SaaS and security compete for business priority

by Anthony James
March 31, 2009 at 9:44 am

Web 2.0 and SaaS providers have finally fulfilled the promise that ASPs made a decade ago: widespread business adoption of "applications for hire." Their success rests on several things that were out of reach for the original ASP attempt. How is this possible? Quite simply, advances in browser technology and simplified Web-based application development using a lightweight client give these providers a universal delivery platform. The second piece of the puzzle is the "eye candy" and customization that users expect, which the earlier generation of "agentless" Web-based applications could not deliver. Finally, simplified deployment also helps. Given the capability of these applications, the growing need for focused tools and the thin stretch of IT resources, it is no wonder that many companies are seeking hosted, turn-key solutions.

So, the fundamental question surrounding adoption of this technology is, "How does this comply with security policies?" and, more importantly, "Do IT managers need to adjust security tools and safeguards so that department managers can use these tools?" The answer is an overwhelming "Yes!" Adopting hosted applications will have an impact on security that can range from minimal to significant, depending on what data leaves the organization and who can reach it once it has.

Intellectual property leakage is a definite concern. If your engineering, finance, operations, management or other departments are seeking hosted tools, what kind of confidential information ends up held outside the corporation's boundaries (in this case, IT's boundaries)? It could be anything from product plans, financial statements and HR records to product shipment data, and the list goes on. If this information is critical to the business, is it acceptable to host it outside the company? Chances are the answer is no, so what can you do to prevent this type of policy violation?

This is where an integrated, network-based DLP technology can provide the appropriate protection mechanisms. By keying on some aspect of the data (a keyword within the contents, a watermark embedded in corporate documents, a pattern such as an account or social security number), the DLP technology can trigger an action, such as blocking or logging the transfer, to prevent the leak. To truly enforce the policy, the DLP solution must detect the content in transit and act on it before it leaves the corporate boundary, which means inspecting multiple protocols, applications and traffic types, and unwrapping the encodings and compression that users apply when they try to circumvent these safeguards.
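The following is an added example, not code from the original article or from any vendor product, of the content-keying logic described above: a minimal outbound inspector that blocks a transfer if it carries a hypothetical corporate watermark string, a classification label or a US social security number pattern. The watermark value, the rule set and the sample "product plan" payload are all constructed for illustration. The check also peels off base64 and gzip wrapping (up to a small depth) so that a simple re-encoding of the document does not slip past the keyword match, which is the circumvention the paragraph warns about.

```python
"""Added example: a small network-style DLP content check for outbound payloads.

Not from the original article. The watermark, rules and sample data are
hypothetical. Policy: block any payload that matches a rule, after trying to
unwrap base64 and gzip layers that a user might apply to evade inspection.
"""
import base64
import binascii
import gzip
import re
import zlib
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Hypothetical watermark that an internal document template would embed.
CORP_WATERMARK = "ACME-INTERNAL-WM-7F3A"

# Policy rules (name -> compiled pattern), evaluated against a text view of the data.
RULES = {
    "watermark": re.compile(re.escape(CORP_WATERMARK)),
    "classification_label": re.compile(r"\b(?:CONFIDENTIAL|PROPRIETARY)\b", re.I),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

MAX_DEPTH = 3  # bound on nested unwrapping so a decoding bomb cannot stall the inspector


@dataclass
class Verdict:
    action: str           # "allow" or "block"
    rules_hit: List[str]  # names of the rules that matched, in RULES order
    layers: List[str]     # decoding steps applied before the match (outermost first)


def _candidate_views(payload: bytes, depth: int = 0,
                     layers: Optional[List[str]] = None) -> Iterator[Tuple[bytes, List[str]]]:
    """Yield the payload as-is, then every plausible decoded form of it."""
    layers = layers or []
    yield payload, layers
    if depth >= MAX_DEPTH:
        return

    # gzip wrapper: identified by the 1f 8b magic bytes.
    if payload[:2] == b"\x1f\x8b":
        try:
            inner = gzip.decompress(payload)
        except (OSError, EOFError, zlib.error):
            inner = None
        if inner is not None:
            yield from _candidate_views(inner, depth + 1, layers + ["gzip"])

    # base64 wrapper: whitespace-stripped body must be the base64 alphabet with
    # padding that lines up; strict decoding rejects near-misses such as prose.
    compact = re.sub(rb"\s+", b"", payload)
    if (len(compact) >= 16 and len(compact) % 4 == 0
            and re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", compact)):
        try:
            inner = base64.b64decode(compact, validate=True)
        except binascii.Error:
            inner = None
        if inner is not None and inner != payload:
            yield from _candidate_views(inner, depth + 1, layers + ["base64"])


def inspect_outbound(payload: bytes) -> Verdict:
    """Return the policy verdict for one outbound payload (e.g. an upload body)."""
    for view, layers in _candidate_views(payload):
        text = view.decode("utf-8", errors="replace")
        hits = [name for name, rx in RULES.items() if rx.search(text)]
        if hits:
            return Verdict("block", hits, layers)
    return Verdict("allow", [], [])


# Constructed sample document: a watermarked, labelled plan with an SSN in it.
SAMPLE_PLAN = (
    "CONFIDENTIAL - Q3 product plan\n"
    f"{CORP_WATERMARK}\n"
    "Employee SSN on file: 123-45-6789\n"
).encode()

# Constructed benign traffic that must not be blocked.
SAMPLE_BENIGN = b"Lunch menu for Friday: tacos"


if __name__ == "__main__":
    for label, body in [
        ("plain", SAMPLE_PLAN),
        ("base64", base64.b64encode(SAMPLE_PLAN)),
        ("gzip", gzip.compress(SAMPLE_PLAN)),
        ("base64(gzip)", base64.b64encode(gzip.compress(SAMPLE_PLAN))),
        ("benign", SAMPLE_BENIGN),
    ]:
        print(f"{label:13s} -> {inspect_outbound(body)}")
```

The point of the layered decoding is that a keyword rule alone is only as good as the inspector's view of the bytes: the base64 and gzip forms of the same document match nothing until they are unwrapped. A production DLP engine does the same for the far larger set of containers it understands (archives, office file formats, multipart uploads), which is why protocol and file-type coverage matters as much as the rule set.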

Now, if your policy does allow some corporate confidential or proprietary information into SaaS applications, the need for DLP shrinks but does not go away: some information may be acceptable to host with a SaaS provider, while other information should never leave the company. So if some SaaS use is acceptable, are there other concerns to consider? Again, yes. Consider a user base that includes remote users (obviously one of the attractions of SaaS). Can you be 100 percent sure that their systems are free of compromise (trojans, viruses, spyware, etc.)? If an infected user uploads a shared document, that document can carry the infection to every corporate user who later opens it. This is again a concern for the corporation and highlights the need for a solution that can detect malicious code injected into documents and files.

Unless your SaaS vendor provides real-time document scanning for these types of threats, you will need to deploy a solution that inspects data and documents transferred to and from these Web 2.0 sites, so that content collaboration stays trouble-free.

Author bio: Anthony James is Fortinet's vice president of products.