Companies Must Consider Security When Choosing a Cloud Provider
10 February 2010
No enterprise today can afford to ignore the compelling benefits of cloud-based computing and the SaaS delivery model it enables. Yet CIOs continue to be reluctant (justifiably in some cases) to entrust critical data and business processes to cloud-based systems. In fact, these concerns over security and reliability are widely cited as the biggest inhibitors to widespread enterprise adoption of cloud computing, even as businesses are increasingly reliant on cloud collaboration services for e-mail and other office communication needs.
The question is: Are these security fears really warranted?
For businesses with some of the toughest security requirements in the world, there are a number of criteria to consider when evaluating potential vendors in the cloud.
The primary focus when it comes to security for cloud delivery models such as SaaS, of course, is finding a provider that can protect data at all times. Keep in mind that SaaS providers already offer a number of advantages when it comes to maintaining security standards for the enterprise. Unlike an internal IT department, in which resources are typically stretched thin and keeping current can be a challenge, a SaaS vendor can offer faster response to threats, a homogeneous environment with a smaller attack surface to secure, and more rigorous security checks than a corporate IT department with limited resources and time.
In the evaluation process, I recommend taking this a step further and confirming that a potential provider addresses four specific areas of concern with equal attention. It is crucial to 360-degree security that all four of these pillars of information security are covered:
- Application Security: The best SaaS providers protect their offerings with strong authentication and equally potent authorization systems. Authentication ensures that only those with valid user credentials obtain access, while authorization controls what services and data items individual valid users may access.
- Infrastructure Security: Cloud services are only as good as their availability. Providers must build a highly available, redundant infrastructure to deliver uninterrupted service to their customers. Network and perimeter security are paramount for infrastructure elements; therefore, current technologies for firewalls, load balancers and intrusion detection/prevention should be in place and continuously monitored by experienced security personnel.
- Process Security: SaaS providers, particularly those involved in business-critical information, invest large amounts of time and resources into developing security procedures and controls for every aspect of their service offerings.
- Personnel Security: People are an important component of any information system. They can present insider threats that no outside attacker can match. Administrative controls such as “need to know,” “least privilege” and “separation of duties” must be employed. Background checks of the employees and enforceable confidentiality agreements are mandatory.
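The distinction the first and fourth pillars draw between authentication (who is this?) and authorization (what may this identity do to this object?), together with "need to know" and "least privilege", is easy to state and easy to get wrong in a multi-tenant service. The following is an added example written for this article, not Intralinks code: a toy in-memory document service with constructed tenants, users and documents, in which a valid login yields only a session, and every read is then checked against the tenant boundary and a per-document ACL, denying by default. An administrator can grant access but cannot read a document until granted access to it, which is the "need to know" control in code.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Added example, not Intralinks code. All tenants, users, passwords and
# documents below are constructed for illustration.

PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class User:
    name: str
    tenant: str
    salt: bytes
    digest: bytes
    roles: set = field(default_factory=set)


@dataclass
class Document:
    doc_id: str
    tenant: str
    body: str
    acl: dict = field(default_factory=dict)  # user name -> set of permitted actions


@dataclass(frozen=True)
class Session:
    user: str
    tenant: str


class DocumentService:
    def __init__(self):
        self.users = {}
        self.docs = {}

    def add_user(self, name, tenant, password, roles=()):
        salt, digest = hash_password(password)
        self.users[name] = User(name, tenant, salt, digest, set(roles))

    # Authentication: valid credentials yield a session and nothing more.
    def authenticate(self, name: str, password: str) -> Optional[Session]:
        user = self.users.get(name)
        if user is None:
            hash_password(password, b"\x00" * 16)  # same cost for unknown users
            return None
        _, digest = hash_password(password, user.salt)
        if not hmac.compare_digest(digest, user.digest):
            return None
        return Session(user.name, user.tenant)

    # Authorization: deny by default; tenant boundary first, then the ACL.
    def authorize(self, session: Session, doc_id: str, action: str) -> bool:
        doc = self.docs.get(doc_id)
        if doc is None or doc.tenant != session.tenant:
            return False  # cross-tenant access is never allowed
        user = self.users[session.user]
        if action == "share" and "admin" in user.roles:
            return True  # admins manage access ...
        return action in doc.acl.get(session.user, set())  # ... but read only if granted

    def read(self, session: Session, doc_id: str) -> str:
        if not self.authorize(session, doc_id, "read"):
            raise PermissionError(f"{session.user} may not read {doc_id}")
        return self.docs[doc_id].body

    def share(self, session: Session, doc_id: str, grantee: str, actions) -> None:
        if not self.authorize(session, doc_id, "share"):
            raise PermissionError(f"{session.user} may not share {doc_id}")
        self.docs[doc_id].acl.setdefault(grantee, set()).update(actions)


def build_demo_service() -> DocumentService:
    """Constructed sample data: two tenants, three users, one document."""
    svc = DocumentService()
    svc.add_user("alice", "acme", "correct horse battery staple", roles={"admin"})
    svc.add_user("bob", "acme", "hunter2")
    svc.add_user("mallory", "globex", "letmein")
    svc.docs["d1"] = Document("d1", "acme", "Q4 term sheet", acl={"bob": {"read"}})
    return svc


if __name__ == "__main__":
    svc = build_demo_service()
    bob = svc.authenticate("bob", "hunter2")
    print(svc.read(bob, "d1"))                 # bob was granted read
    alice = svc.authenticate("alice", "correct horse battery staple")
    print(svc.authorize(alice, "d1", "read"))  # False: admin, but not granted
    mallory = svc.authenticate("mallory", "letmein")
    print(svc.authorize(mallory, "d1", "read"))  # False: wrong tenant
```

The point to check when reviewing a provider's application layer is that the second function exists at all: a valid session from `authenticate` must never be enough on its own to fetch an object, and the tenant check must run before any per-user rule.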
Adopting a comprehensive approach that integrates application, infrastructure, process and personnel security with appropriate protection and controls is a critical factor. In addition to these fundamental components, organizations also need to, quite simply, take a good look at the provider's existing client base and where they set the bar for security. This can be a good gauge for the strength of a provider's claims. Only through discussions with existing customers, access to the public record and inspection of audit and incident reports can the best providers be distinguished from run-of-the-mill counterparts.
Finally, when evaluating and choosing a SaaS provider, it is important to verify that the provider can deliver the level of service and capabilities your company requires and to then double-check their ability to deliver on their promises. Ideally, obtaining information about security from providers should require little or no effort from prospective buyers. The providers who understand security will provide detailed security information as a matter of course, if not a matter of pride.
Security-savvy SaaS providers can also deliver tremendous value to their clients by enabling effective collaboration among colleagues and co-workers, and even among teams assembled across multiple organizations. With the right security apparatus built in, providers can impose highly effective security restraints on SaaS offerings.
As cloud computing increasingly becomes a viable option for CIOs and other business professionals looking to do more with less, the real game-changing event is just around the corner, when companies move beyond simply virtualizing their servers and start applying cloud computing concepts in earnest. By following the guidelines detailed above, organizations can make sure potential providers have their security and regulatory needs in mind as they move into the next generation of enterprise collaboration.
John Landy is the chief security officer at Intralinks. Having served as chief technology officer at Intralinks for the past 5 years, he utilizes his technical background to work with clients to understand their security needs in sharing and storing sensitive information. John has been working on internal Intralinks controls for enterprise security and corporate risk and oversees a function comprising Customer Engagement, Security Architecture and a Security Operations Center.