Software as a Service (SaaS) and cloud-based business applications are one of the fastest-growing segments of the computing world, with revenues nearly tripling between 2011 and now. Companies are quickly realizing the value of forgoing traditional software in favor of applications that can be more easily scaled, licensed, and monitored to ensure a worthwhile investment. Employees appreciate the flexibility as well; being able to log in to a program and work from virtually anywhere helps improve their productivity and their ability to maintain a work-life balance.
The benefits of SaaS cannot be overstated, but there is one issue that companies using this model cannot afford to overlook: security. Simply put, SaaS requires a shift in how organizations approach security, as the traditional security measures used in the enterprise environment don’t mitigate all of the risks inherent in using the cloud for vital business functions.
BYOD, Diversity and Visibility, Oh My!
Traditional enterprise security solutions are very effective for protecting networks and data. After all, when you are working with a defined perimeter, it’s much easier to identify and contain threats.
However, when you start working within the cloud, the risks are magnified. SaaS by definition requires relinquishing some control over the data being shared and the network on which it is being shared. One of the major issues with SaaS is the lack of visibility. Unless you have developed the application in-house and are using a private cloud, the vendor manages the security of the application. As the client, you are only responsible for managing access (as in, preventing unauthorized access or use of the app) and what your employees are doing within the app. You simply do not have the ability to see within the infrastructure of the application in such a way that you can manage the security yourself.
Another issue with SaaS is the sheer diversity of the potential applications. Every application has its own functions and capabilities — and every one of them could be governed by a different risk or compliance rule. When sensitive information is stored in an encrypted database on your own network, behind your customized firewall, you know for sure that you are complying with mandates. When you are using SaaS, you don’t have that level of control.
Finally, BYOD adds another wrinkle to the security of SaaS. One of the most appealing factors of SaaS is the fact that it can be accessed from anywhere, but that very flexibility can also present a security risk. You may be able to secure connections within your own network, but when an employee is logging on from home or a public location, you lose that control. Not to mention, many people remain logged in to applications or store their credentials; if a mobile device falls into the wrong hands, all it would take is a few taps of the keypad and you have a security breach.
Solving the Problem
Does all of this mean that SaaS will falter just as it’s beginning to pick up speed? Not at all.
What it does mean, though, is that enterprises need to adjust their approach to how they think about security, and accept that the traditional security methods that they have used for years are no longer enough. They need to look toward other means of security to protect their data. Some of the tactics to consider include:
- Integrating SaaS services with the identity and access management solutions that exist behind enterprise firewalls.
- Implementing two-factor authentication, like that found at www.safenet-inc.com, to control access to sensitive applications.
- Utilizing endpoint protection to secure mobile devices.
- Establishing secure IP addresses and/or virtual private networks (VPN) specifically for accessing SaaS applications outside of the enterprise network to ensure security.
- Employing web filtering and network monitoring protocols to prevent employees from accessing SaaS services without authorization or IT knowledge.
- Carefully selecting SaaS providers, and using only those that are willing to discuss security and/or allow you to run tests to confirm security protocols are adequate.
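To make two of these tactics concrete (dedicated IP addresses or a VPN for SaaS access, and monitoring for SaaS use that IT has not approved), here is an added example that is not part of the original article. It audits proxy or sign-in log lines against a sanctioned-application list and an approved egress range; the hostnames, the address range and the four-field log format are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed policy values, constructed for illustration only.
SANCTIONED_APPS = {"crm.example.com", "hr.example.com"}
KNOWN_SAAS = SANCTIONED_APPS | {"files.example.net", "notes.example.org"}
APPROVED_EGRESS = [ipaddress.ip_network("203.0.113.0/28")]  # VPN egress range

# Constructed log lines in an assumed format: timestamp user source_ip host
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice 203.0.113.5 crm.example.com
2024-05-01T09:02:17Z bob 198.51.100.23 crm.example.com
2024-05-01T09:05:40Z carol 203.0.113.9 files.example.net
2024-05-01T09:06:02Z carol 203.0.113.9 FILES.example.net.
2024-05-01T09:07:55Z dave 203.0.113.7 intranet.example.com
malformed line
"""

def from_approved_network(ip):
    """True if ip falls inside one of the approved egress networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APPROVED_EGRESS)

def audit(log_text):
    """Return findings grouped by type, de-duplicated and sorted."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            findings["unparsed"].add(line)  # keep for review, never drop silently
            continue
        _ts, user, ip, host = parts
        host = host.lower().rstrip(".")     # normalise case and trailing dot
        if host not in KNOWN_SAAS:
            continue                        # not SaaS traffic, out of scope
        try:
            approved = from_approved_network(ip)
        except ValueError:                  # source field is not an IP address
            findings["unparsed"].add(line)
            continue
        if host not in SANCTIONED_APPS:
            findings["unsanctioned_app"].add((user, host))
        elif not approved:
            findings["outside_approved_network"].add((user, host, ip))
    return {kind: sorted(items) for kind, items in findings.items()}

if __name__ == "__main__":
    for kind, items in audit(SAMPLE_LOG).items():
        print(kind, items)
```

In practice the list of known SaaS hostnames would come from the web filter's application categories rather than a hard-coded set.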
Successfully securing your networks and data in the world of the cloud and SaaS requires flexibility and a multi-pronged approach. You simply cannot rely on your existing enterprise security tactics to keep everything safe in this new and relatively uncharted territory. Before you jump on the SaaS train, carefully weigh the security risks against the benefits, and take any additional steps necessary to ensure the security of your data in the cloud and in third-party applications. In the end, the extra time (and cost) is well spent when you avoid a costly security breach.