Cloud compliance: How to manage SaaS risk


By Joel Dubin, Contributor | Dec 8, 2008

Being an information security pro means learning how to deal with headaches. As if worrying about securing data within a corporate network isn't enough of a headache, securing data when it's in somebody else's network is even more complicated.

In a nutshell, that's the security issue surrounding hosted software, so-called cloud computing or Software as a Service (SaaS).

At first glance, SaaS might seem like a glorified version of third-party outsourcing. Many companies send data out to third parties, particularly those that process credit cards, but SaaS is a bit different: The third party hosts the software and manages the deployment and infrastructure. Instead of purchasing and installing software, a company links up with the SaaS provider, often via the Internet. SaaS is usually business driven for reasons such as availability, ease of management and cost-cutting.

Some well-known SaaS providers are Google Inc. and Amazon.com Inc., which offer applications as services through their networks. Other examples are Salesforce.com Inc., which offers customer relationship management (CRM) software online, and Qualys Inc., which offers on-demand security monitoring and vulnerability scanning, including the scans that PCI DSS itself mandates.

SaaS and compliance
Basically, the same security concerns companies already have within their own networks -- securing networks, hardware, applications and data -- apply to companies outsourcing their data with SaaS. However, when compliance with government regulations like Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLBA) and HIPAA, and industry standards like the Payment Card Industry Data Security Standard (PCI DSS), is thrown into the mix, things can get messy.

Before SaaS, compliance success could typically be boiled down to a few key tasks: identify users and access privileges; identify sensitive data, where it's located and how it's encrypted; and document all of this for auditors and regulators. SaaS makes these processes more complicated. Theoretically, an enterprise has full control of its data, but in reality it may be difficult for a customer to discern where its data resides on a network controlled by its SaaS provider, or a partner of that provider.


Comments

SaaS would be a major risk

SaaS would be a major risk if not dealt with properly. As they say, prevention is better than cure.
