Software-plus-service (S+S) and Software-as-a-service (SaaS) are next-generation software solutions for a number of today’s applications. Implementation flexibility, cost structure and ease of customer support make them a product-decision differentiator in today’s market. Corporate acceptance of S+S and SaaS processes has moved beyond CRMs and Web Portals toward more traditional core business applications. However, they are not right for all applications. The introduction of these approaches into the traditional Enterprise has business advantages and security implications. To determine whether an application is a candidate for S+S or SaaS, a number of factors need to be analyzed. This session will survey the Identity, Network and Data Security impacts of using SaaS and S+S:
1. Demonstrate the threats introduced by blending traditional enterprise application deployment with SaaS or S+S solutions.
2. Classify potential types of data leakage and points where they can occur.
3. Analyze the service and financial impact of these leak points.
4. Determine process changes required to implement SaaS/S+S while maintaining data containment.
5. Recommend a combination of identity management, network and data security systems and services to address potential data leakage within the enterprise and at the SaaS and S+S provider.
Applications are the access portal to the valuable business-critical information contained within the IT infrastructure. Corporations have deployed a wide array of security solutions to address User Access Control, Single Sign-on, Network Perimeter Defense, Secure VPN, Data Privacy/Data Encryption and Physical Data Center defenses, all to prevent leakage of valuable corporate information. These current security tools do not address the dramatic change in the life cycle of corporate information as it migrates through SaaS/S+S providers while still mixing with the traditional models.
This lack of security tool integration creates threats that must be addressed in the corporate policies operating around a traditional enterprise model. This new hybrid model of SaaS, S+S and traditional enterprise creates several potential leak points beyond the standard enterprise, both in existing areas and at new points of concern. The synchronization of corporate user access controls with SaaS/S+S providers will create gaps in user-level security because of the time required to handle manual processes.
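As an added illustration of that synchronization gap (example code written for this page, not from the session or any provider), a reconciliation check compares a constructed enterprise-directory export against a constructed SaaS user list, measures how long each disabled account stayed active at the provider, and separately flags provider accounts the directory has never heard of:

```python
from datetime import datetime, timedelta

# Constructed sample data (hypothetical export formats, not a real provider's):
# the enterprise directory's view of each account (None = still enabled) and
# the SaaS provider's current user list.
DIRECTORY = {
    "alice@example.com": "2024-03-01T09:00:00",   # disabled on this timestamp
    "bob@example.com": "2024-03-04T17:30:00",
    "carol@example.com": "2024-03-05T08:15:00",
    "erin@example.com": None,                     # still an active employee
}
SAAS_USERS = [
    {"email": "alice@example.com", "status": "active", "last_login": "2024-03-03T11:20:00"},
    {"email": "bob@example.com", "status": "deactivated", "last_login": "2024-03-04T16:00:00"},
    {"email": "carol@example.com", "status": "active", "last_login": "2024-03-05T07:50:00"},
    {"email": "dave@example.com", "status": "active", "last_login": "2024-03-05T09:00:00"},
    {"email": "erin@example.com", "status": "active", "last_login": "2024-03-05T09:30:00"},
]
NOW = datetime(2024, 3, 5, 10, 0)   # constructed time of the reconciliation run

def reconcile(directory, saas_users, now, max_lag=timedelta(hours=1)):
    """Compare the provider's user list against the enterprise directory.
    Returns (orphaned, unmanaged): accounts disabled in the directory but still
    active at the provider longer than max_lag (with the exposure window in
    minutes and whether the account was used after it should have been cut off),
    and active provider accounts the directory does not know about at all."""
    orphaned, unmanaged = [], []
    for user in saas_users:
        if user["status"] != "active":
            continue                                  # already cut off at the provider
        if user["email"] not in directory:
            unmanaged.append(user["email"])           # created outside enterprise control
            continue
        disabled_at = directory[user["email"]]
        if disabled_at is None:
            continue                                  # legitimately active
        disabled_at = datetime.fromisoformat(disabled_at)
        lag = now - disabled_at
        if lag > max_lag:
            orphaned.append({
                "email": user["email"],
                "exposure_minutes": int(lag.total_seconds() // 60),
                "used_after_disable":
                    datetime.fromisoformat(user["last_login"]) > disabled_at,
            })
    return orphaned, unmanaged

if __name__ == "__main__":
    orphaned, unmanaged = reconcile(DIRECTORY, SAAS_USERS, NOW)
    for f in orphaned:
        print(f"ORPHANED {f['email']}: exposed {f['exposure_minutes']} min, "
              f"used after disable: {f['used_after_disable']}")
    for email in unmanaged:
        print(f"UNMANAGED {email}: active at provider, unknown to directory")
```

Run against real exports, the exposure window is the figure to track over time: it is the manual-process lag the session describes, and the used-after-disable flag separates a policy gap from an actual access event.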
Network perimeter defenses are outsourced in the SaaS/S+S model, limiting the traditional enterprise management of security policies. Data encryption takes on a new role, since the actual raw information held in the storage systems will now need to be exchanged and synchronized with service providers. All of these risks may create costs that outweigh the benefits of the SaaS/S+S approach.
Today, providers of SaaS/S+S offer tools to address coexistence with traditional enterprise methods; however, most do not address the security impact. Given this, a data breach or leak could cause IT administrators to ‘remove’ SaaS/S+S access until the problem can be eliminated. All of these new processes and the management overhead of coexistence may very well wipe out the financial benefits. Beyond that, changes to compliance testing for corporate regulations and privacy requirements add startup costs to the deployments.
While CRM integration with traditional enterprise systems has limited points of impact on policy, complete applications such as e-mail and collaboration delivered as S+S will require new processes. SaaS and S+S providers have begun to see these possible deployment issues. New systems that provide ‘shared’ user access control as a service, secure “virtual” links for protected communications, and new methods for secure data protection and replication will help close these gaps.
Knowledge of identity management, network and data security systems and their implementation within the traditional enterprise is assumed, as is an understanding of Software-as-a-service and Software-plus-service offerings aimed at enterprises of all sizes.