aligning the secure choice with the efficient choice - but this comes with much-needed analysis and consideration.

Increasingly, best-in-class applications are being offered in a Software as a Service (SaaS) model; just take a look at the plethora of cloud-based tools available for organizations that need a scalable way to access software across physical locations and a means of enabling their increasingly mobile users. Certainly, the SaaS model offers highly compelling advantages over traditional on-premise solutions such as:

  • Reduction and simplification of license management costs as well as infrastructure procurement and management costs
  • Increased disaster resiliency and improved business continuity driven by the remote nature of SaaS to the workplace
  • Enablement of a remote or mobile workforce

While there are several reasons why enterprises around the globe are moving toward cloud-based software solutions, there are trade-offs in moving from on-premise to hosted SaaS. Control of the infrastructure means control of the security and compliance of the systems. Giving up this control means additional due diligence is required to meet security and compliance objectives.

From full-site SSL/TLS encryption to encryption of customer data at rest, SaaS providers are incorporating best practices in an effort to ensure that the data customers entrust them with remains safe in their hands. Support for single-sign-on (SSO) authentication standards such as Security Assertion Markup Language version 2.0 (SAML 2.0) allows customers to integrate uniform authentication standards (strong passwords or multi-factor authentication (MFA)) across multiple SaaS tools.

When evaluating SaaS technologies for potential adoption by your organization, here are five key questions that you should ask any potential vendor:

  • How are you protecting my data while it's being transmitted to you and while it's stored in your systems?
  • What are you doing to protect your systems against physical threats?
  • What are you doing to defend your application from attack?
  • What are you doing to protect your users from account compromise?
  • How are you protecting the service from disaster and the data from corruption or accidental deletion?

User Management and Single Sign-On
One somewhat hidden challenge of increased reliance on SaaS applications is the potential for user management complexity. User on-boarding and off-boarding, end-user account and password management and privilege accounting are increasingly complex without a unified user management approach.

To solve for this, many SaaS providers now support one or more single sign-on (SSO) standards. Single sign-on allows for the central provisioning and de-provisioning of applications to the user, and a single source of truth for who has access to what.

Some additional benefits for SSO integrations include having a unified user authentication policy across multiple applications with fewer passwords for users to remember and keep secure. SSO also provides support for multi-factor authentication (MFA), which can be used to create a more secure but user-friendly means to log into mission-critical business software.

Whether we like it or not, keeping enterprise systems strictly on-premise isn't a viable or scalable option today. Adapting to the SaaS paradigm and understanding and quantifying both the benefits and risks have become a key skill for CIOs and security professionals. Those who can successfully negotiate this paradigm are the new heroes of IT procurement - delivering ease of use and efficiency while maintaining security and compliance best practices.

More Stories By Ken Asher

Ken Asher is a Sales Engineer, Security, at Smartsheet. He has over 11 years of experience in technical operations, security and regulatory audit controls design and implementation. He currently serves as a sales security engineer at Smartsheet, a collaborative work management tool used by millions worldwide, where he advises Smartsheet's Enterprise customers on security and compliance controls. Previously, Ken served as the director of technical operations and the director of operations at Docusign.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.