Concern about security is cited as one of the greatest hurdles to implementing SaaS. I had the opportunity to talk to a few SaaS providers regarding security concerns and would like to share what I learned from these providers.
Security is a broad term that can be broken down into three areas: data center, application and user. Each of these areas has its own security best practices schema and ignoring any one area presents a security vulnerability to the firm and its data. The best SaaS providers in the market discuss each of these areas with their customers, demonstrating how their SaaS solution is as secure, and frequently more secure, than what an internal IT department can provide. A bold statement, I know, but read on and you will learn why SaaS implementations are more secure than on-premise solutions.
Data Center Security
There are only two points of entry into a SaaS environment: The front-end, which the users utilize; and the back-end, used by the SaaS provider for maintenance and management. Limited entry eliminates all the ways in which data is lost or stolen. Front-end entry is always through a secure, encrypted VPN leveraging identity and role-based access.
All of the firms I talked with for this piece referenced Symantec's research about rogue employees and lost laptops as the primary sources of data loss and theft. Working in the cloud removes the laptop issue and even the smartphone issue. Reducing broad access by limiting employees to the groups and teams they work in reduces the potential for intellectual property theft.
Application Security
Application security is directly associated with identity and role based access permissions. Application security includes, but goes beyond the standard password access. By utilizing SaaS, application security also includes encryption of the password, logs the number of attempts to logon, and can encrypt field/text/attachments. Application security also disables Java Scripts, one of the leading causes of malware and malicious activities.
User Security
User security is rooted in role-based access and identity management. Identity management is maintained in the firm's LDAP directories. Permissions and denials are controlled by the firm's administrator. The directories can be either inside the firm's firewall, at the SaaS provider's site, or in a DMZ. Having the firm control the identity management directories enables the administrator to move quickly to enable or disable users as needed.
Certifications
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
Security Blues
to be sure about a company's security protocols, one should check out their security documentation extensively (all good SaaS providers have this). past security record is also important. Tenure is also important. How long have they been security record is another criteria. Tenure is also important. how long have they been providing SaaS solutions. I would be more secure with SaaS providers like HyperOffice who have been around for a while rather than a newbie.