The security of SaaS: a market landscape

Table of Contents

  1. Summary
  2. The cloud’s evolution: the default IT
  3. Standards and best practices
  4. Cloud risk management: performance, security, and privacy
  5. Application security built for the cloud
  6. Key takeaways
  7. About Salvatore D’Agostino

1. Summary

For the CIO, the cloud holds compelling attraction in terms of reduced costs, time to deploy, and time to market and operational efficiencies. Yet it also introduces complexity and uncertainty along with concerns of expanded breaches, data sovereignty, and significant additional service integration.

Security concerns abound. In a vendor-published survey of over 250 companies, an average of 33,000 users were leveraging over 750 cloud-based services despite the observation that most are not enterprise-ready (including only 1 in 10 file sharing services), even as IT investment in cloud continues to grow.

Attacks have escalated in general. The threat landscape is studded with breaches, from advanced persistent threats to social engineering. Over the last year or so, for example, major breaches across retail were constantly in the headlines and rolled heads all the way to the CEO. Such breaches help to identify specific challenges facing providers of IT and security products and services. Research also points out that major breaches went undetected for months, and highlights applications as major targets. Helping the CIO address his or her concerns about this has given rise to many of the solutions reviewed in this market landscape.

Managing risk across a cloud deployment falls on the CIO as cloud consumer, in partnership with cloud service, broker, carrier and audit providers. All build, operate, maintain and manage risk in the data center, network fabric, applications, and devices.

Looking at the current cloud and application security landscape, we find that:

  • The consumerization of IT places demands on the CIO for consumer-friendly, cloud-based services. If denied, users will acquire those services anyway.
  • Many cloud-based services by default do not incorporate security, privacy, or policy-based access control, while at the same time security, privacy, and policy requirements continue to escalate.
  • Traditional enterprise security technologies, which involved protecting servers, devices and a finite number of applications behind the corporate firewall, are no longer adequate for protecting SaaS services built for the cloud (e.g., Office 365, Google Apps, Salesforce.com, Basecamp, NetSuite, Workday, Marketo, Box).
  • A new layer of security and identity solutions often leveraging cloud and big data has been developed to meet enterprise security and Everything-as-a-Service (XaaS) deployment needs.
  • Cloud federated identity and access management, which plays across applications, figures most prominently in the application security picture.
  • Visibility into usage (visualized or not) is often the first step.
  • The already-unrealistic expectation of a security (or any) magic bullet, including Security as a Service (SECaaS), is less, not more, likely to be met.