SaaS

Security Concerns in the SaaS Environment

1 comment | 11I like it!
January 9, 2009, 05:18 PM — 

Concern about security is cited as one of the greatest hurdles to implementing SaaS. I had the opportunity to talk to a few SaaS providers regarding security concerns and would like to share what I learned from these providers.

Security is a broad term that can be broken down into three areas: data center, application and user. Each of these areas has its own security best practices schema and ignoring any one area presents a security vulnerability to the firm and its data. The best SaaS providers in the market discuss each of these areas with their customers, demonstrating how their SaaS solution is as secure, and frequently more secure, than what an internal IT department can provide. A bold statement, I know, but read on and you will learn why SaaS implementations are more secure than on-premise solutions.

Data Center Security

There are only two points of entry into a SaaS environment: The front-end, which the users utilize; and the back-end, used by the SaaS provider for maintenance and management. Limited entry eliminates all the ways in which data is lost or stolen. Front-end entry is always through a secure, encrypted VPN leveraging identity and role-based access.

All of the firms I talked with for this piece referenced Symantec's research about rogue employees and lost laptops as the primary sources of data loss and theft. Working in the cloud removes the laptop issue and even the smartphone issue. Reducing broad access by limiting employees to the groups and teams they work in reduces the potential for intellectual property theft.

Application Security

Application security is directly associated with identity and role based access permissions. Application security includes, but goes beyond the standard password access. By utilizing SaaS, application security also includes encryption of the password, logs the number of attempts to logon, and can encrypt field/text/attachments. Application security also disables Java Scripts, one of the leading causes of malware and malicious activities.

User Security

User security is rooted in role-based access and identity management. Identity management is maintained in the firm's LDAP directories. Permissions and denials are controlled by the firm's administrator. The directories can be either inside the firm's firewall, at the SaaS provider's site, or in a DMZ. Having the firm control the identity management directories enables the administrator to move quickly to enable or disable users as needed.

Certifications

Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world

I like it!
Comments

Security Blues

to be sure about a company's security protocols, one should check out their security documentation extensively (all good SaaS providers have this). past security record is also important. Tenure is also important. How long have they been security record is another criteria. Tenure is also important. how long have they been providing SaaS solutions. I would be more secure with SaaS providers like HyperOffice who have been around for a while rather than a newbie.
| reply
peer-to-peer

jfruh
Apple syncing patent can't come soon enough

pasmith
New Twitter features borrow from 3rd party clients

Esther Schindler
Open Source Changes the Software Acquisition Process

mikelgan
How to set up continuous podcast play on the new iTunes

David Strom
Five important Windows 7 mobility features

sjvn
Guard your Wi-Fi for your own sake                        

Sandra Henry-Stocker
Grepping on Whole Words

 

Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325

Join the conversation here

The Daily Tip

The Daily TipQuick, practical advice for IT pros. Made fresh daily.

Hot tips:

Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.

Newsletters

Subscribe to ITWORLD TODAY and receive the latest IT news and analysis.

I would like to receive offers via email from ITworld partners.
By clicking submit you agree to the terms and conditions outlined in ITworld's privacy policy.
Featured Sponsor

AISO founders envisioned a Web hosting company that was environmentally friendly. While the company employed energy-efficient innovations like solar panels, its infrastructure produced unacceptable power and cooling requirements. Find out how AISO leveraged AMD technology to overcome their challenge in this case study white paper.

In this whitepaper, Scalar explores the opportunity to change the landscape with respect to mission critical databases built around Oracle. Leveraging technologies such as Linux, high-end commodity processing power and Oracle RAC technology to architect, design, build and maintain database infrastructure that delivers maximum availability, reliability and performance at a fraction of traditional cost.

On a typical day, weather.com, the Web site for The Weather Channel in Atlanta, serves up between 15 million and 20 million page views. But in September 2004, when back-to-back hurricanes ransacked Florida, the peak traffic on one day more than tripled: over 70 million page views by more than 7 million unique visitors. Read the full success story now.

Marketplace