In January I addressed the portfolio of security requirements for the SaaS environment. This post focuses exclusively on perimeter security.
Perimeter security is a firm's first line of defense against intrusion, malicious activities, malware and spam. Firms considering leveraging SaaS need to be sure the SaaS provider has the tools in place to support the level of security required. The defense needs to be strong enough to thwart the blackhats, but porous enough for users to be able to accomplish their day-to-day activities.
Before we get into the details of what to look and ask for in perimeter security, here are a few facts specific to email and spam: In August 2008, Yale University received 123 million emails, of which 94.54 percent were spam. SpamLaws.com quotes a study by the Radicati Research Group Inc., a research firm based in Palo Alto, California, stating that spam costs businesses $20.5 billion annually in decreased productivity as well as in technical expenses. In the same article, SpamLaws also quotes Nucleus Research as estimating that the average loss per employee annually because of spam is approximately $1934. These facts are only for email. There are substantial business impacts related to identity management, access management, DNS protection, Web access management, and industry compliance. The negative business impact related just to email issues is huge. Imagine the scale of the total impact when all of the perimeter security components are aggregated.
Perimeter security is comprised of a collection of management tools, each one providing specific protection. The collection of tools include:
- Access management supports application and system access, typically via authentication mechanisms.
- Identity management supports user identity and role information.
- Federated Identity supports authentication of and with business partners. It must be able to integrate and synchronize with different identity management systems. Integration is assisted when solutions are built to support Security Assertion Markup Language (SAML) and Web Services Federation (WS-Federation).
- Perimeter Security provides protection against Internet threats including intrusion detection and prevention, DDoS attacks, DNS protection, and BGP monitoring.
- Web Access Management allows users to take care of their own needs such as password resets and self registration. The solution should integrate with existing identity management tools.
- Regulatory Compliance Audit-ability Each industry has its own set of regulations that must be followed. The perimeter security solution must be able to support regulatory compliance audits.
Security is a complex issue. Many firms have some or even most of the tools implemented, but it is rare to find all of them installed and kept up to date in an enterprise. As firms adjust to the new economic environment and downsize, identity and access management is becoming increasingly more important. With the current workloads of the IT staff, security implementation and support is one more item in a growing list of things to do. Put all these facts into a blender and give it a whirl and you end up with serious exposure to the firm.
Taking advantage of SaaS is a sound business solution to the perimeter security problem. A comprehensive SaaS provider is able to deliver best-of-breed solutions for more than just your applications. They also provide top notch perimeter security, identity, and access management to the company's applications and data.
When calculating the business economics of using a SaaS provider look beyond the basic metrics of transferring licensing costs or reducing the number of IT employees. The calculation needs to also include:
- the cost of acquiring and maintaining perimeter security tools.
- the cost of a data breech.
- the cost of regulatory compliance.
On a cumulative basis, it becomes clear that utilizing a SaaS provider makes good business sense. Factor in enhanced perimeter security support and the decision to start migrating applications to the cloud becomes very easy.
On a separate note, if you are attending the IDC SaaS conference in NYC on March 26, plan to attend my panel discussion on SaaS Security. The panel consists of companies using SaaS today and will address the security issues they considered before migrating. It's bound to be an informative session. I look forward to seeing you there.