Challenges
The enterprise cloud revolution is here. IT organizations everywhere, from small and mid-sized businesses to Fortune 500 companies, are moving from on-premises software to on-demand, cloud-based services. This presents CIOs and their teams with a whole new set of security challenges. IT teams must assess the security of cloud service providers, address new identity management issues, and provide insight and advice about Software-as-a-Service (SaaS) products to ensure the company is maximizing the business value of its investments.
Leverage SaaS-based Security
Today many security applications are offered with a choice of appliance, server, VM, or cloud-based deployment. Should organizations take advantage of SaaS-based models for their own security applications?
The advantages of this approach are essentially the same operational advantages that apply to cloud-based business applications. They include:
- Reduced upfront capital expenditure
- Simplification of data center environments (reduce racks of servers and appliances)
- Seamless scalability
- Offloading of administrative functions
- High availability
We believe these advantages are compelling for many security applications, including SIEM (see Proficio's SIEM SaaS), email security, and web security. IT teams must take responsibility for assessing the strength of these services. Are they fully SAS70 certified? Are they fully compliant with regulations governing your industry? Are the applications truly multi-tenanted?
Using Cloud-based Business Applications
As enterprise IT makes the transition to this new approach, we suggest the following steps:
Assess Your Provider
Conduct a full risk assessment before you contract with any cloud provider. Look not just at the provider’s security and compliance activities but also at how easily you can migrate your data to another platform at the end of a contract. Cloud standards bodies have already published frameworks and benchmarks you can use to conduct your assessment.
Prepare your Own Security
Look at how your own security works in a cloud environment. How comprehensive is your existing security capability? And can you adequately protect your data and your user identities beyond the perimeter? Password management becomes important as users have multiple logins for different cloud-based applications. Integration with the organization's directory services, such as AD, helps avoid your competitor extracting your entire list of customers by knowing your VP of Sales' email address and pet's name. Automated provisioning and de-provisioning of user access with clear audit trails prevents disgruntled employees from stealing or damaging your data. Techniques like authentication and encryption are vital.
Implement a Governance Framework
Gather information from providers and from your own systems, and monitor for security events and for compliance with accepted best practice and with specific regulations and standards where appropriate.






