MichaelDortch
Tera Contributor

Loved the Mayweather-Pacquiao fight. Not because of the fight, but because of the technological issues it raised.


The Associated Press, among other news sources, reported that last-minute demand was so high for pay-per-view access to the bout that its start had to be delayed while cable and satellite providers tried to deliver. Meanwhile, many viewers eschewed legitimate pay-per-view access entirely, choosing to view live streams of the fight provided by viewers with smartphones and applications such as Meerkat and Twitter's recently acquired Periscope.


The key takeaway here was that traditional providers of pay-per-view events were woefully unprepared for the actual demand levels they experienced, and for dealing with alternative viewing options not blessed by those providers. And this, to me, speaks directly to the many enterprise IT and security decision makers who are wrestling with the need to secure their software-as-a-service (SaaS) applications effectively.


In May 2014, the consulting arm of Forrester Research published the results of a survey of 150 US-based organizations focused on SaaS security. Adallom, a provider of security solutions for SaaS applications, commissioned the survey. Here are some of the most noteworthy findings, quoted directly from Forrester Consulting's executive summary.


"SaaS adoption cannot be ignored. SaaS applications are now included as a prominent piece of IT portfolios across industries. Furthermore, in addition to applications supported by IT, a crop of shadow IT applications introduced by individuals or lines of business are also a large piece of the equation, presenting business opportunities and insights, as well as new and heightened security risks.


"IT decision-makers have a false sense of comfort with existing controls for SaaS security. The security decision-makers [sic] we surveyed expressed confidence in the ability of their existing controls, such as firewalls and VPNs [virtual private networks], to protect digital assets in SaaS applications. This confidence is ill placed, however, as SaaS adoption and BYOD [bring your own device] are conjoined, introducing new vulnerabilities that legacy security tools simply don't address, such as those used in data protection and configuration management.


"Many SaaS customers do not understand the division of security responsibilities. Despite an overarching sense of confidence in their comprehension of SaaS security responsibilities, security professionals struggle with the specifics of their contractual agreements and mistakenly place the onus of usage integrity and data loss prevention on their SaaS providers.


"IT security is a shared responsibility best addressed by seamless integration of SaaS provider and customer tools. Security is no longer the sole domain of IT departments; it is instead a shared responsibility between multiple stakeholder groups (including, but not limited to, IT security, business stakeholders, IaaS [infrastructure as a service] providers, and SaaS providers) as new technologies take hold. Seamless integration of security tools on both the user and cloud provider sides, with advanced capabilities such as behavioral analytics, are often viewed by forward-thinking security professionals as components of a solution to this challenge."


Here's another of my favorite quotes from the survey report. "71 [percent] of security decision-makers say they understand their accountability for SaaS security, but this figure diminishes significantly when specific aspects such as liability and division of responsibilities are dissected."


If your enterprise uses ServiceNow, you already have a strong head start on addressing the concerns raised by the Forrester/Adallom survey. But whether you're using ServiceNow or not, if your enterprise is using or considering SaaS solutions, you and your colleagues need to revisit, revise, and replace many traditional approaches to information and network security. The ways you've been doing things and the tools you've been using are not sufficient for an environment moving toward "everything as a service."


You need to update and integrate your security tools, processes, and policies, so that your enterprise can deliver security as a service consistently and effectively. And that consistent, effective security must extend across your entire enterprise and to all of its customers, partners, and affiliates.


Think about it like the training for a championship boxing match. The work may be grueling and sometimes boringly repetitive. But not doing it guarantees failure. And the payoffs for all that effort can be truly astounding.