SaaS security weaknesses and how to correct them

SaaS applications can provide efficiency and agility, cost savings, and enhanced collaboration especially with suppliers and customers. At the same time, SaaS applications present security challenges because they are typically hosted on third-party infrastructure and run third-party application code.

Public cloud-based software as a service (SaaS) has become a common delivery model for many business applications, including office applications and sales-and-marketing software.

SaaS is best suited for situations with the following requirements:

• Efficiency, velocity, and agility. Business groups want to quickly adopt new applications as well as quickly change from one service provider to another.
• Cost-effective. Short-term licensing offers cost-saving opportunities.
• Better collaboration. Business groups want to collaborate with external customers, suppliers, OEMs, subsidiaries, and acquisitions.

As interest in software-as-a-service grows, so too do concerns about SaaS security. Total cost of ownership used to be the most frequently cited roadblock among potential SaaS customers. But now, as cloud networks become more frequently used for strategic and mission-critical business applications, security tops the list.

Cloud computing resources are more highly concentrated than traditional network systems, in large part because of virtualization technology that allows a single server to hold many virtual machines and potentially the data of multiple customers. There are numerous security risks to look at before adopting software-as-a-service. Here are five problems to consider.

1. Identity management in the cloud is immature

Cloud providers themselves aren’t always sophisticated about integrating their platforms with identity services that exist behind the enterprise firewall. There are some third-party technologies that let IT extend role-based access controls into the cloud with single sign-on. But overall, this is a field that is still in the early stage.

2. Cloud standards are weak

There are two standards, which can check security credentials of cloud services — SAS 70 and ISO 27001. The first one become stand-in benchmark in the absence of cloud-specific standards. It is designed to show that service providers have sufficient control over data. ISO 27001 is better than SAS 70, but still doesn’t give guarantees, that data will be safe.

3. Secrecy

Cloud vendors argue that they are more able to secure data than a typical customer, and that SaaS security is actually better than most people think. But some customers find this hard to believe because SaaS vendors tend to be rather secretive about their security processes. In particular, many cloud service providers release very few details about their data centers and operations, claiming it would compromise security.

4. Access everywhere increases convenience, but also risk

The data is no longer in your walls in the physical sense and in the virtual sense. Maintaining control over e-mails and documents is easier when those files are stored on your local servers, rather than in the cloud. It’s one of the benefits of software-as-a-service, but it’s also one of the downsides.

5. You don’t always know where your data is

Regulations such as the Federal Information Security Management Act (FISMA) require customers to keep sensitive data within the country. Although keeping data within U.S. borders seems like a relatively simple task on its face, cloud vendors will often not make that guarantee.

Solution

The SaaS delivery model for enterprise applications offers efficiency, velocity, agility, cost-effectiveness, and collaboration benefits for many enterprise use cases. To support the increasing demand  has been established several best practices to minimize risk in the cloud:

•  Develop a SaaS security strategy and build a SaaS security  reference architecture that reflects that strategy.
•  Balance risk and productivity.
•  Implement SaaS security controls.
•  Keep up with technology development.

Our SaaS security controls have enhanced security, privacy, and legal compliance at Intel, and we are making it safe for business groups to “go fast” when adopting new SaaS solutions.