Digital Edition

SYS-CON.TV
Migrating Apps to the Cloud
Security trade-offs and considerations

Security professionals are constantly negotiating the tension of balancing ease-of-use with data security. Savvy security professionals know that their users will often choose a less secure technology that makes getting things done easier over a more secure technology that makes getting things done more cumbersome. The trick is in aligning the secure choice with the efficient choice - but this comes with much-needed analysis and consideration.

Increasingly, best-in-class applications are being offered in a Software as a Service (SaaS) model; just take a look at the plethora of cloud-based tools available for organizations that need a scalable way to access software across physical locations and a means of enabling their increasingly mobile users. Certainly, the SaaS model offers highly compelling advantages over traditional on-premise solutions such as:

  • Reduction and simplification of license management costs as well as infrastructure procurement and management costs
  • Increased disaster resiliency and improved business continuity driven by the remote nature of SaaS to the workplace
  • Enablement of a remote or mobile workforce

While there are several reasons why enterprises around the globe are moving toward cloud-based software solutions, there are trade-offs in moving from on-premise to hosted SaaS. Control of the infrastructure means control of the security and compliance of the systems. Giving up this control means additional due diligence is required to meet security and compliance objectives.

From full-site SSL/TLS encryption to encryption of customer data at rest, SaaS providers are incorporating best practices in an effort to ensure that the data customers entrust them with remains safe in their hands. Support for single-sign-on (SSO) authentication standards such as Security Assertion Markup Language version 2.0 (SAML 2.0) allows customers to integrate uniform authentication standards (strong passwords or multi-factor authentication (MFA)) across multiple SaaS tools.

When evaluating SaaS technologies for potential adoption by your organization, here are five key questions that you should ask any potential vendor:

  • How are you protecting my data while it's being transmitted to you and while it's stored in your systems?
  • What are you doing to protect your systems against physical threats?
  • What are you doing to defend your application from attack?
  • What are you doing to protect your users from account compromise?
  • How are you protecting the service from disaster and the data from corruption or accidental deletion?

User Management and Single Sign-On
One somewhat hidden challenge of increased reliance on SaaS applications is the potential for user management complexity. User on-boarding and off-boarding, end-user account and password management and privilege accounting are increasingly complex without a unified user management approach.

To solve for this, many SaaS providers now support one or more single sign-on (SSO) standards. Single sign-on allows for the central provisioning and de-provisioning of applications to the user, and a single source of truth for who has access to what.

Some additional benefits for SSO integrations include having a unified user authentication policy across multiple applications with fewer passwords for users to remember and keep secure. SSO also provides support for multi-factor authentication (MFA), which can be used to create a more secure but user-friendly means to log into mission-critical business software.

Whether we like it or not, keeping enterprise systems strictly on-premise isn't a viable or scalable option today. Adapting to the SaaS paradigm and understanding and quantifying both the benefits and risks have become a key skill for CIOs and security professionals. Those who can successfully negotiate this paradigm are the new heroes of IT procurement - delivering ease of use and efficiency while maintaining security and compliance best practices.

About Ken Asher
Ken Asher is a Sales Engineer, Security, at Smartsheet. He has over 11 years of experience in technical operations, security and regulatory audit controls design and implementation. He currently serves as a sales security engineer at Smartsheet, a collaborative work management tool used by millions worldwide, where he advises Smartsheet's Enterprise customers on security and compliance controls. Previously, Ken served as the director of technical operations and the director of operations at Docusign.

In order to post a comment you need to be registered and logged in.

Register | Sign-in

Reader Feedback: Page 1 of 1



ADS BY GOOGLE
Subscribe to the World's Most Powerful Newsletters

ADS BY GOOGLE

Everyone wants the rainbow - reduced IT costs, scalability, continuity, flexibility, manageability, ...
DXWorldEXPO LLC announced today that "IoT Now" was named media sponsor of CloudEXPO | DXWorldEXPO 20...
Founded in 2000, Chetu Inc. is a global provider of customized software development solutions and IT...
SYS-CON Events announced today that DatacenterDynamics has been named “Media Sponsor” of SYS-CON's 1...
Andi Mann, Chief Technology Advocate at Splunk, is an accomplished digital business executive with e...
Most DevOps journeys involve several phases of maturity. Research shows that the inflection point wh...
Dynatrace is an application performance management software company with products for the informatio...
Today, we have more data to manage than ever. We also have better algorithms that help us access our...
DevOpsSummit New York 2018, colocated with CloudEXPO | DXWorldEXPO New York 2018 will be held Novemb...
Bill Schmarzo, author of "Big Data: Understanding How Data Powers Big Business" and "Big Data MBA: D...
@DevOpsSummit at Cloud Expo, taking place November 12-13 in New York City, NY, is co-located with 22...
DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, ...
SYS-CON Events announced today that IoT Global Network has been named “Media Sponsor” of SYS-CON's @...
CloudEXPO New York 2018, colocated with DXWorldEXPO New York 2018 will be held November 11-13, 2018,...
DXWorldEXPO | CloudEXPO are the world's most influential, independent events where Cloud Computing w...
Disruption, Innovation, Artificial Intelligence and Machine Learning, Leadership and Management hear...
The best way to leverage your Cloud Expo presence as a sponsor and exhibitor is to plan your news an...
Enterprises are striving to become digital businesses for differentiated innovation and customer-cen...
DXWorldEXPO LLC announced today that Telecom Reseller has been named "Media Sponsor" of CloudEXPO | ...
Consumer-driven contracts are an essential part of a mature microservice testing portfolio enabling ...