- Cloud computing models of the future will likely combine the use of SaaS (and other XaaS’s as appropriate), utility computing, and Web 2.0 collaboration technologies to leverage the Internet to satisfy their customers’ needs.
- New business models being developed as a result of the move to cloud computing are creating not only new technologies and business operational processes but also new security requirements and challenges.
- As the most recent evolutionary step in the cloud service model, SaaS will likely remain the dominant cloud service model for the foreseeable future and the area where the most critical need for security practices and oversight will reside.
SaaS providers handle much of the security for a cloud application. The SaaS provider is responsible for securing the platform, network, applications, operating system, and physical infrastructure. However, providers are not responsible for securing customer data or user access to it. Some providers offer a bare minimum of security, while others offer a wide range of SaaS security options.
Just as with a managed service provider, corporations or end users will need to research vendors’ policies on data security before using vendor services to avoid losing, or being unable to access, their data. The technology analyst and consulting firm Gartner lists seven security issues which one should discuss with a cloud-computing vendor:
1. Privileged user access—Inquire about who has specialized access to data, and about the hiring and management of such administrators.
2. Regulatory compliance—Make sure that the vendor is willing to undergo external audits and/or security certifications.
3. Data location—Does the provider allow for any control over the location of data?
4. Data segregation—Make sure that encryption is available at all stages, and that these encryption schemes were designed and tested by experienced professionals.
5. Recovery—Find out what will happen to data in the case of a disaster. Do they offer complete restoration? If so, how long would that take?
6. Investigative support—Does the vendor have the ability to investigate any inappropriate or illegal activity?
7. Long-term viability—What will happen to data if the company goes out of business? How will data be returned, and in what format?
Below are SaaS security practices that organizations can adopt to protect data in their SaaS applications.
- Detect rogue services and compromised accounts
- Apply identity and access management (IAM)
- Encrypt cloud data
- Enforce data loss prevention (DLP)
- Monitor collaborative sharing of data
- Check provider's security
SaaS security solutions: Several types of security solutions can help organizations improve SaaS security. The solutions can be implemented separately or together as part of a CASB.
- Data loss prevention (DLP) safeguards intellectual property and protects sensitive data in cloud applications, as well as at endpoints such as laptops. Organizations can define data access policies that DLP enforces.
- Compliance solutions provide controls and reporting capabilities to ensure compliance with government and industry regulations.
- Advanced malware prevention includes technologies such as behavioral analytics and real-time threat intelligence that can help detect and block zero-day attacks and malicious files that may be spread through cloud email and file sharing applications.
- Cloud access security brokers (CASBs) protect enterprise data and users across all cloud services, including SaaS, PaaS, and IaaS. According to Gartner's Magic Quadrant for Cloud Access Security Brokers, CASBs detect threats and provide IT departments with greater visibility into data usage and user behavior for cloud services, end users, and devices. CASBs also act immediately to remediate security threats by eliminating security misconfigurations and correcting high-risk user activities in applications. CASBs provide a variety of security services, including:
- Monitoring for unauthorized cloud services
- Enforcing data security policies including encryption
- Collecting details about users who access data in cloud services from any device or location
- Restricting access to cloud services based on the user, device, and application
- Providing compliance reporting
CASB solutions, which are typically SaaS applications, may provide additional capabilities. These may include:
- File encryption
- Pre-built policy templates to guide IT staff through the process of policy creation
- User entity behavior analytics (UEBA) backed by machine learning
- In-application coaching to help end users learn improved security practices
- Security configuration audits to suggest changes to security settings based on best practices
IT departments can learn to protect their cloud applications and data by following cloud security best practices and implementing effective SaaS security solutions.
6.3.2 Security Governance
A security steering committee should be developed whose objective is to focus on providing guidance about security initiatives and alignment with business and IT strategies. A charter for the security team is typically one of the first deliverables from the steering committee. This charter must clearly define the roles and responsibilities of the security team and other groups involved in performing information security functions. Lack of a formalized strategy can lead to an unsustainable operating model and security level as it evolves. In addition, lack of attention to security governance can result in key needs of the business not being met, including but not limited to, risk management, security monitoring, application security, and sales support. Lack of proper governance and management of duties can also result in potential security risks being left unaddressed and opportunities to improve the business being missed because the security team is not focused on the key security functions and activities that are critical to the business.
6.3.3 Risk Management
Effective risk management entails identification of technology assets; identification of data and its links to business processes, applications, and data stores; and assignment of ownership and custodial responsibilities. Actions should also include maintaining a repository of information assets. Owners have authority and accountability for information assets including protection requirements, and custodians implement confidentiality, integrity, availability, and privacy controls. A formal risk assessment process should be created that allocates security resources linked to business continuity.
6.3.10 Security Monitoring and Incident Response
Centralized security information management systems should be used to provide notification of security vulnerabilities and to monitor systems continuously through automated technologies to identify potential issues. They should be integrated with network and other systems monitoring processes (e.g., security information management, security event management, security information and event management, and security operations centers that use these systems for dedicated 24/7/365 monitoring). Management of periodic, independent third-party security testing should also be included.
Many of the security threats and issues in SaaS center around application and data layers, so the types and sophistication of threats and attacks for a SaaS organization require a different approach to security monitoring than traditional infrastructure and perimeter monitoring. The organization may thus need to expand its security monitoring capabilities to include application- and data-level activities. This may also require subject-matter experts in applications security and the unique aspects of maintaining privacy in the cloud. Without this capability and expertise, a company may be unable to detect and prevent security threats and attacks to its customer data and service stability.
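The application- and data-level monitoring this section calls for, applied to three of the SaaS security practices listed earlier (detecting compromised accounts, detecting rogue services, and monitoring collaborative sharing), as an added example that is not from the original text. The JSON audit-log format, the sample events, ORG_DOMAIN, APPROVED_APPS and the login time window are all assumptions constructed for the illustration.

```python
import json
from collections import defaultdict

ORG_DOMAIN = "example.com"          # assumption: the organization's own mail domain
APPROVED_APPS = {"corp-calendar"}   # assumption: third-party apps IT has approved
LOGIN_WINDOW = 600                  # seconds; assumption for the multi-IP login heuristic

# Constructed sample SaaS audit-log lines (one JSON object per line), not from any real product.
SAMPLE_LOG = """\
{"ts": 1000, "user": "alice@example.com", "action": "login", "ip": "203.0.113.5"}
{"ts": 1200, "user": "alice@example.com", "action": "login", "ip": "198.51.100.9"}
{"ts": 1300, "user": "alice@example.com", "action": "share", "file": "q3-forecast.xlsx", "label": "confidential", "target": "someone@mail.invalid"}
{"ts": 1400, "user": "bob@example.com", "action": "share", "file": "lunch-menu.pdf", "label": "public", "target": "pal@mail.invalid"}
{"ts": 1500, "user": "bob@example.com", "action": "oauth_grant", "app": "pdf-magic", "scopes": ["files.read_all"]}
{"ts": 1600, "user": "carol@example.com", "action": "oauth_grant", "app": "corp-calendar", "scopes": ["calendar.read"]}
"""

def detect(log_text):
    """Return a list of (rule, user, detail) findings for the audit events in log_text."""
    findings = []
    logins = defaultdict(list)  # user -> [(ts, ip)] of logins seen so far
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        user, action = ev["user"], ev["action"]
        if action == "login":
            # Compromised-account heuristic: a second source IP within LOGIN_WINDOW seconds
            for ts, ip in logins[user]:
                if ip != ev["ip"] and ev["ts"] - ts <= LOGIN_WINDOW:
                    findings.append(("multi_ip_login", user, f"{ip} -> {ev['ip']}"))
                    break
            logins[user].append((ev["ts"], ev["ip"]))
        elif action == "share":
            # Data-layer rule: a confidential file shared with an address outside the organization
            external = not ev["target"].lower().endswith("@" + ORG_DOMAIN)
            if external and ev.get("label") == "confidential":
                findings.append(("external_confidential_share", user, ev["file"]))
        elif action == "oauth_grant":
            # Rogue-service rule: an OAuth token granted to an app IT has not approved
            if ev["app"] not in APPROVED_APPS:
                findings.append(("unapproved_oauth_app", user, ev["app"]))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

In practice these rules would feed the centralized SIEM the section describes rather than print to a console, and the thresholds would be tuned per organization.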