Vigilance Advised: SaaS Security in the Cloud
Larry Steele brings more than 20 years of experience in technology to his role as technical vice president of software-as-a-service at Savvis, Inc. He leads the overall global strategy for SaaS solutions for Savvis, and is a frequent participant in CTO advisory boards and industry speaking events.LARRY STEELE
When it comes to delivering software in the cloud via Software-as-a-Service (SaaS), independent software vendors (ISVs) need to view security as a primary concern and should protect their SaaS infrastructure from all angles, from all entry points and from all users.
But it’s important to note that not all clouds are equally secure. A mass market cloud, for example, may be high on delivering cheap storage and compute but lack enterprise-level security measures.
Consistency of Security Needed
If your software customers require tight levels of security in on-premise deployments, these same controls must be replicated in the cloud. Cost savings obtained via SaaS delivery are of little value to if your data and reputation are compromised.
When you are looking at outsourcing your SaaS infrastructure to a cloud service provider, you need to consider not only safeguards for the cloud itself, but also network and physical security.
When outsourcing your cloud infrastructure, you’ll want to find a service provider with experience in securing networks and operating systems and leveraging the best practices available. Encryption and VPN services must also be considered. And the vendor should offer consulting services – either in-house or through a partner – that can assess the security risks, penetration testing, threat management services and remediation.
An area that seems to be overlooked is around Web application firewall services. These services help protect your application from misbehaving in response to invalid requests that can result in buffer overflow issues and/or cross-site scripting issues.
I have many times heard developers and architects say that their networks are secure because they are using encryption. Encryption protects your application data when someone is trying to listen in on it, but it does not guard against unwanted requests. Application firewalls create a “moat” around your application and can stop invalid or inappropriate application requests from being processed, thereby saving precious CPU and memory cycles as well as – and more importantly – leaking data.
Lastly, you should understand how your service provider responds to attacks. Does your vendor have a security operations center in place? Do they know how to respond and work with local, state and government authorities? They should.
Network security should protect all the virtual entry points into your SaaS environment. Your vendor should have policies and procedures in place for responding to attacks and even scouting out emerging threats before they become issues.
Some vendors monitor the Internet for several clients simultaneously, so they often can see and respond to threats much faster. This can be a huge deal for ISVs, who may not see an attack for days because it might not be directly aimed at them. While the threat is out there, proactive vendors can respond by writing rules to protect against it.
In the virtual IT world of today, many people don’t think about physical security. But whether you’re using a service provider for colocation, managed service or cloud, it’s important to know that the physical location where your data is stored is secure.
Service providers should ensure that physical entry into the facility is protected – so look for on-duty guards, security cameras, body scans and other measures to prevent potential breaches. Be sure that your vendor has SAS 70 and/or ISO 9000 certification.
When thinking about physical security, also consider the service provider’s disaster recovery solutions. Where will your data be stored at rest? Where will it go? Will it be encrypted and protected? And if your existing data goes to tape, is the tape encrypted for backup?
Overall, whether data from your SaaS application resides inside a data center, on a network or in a cloud, security is paramount for ISVs. I talk to IT decision makers nearly every day and usually leave them with this simple, straightforward advice: Be vigilant. Trust nothing and no one.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating. View previously published Industry Perspectives in our Knowledge Library.
[...] Security: Senators Ask SEC to Issue IT Security Guidance Data Center Knowledge: Vigilance Advised: SaaS Security in the Cloud PC World: Protect Your Data From the Breach Epidemic WebProNews: Mobile Device Security Threats [...]