As a former CIO, I have implemented and seen the significant benefits of cloud computing, both in the leverage of compute on demand via infrastructure as a service (IaaS) and platform as a service (PaaS) delivery models, and in the use of software as a service (SaaS) applications. In particular, SaaS-based applications are increasingly the way organizations quickly and easily leverage new applications. This is driving tremendous growth and innovation; AngelList has more than 11,000 SaaS startups listed in the U.S., and IDC predicts the SaaS-based market will surpass $112 billion by 2019.
Addressing this IT cloud security challenge is a two-fold challenge.
Changing Roles of IT Professionals
First, while cloud computing and SaaS business models can enable IT organizations to lower infrastructure costs and enable more agility to support customers, they are fundamentally changing the roles of many IT and IT security professionals. For example, in terms of IT security, the use of cloud computing forces IT organizations to give up control of – and visibility into – some of their IT infrastructure. To the degree the organization is leveraging SaaS-based applications, they also have third-parties store and control sensitive data.
Not so long ago, IT security staff worked to protect the organization’s IT perimeter. With today’s new computing and service models, the traditional perimeter no longer exists. Or, if a perimeter does exist, it might include protecting a number (perhaps up to dozens) of third-party cloud service and SaaS application providers.
Confidence in Third-Party Providers
Second, regarding the use of third-party IT cloud service providers (to include more traditional outsourced data center services), organizations need to have confidence these providers are implementing the proper security controls that should match (or at least be similar to) what they would implement within their own data centers in networks. These controls range from physical access for personnel to identity management for system administration access and appropriate network encryption.
A number of nonprofit organizations have been working on standardizing these controls for the industry. Notably, the Cloud Security Alliance (CSA) has developed the Cloud Controls Matrix (CCM), a security controls framework specifically designed for cloud computing. Leveraging CCM, the CSA has developed an auditing, certification and registry program for cloud service providers known as the Security, Trust and Assurance Registry (STAR). The U.S. government has developed a similar model, its FedRAMP program, a means for cloud service providers to meet minimum security control requirements at three different levels. It’s now critical to the security posture of the entire organization for IT security personnel to understand and be able to ensure these control suites are properly implemented.
Yet even if an IT security manager has faith in the control suite of the underlying cloud service provider, what about the case of an organization leveraging a SaaS application? In this case, it is likely that sensitive data will be stored and controlled by the third party and used by organization’s customers or partners so that the data never comes in contact with the organization’s network, firewalls, or any other security device or process controlled by the organization. As a CIO or CISO, this situation presents significant concerns, as SaaS applications can leave one with little visibility and control regarding security of the application and its data. Hence, the second challenge is how to extend an organization’s security policies and controls to public clouds and SaaS applications.
I will cover developments in how to protect sensitive data housed in SaaS applications in next month’s blog.