Concern about security is cited as one of the greatest hurdles to implementing SaaS. I had the opportunity to talk to a few SaaS providers regarding security concerns and would like to share what I learned from these providers.
Security is a broad term that can be broken down into three areas: data center, application and user. Each of these areas has its own security best practices schema and ignoring any one area presents a security vulnerability to the firm and its data. The best SaaS providers in the market discuss each of these areas with their customers, demonstrating how their SaaS solution is as secure, and frequently more secure, than what an internal IT department can provide. A bold statement, I know, but read on and you will learn why SaaS implementations are more secure than on-premise solutions.
Data Center Security
There are only two points of entry into a SaaS environment: The front-end, which the users utilize; and the back-end, used by the SaaS provider for maintenance and management. Limited entry eliminates all the ways in which data is lost or stolen. Front-end entry is always through a secure, encrypted VPN leveraging identity and role-based access.
All of the firms I talked with for this piece referenced Symantec's research about rogue employees and lost laptops as the primary sources of data loss and theft. Working in the cloud removes the laptop issue and even the smartphone issue. Reducing broad access by limiting employees to the groups and teams they work in reduces the potential for intellectual property theft.
Application Security
Application security is directly associated with identity and role based access permissions. Application security includes, but goes beyond the standard password access. By utilizing SaaS, application security also includes encryption of the password, logs the number of attempts to logon, and can encrypt field/text/attachments. Application security also disables Java Scripts, one of the leading causes of malware and malicious activities.
User Security
User security is rooted in role-based access and identity management. Identity management is maintained in the firm's LDAP directories. Permissions and denials are controlled by the firm's administrator. The directories can be either inside the firm's firewall, at the SaaS provider's site, or in a DMZ. Having the firm control the identity management directories enables the administrator to move quickly to enable or disable users as needed.
Certifications
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
Brian Proffitt
Microsoft/Novell: Breaking Down the Coupon Numbers
Esther Schindler
Drupal's Dries Buytaert on Building the Next Drupal
Tom Henderson
Top Ten General Operating Systems Rants
pasmith
PS3 motion controller delayed; goes up against Project Natal
sjvn
Neolithic Windows security hole alive and well in Windows 7
claird
Perl source code comparison makes for good reading
James Gaskin
Learn How To Print Pages In Order with Ink Jet Printers
mikelgan
Cell phones don't create stress or interrupt much
Sandra Henry-Stocker
How to: The Unix Interview
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
- Ubuntu advances: Why Ubuntu server installations will surge in 2010
- Social media marketing: How to make friends with benefits
- More...
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
Security Blues
to be sure about a company's security protocols, one should check out their security documentation extensively (all good SaaS providers have this). past security record is also important. Tenure is also important. How long have they been security record is another criteria. Tenure is also important. how long have they been providing SaaS solutions. I would be more secure with SaaS providers like HyperOffice who have been around for a while rather than a newbie.