|By Ken Asher||
|August 16, 2014 04:00 PM EDT||
Security professionals are constantly negotiating the tension of balancing ease-of-use with data security. Savvy security professionals know that their users will often choose a less secure technology that makes getting things done easier over a more secure technology that makes getting things done more cumbersome. The trick is in aligning the secure choice with the efficient choice - but this comes with much-needed analysis and consideration.
Increasingly, best-in-class applications are being offered in a Software as a Service (SaaS) model; just take a look at the plethora of cloud-based tools available for organizations that need a scalable way to access software across physical locations and a means of enabling their increasingly mobile users. Certainly, the SaaS model offers highly compelling advantages over traditional on-premise solutions such as:
- Reduction and simplification of license management costs as well as infrastructure procurement and management costs
- Increased disaster resiliency and improved business continuity driven by the remote nature of SaaS to the workplace
- Enablement of a remote or mobile workforce
While there are several reasons why enterprises around the globe are moving toward cloud-based software solutions, there are trade-offs in moving from on-premise to hosted SaaS. Control of the infrastructure means control of the security and compliance of the systems. Giving up this control means additional due diligence is required to meet security and compliance objectives.
From full-site SSL/TLS encryption to encryption of customer data at rest, SaaS providers are incorporating best practices in an effort to ensure that the data customers entrust them with remains safe in their hands. Support for single-sign-on (SSO) authentication standards such as Security Assertion Markup Language version 2.0 (SAML 2.0) allows customers to integrate uniform authentication standards (strong passwords or multi-factor authentication (MFA)) across multiple SaaS tools.
When evaluating SaaS technologies for potential adoption by your organization, here are five key questions that you should ask any potential vendor:
- How are you protecting my data while it's being transmitted to you and while it's stored in your systems?
- What are you doing to protect your systems against physical threats?
- What are you doing to defend your application from attack?
- What are you doing to protect your users from account compromise?
- How are you protecting the service from disaster and the data from corruption or accidental deletion?
User Management and Single Sign-On
One somewhat hidden challenge of increased reliance on SaaS applications is the potential for user management complexity. User on-boarding and off-boarding, end-user account and password management and privilege accounting are increasingly complex without a unified user management approach.
To solve for this, many SaaS providers now support one or more single sign-on (SSO) standards. Single sign-on allows for the central provisioning and de-provisioning of applications to the user, and a single source of truth for who has access to what.
Some additional benefits for SSO integrations include having a unified user authentication policy across multiple applications with fewer passwords for users to remember and keep secure. SSO also provides support for multi-factor authentication (MFA), which can be used to create a more secure but user-friendly means to log into mission-critical business software.
Whether we like it or not, keeping enterprise systems strictly on-premise isn't a viable or scalable option today. Adapting to the SaaS paradigm and understanding and quantifying both the benefits and risks have become a key skill for CIOs and security professionals. Those who can successfully negotiate this paradigm are the new heroes of IT procurement - delivering ease of use and efficiency while maintaining security and compliance best practices.
Nov. 23, 2014 07:30 PM EST Reads: 1,685
Nov. 23, 2014 12:00 PM EST Reads: 1,626
Nov. 23, 2014 07:45 AM EST Reads: 1,469
Nov. 22, 2014 10:00 PM EST Reads: 1,384
Nov. 22, 2014 05:30 PM EST Reads: 1,461
Nov. 22, 2014 05:30 PM EST Reads: 1,450
Nov. 22, 2014 05:30 PM EST Reads: 1,304
Nov. 21, 2014 09:15 PM EST Reads: 1,378
Nov. 21, 2014 08:00 PM EST Reads: 1,442
Nov. 21, 2014 08:00 PM EST Reads: 1,387
Nov. 21, 2014 07:00 PM EST Reads: 1,291
Nov. 20, 2014 09:15 PM EST Reads: 1,379
Nov. 20, 2014 06:00 PM EST Reads: 1,341
Nov. 20, 2014 04:45 PM EST Reads: 1,136
Nov. 20, 2014 01:00 PM EST Reads: 1,585
Nov. 20, 2014 12:30 PM EST Reads: 1,793
Nov. 18, 2014 09:00 PM EST Reads: 2,018
Nov. 18, 2014 08:15 PM EST Reads: 1,572
Nov. 18, 2014 01:30 PM EST Reads: 2,013
Nov. 13, 2014 05:00 AM EST Reads: 3,544