Cloud Security: Myths Busted - What Chief Security Officers Need To Know


I found a very good White Paper on Cloud Security entitled Cloud Security Myths and Strategies Uncovered. I think the best way to start off is with the opening quote from the White Paper itself:

“In today’s evolving information economy, cloud computing offers immense opportunity. Whether companies have started their cloud journey or not, security concerns remain the largest inhibitor to adoption. Concerns around control, data privacy, and security abound. However, the technology and expertise required to build a trusted cloud is closer than imagined. Progressive CSOs are embracing a new strategic role as a true business enabler in partnership with business leaders, to make sure that the trusted cloud becomes a reality and enterprises can capitalize on cloud technology.”

Security concerns still abound with Cloud Computing, and a fair number of adopters still opt for a private cloud environment. However, there is a trend towards a more hybrid approach, allowing enterprises to take advantage of the cost savings a public cloud provides. A majority of IT professionals surveyed indicated that their top priority was managing access to the data in the cloud. The White Paper suggests that “Virtualization” provides better visibility than older legacy systems.

The White Paper then lists the three major Myths about Cloud Computing and provides the answer that debunks each one:

1. The Cloud simply cannot be secure – YES IT CAN.

2. Cloud Security is a new challenge – NO IT’S NOT.

3. Compliance equals security – not necessarily … it is only an “as of” date.

The authors state that a successful and secure Cloud is one that has “Trust” as its foundation. The Trust Equation is as follows:

Control + Visibility = Trust

Control

- Availability: Ensure access to resources and recovery following interruption or failure.

- Integrity: Guarantee only authorized persons can use specific information and applications.

- Confidentiality/privacy: Protect how information and personal data is obtained and used.

Visibility

- Compliance: Meet specific legal requirements and industry standards and rules.

- Governance: Establish usage rights and enforce policies, procedures, and controls.

- Risk management: Manage threats to business interruption or derived exposures.

The White Paper goes on to say that the key to obtaining the visibility needed to control the Cloud is Virtualization: “Virtualization consolidates multiple physical components into a logical view so they can be administered from one place. This alleviates the complexity of managing and monitoring multiple moving parts across internal and external infrastructure.”

When it comes to building a trusted cloud, the White Paper’s Checklist for Your Trusted Cloud is as follows:

- Use virtualization as your foundation.

- Build control and visibility into your security framework.

- Extend your security perimeter to include applications and endpoints.

- Adopt the three-layer controls framework: controls enforcement, controls management, and security management.

- Select a cloud vendor with offerings that can meet enterprise-class cloud security requirements across private and public clouds.

- Ensure services are secured to a common standard, in a transparent and auditable fashion.

- Tap prescriptive guidance from industry coalitions such as the Cloud Security Alliance (www.cloudsecurityalliance.org).

A Comprehensive SaaS Security Solution by McAfee

Alex Goldman reports for Internetnews.com on McAfee’s recent announcement of its latest SaaS security software, Total Protection Service 5.0, in his article McAfee Embraces SaaS Security. McAfee’s senior vice president and general manager for SaaS, Marc Olesen, is quoted:

“The SaaS security market is growing a little over 30 percent per year, three or four times faster than the on premises security software market”.

McAfee feels that the competitive advantage of Total Protection Service 5.0 is its comprehensive feature set, covering DLP, compliance, vulnerability scanning, e-mail, network protection, and endpoint protection. Its competitors in this marketplace are Symantec and Trend Micro. Although SMBs will find the product’s “Security Center” straightforward and easy to use, the solution is not meant for the SMB market alone; McAfee plans to market it to large enterprise customers as well. One interesting feature of the new product is that vulnerability testing can be performed from outside the network, at public points of presence (POPs) at ISPs, something that cannot be done with on-premise software. Pricing will be per user, subject to the number of modules employed, with quantity discounts available. McAfee envisions that some enterprises may choose a mix of the protections its product provides alongside any competencies the enterprise builds on its own.

Obama Appoints IT Security Czar

Michael Markulec, COO of Lumeta Corporation, writes in CIO Update that the Obama Administration has appointed Melissa Hathaway as Advisor to the President on National Cyber Security. For a more comprehensive review of the appointee and her relationship to the Bush Administration, see Siobhan Gorman’s article in the Wall Street Journal, Hathaway to Head Cybersecurity Post. Markulec is all for the newly created position. He points to the disconnect between the federal government and the private sector when it comes to our infrastructure and the control systems in these most important industries. He states the obvious: their connection to the internet leaves us open to cyber-attack. He also touts Hathaway’s concern that simple hand-held devices can be used to conduct foreign and industrial espionage.

I’m sorry, but I just don’t see anything new or any quantum leap towards more effective cyber security from this newly created position. But one only needs to read further and the newness becomes apparent. Markulec predicts, and I agree with him, that new regulations are on the way. He compares the coming regulations for the IT community and the CIO to the Sarbanes-Oxley legislation aimed at corporate CFOs. Well, I guess we all know how that went. Do we really need more regulations, or do we just need enforcement of the existing laws? If we are using our latest string of financial debacles as our guide, I guess arguments can be made for both sides. Some might say that if Congress hadn’t blocked the creation of regulations for Freddie Mac and Fannie Mae we might not have had the subprime mortgage meltdown. Others might argue that if the SEC had only investigated and enforced its own existing regulations, the Bernie Madoff Ponzi scheme would have been discovered much sooner, with less devastating financial losses for investors.

I think the Obama Administration may have tipped its hand at what may or may not be coming down the pike as it relates to cyber security, and that, I am afraid, is more of the same. Gorman reports that James Jones, National Security Advisor, has requested a further study on cyber security. Hathaway is tasked with conducting this 60-day study. And so the end result will be a study that collects and discusses issues that are apparently already known. Will the ends justify the means? Will we have tougher regulations for CIOs, as Markulec predicts, and if we do, will they be enforced and make any difference? That remains to be seen.

SaaS Vendors: A Legal Checklist

Due to the differences between traditional “on premise” software licensing and the newer software as a service (“SaaS”) offering, adjustments were bound to be required in how the software customer contracts for these services. We owe a debt of gratitude to Gene Landy with the law firm of Ruberto, Israel & Weiner, P.C. in Boston, MA. Landy has put together a list of 8 items in his article 8 Legal Tips for SaaS Vendors that should be considered by the SaaS vendor while developing its SaaS offering. Including some or all of these tips in your contract may be a smart decision. Here is a brief summary of those legal tips:

1. Look for restrictions in your own software licenses: As you develop your offering, check whether your licenses prohibit use as a service bureau or restrict remote access or use as an Application Service Provider. You wouldn’t want your SaaS application to be in violation of any of these restrictions.

2. Has your contract model evolved? Initially the SaaS offering came in a two-part form: first a software license and then a hosting agreement. Today the more common contract model is to treat the offering as a subscription and not mention licensing in the agreement.

3. The Tax Man: Your customers may be interested to know that most states do not levy a tax on services as they do on the sale of a license.

4. Trials: The SaaS vendor could include a trial period bundled into the subscription agreement.

5. Required upgrades limit the SaaS vendor’s maintenance costs: Require customers to upgrade and eliminate having to maintain prior releases.

6. Security: It is fine to tout your security measures, but never promise 100% guaranteed data protection. This is IT after all, and you are using the internet.

7. Consider SAS 70 as a selling feature: You can provide your customers with an extra level of comfort, and some of your customers may actually require a SAS 70 certification. This is a certification performed by an outside accounting firm which attests to the accuracy and security a vendor provides; the certification states that the controls are adequate.

8. Data Breach Notification: In the event of a data breach, most states require that a notification be sent to the subjects of the breach. Make sure that your customers do not attempt to place such an obligation upon you; the costs could be prohibitive.

This is by no means an all-inclusive list, but Landy has hit some key issues. I found it very informative and helpful.

SaaS Contracting: Tips Leading to the Decision and What to Include in the Agreement

There are many items to consider before deciding to adopt a SaaS approach to your IT operation. Marcia Gulesian, a software developer, project manager, CTO, CIO, and author of numerous feature articles on IT, has captured the salient points in her article SaaS: Financial, Legal & Negotiation Issues. As the title of her article suggests, the financial implications should be addressed first. Gulesian has a very descriptive section on the differences between buying the software application and leasing it. She discusses the difference between owning an asset, with the tax advantage of deducting its depreciation, and the leasing option. There is a brief explanation of the cash flows of the two alternatives, of finding your opportunity cost, and of making your determination by comparing the present value of the cash flows from the cost of owning with the present value of the cash flows from the cost of leasing. Before we go too far afield, my readers can attest to the fact that I always try to define our terms before delving into the nuances that the subject line suggests.
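As an added illustration (this is not code from Gulesian’s article or from this blog), the owning-versus-leasing comparison she describes can be worked through in a few lines. The helpers below build the after-tax cost stream of each alternative, discount it at the opportunity cost of capital, and report which present value is lower. The dollar figures, the five-year term, the straight-line depreciation schedule, and the tax and discount rates are constructed assumptions for the example, not numbers from the page.

```python
from typing import Dict, List


def present_value(cash_flows: List[float], rate: float) -> float:
    """Discount a series of cash flows to today.

    cash_flows[0] happens now (t = 0); cash_flows[t] happens at the end of
    year t. `rate` is the opportunity cost of capital used as the discount rate.
    """
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def owning_cost_flows(purchase_price: float, annual_maintenance: float,
                      years: int, tax_rate: float) -> List[float]:
    """After-tax cost stream for buying the software outright.

    The purchase price is paid up front. Each year the owner pays maintenance
    and support (deductible) and recovers part of the purchase price through
    the depreciation deduction. Straight-line depreciation over the term is an
    assumption made for this example.
    """
    depreciation = purchase_price / years
    flows = [purchase_price]
    for _ in range(years):
        after_tax_maintenance = annual_maintenance * (1.0 - tax_rate)
        depreciation_tax_shield = depreciation * tax_rate
        flows.append(after_tax_maintenance - depreciation_tax_shield)
    return flows


def saas_cost_flows(annual_subscription: float, years: int,
                    tax_rate: float) -> List[float]:
    """After-tax cost stream for subscribing to the SaaS offering.

    No up-front purchase; the subscription fee (which already bundles
    maintenance and support) is treated as a deductible operating expense.
    """
    flows = [0.0]
    for _ in range(years):
        flows.append(annual_subscription * (1.0 - tax_rate))
    return flows


def compare_own_vs_saas(purchase_price: float, annual_maintenance: float,
                        annual_subscription: float, years: int,
                        tax_rate: float, discount_rate: float) -> Dict[str, object]:
    """Return the present value of each alternative's cost and the cheaper one."""
    pv_own = present_value(
        owning_cost_flows(purchase_price, annual_maintenance, years, tax_rate),
        discount_rate)
    pv_saas = present_value(
        saas_cost_flows(annual_subscription, years, tax_rate), discount_rate)
    return {
        "pv_own": round(pv_own, 2),
        "pv_saas": round(pv_saas, 2),
        "cheaper": "saas" if pv_saas < pv_own else "own",
    }


if __name__ == "__main__":
    # Constructed sample figures: a $100,000 perpetual license with $18,000/yr
    # maintenance and support, versus a $30,000/yr subscription, over five
    # years, at a 30% tax rate and an 8% opportunity cost of capital.
    print(compare_own_vs_saas(purchase_price=100_000.0,
                              annual_maintenance=18_000.0,
                              annual_subscription=30_000.0,
                              years=5, tax_rate=0.30, discount_rate=0.08))
```

With the sample figures the subscription comes out cheaper on a present-value basis; lengthening the term, lowering the maintenance fee, or raising the discount rate moves the answer, which is exactly why Gulesian has you compare discounted cash flows rather than sticker prices.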

Wikipedia’s definition of SaaS is very complete yet succinct:

“Short for Software as a Service, SaaS is a software delivery method that provides access to software and its functions remotely as a Web-based service. SaaS allows organizations to access business functionality at a cost typically less than paying for licensed applications since SaaS pricing is based on a monthly fee. Also, because the software is hosted remotely, users don't need to invest in additional hardware. SaaS removes the need for organizations to handle the installation, set-up and often daily upkeep and maintenance. Software as a Service may also be referred to as simply hosted applications.”

I also have a posting in this blog, which I must admit has become quite popular based on the number of hits registered to it, entitled SaaS is the Future.  In it I discuss how a Managed Service Provider (“MSP”) can help software developers get their product to the market faster since the infrastructure barriers and capital expenditures are significantly lessened.  In another posting about Unified Communications I have quoted Mat Taylor, a senior software architect with British Telecom, regarding the benefits of SaaS:

"The ability to get things done faster, get workers more engaged in a business scenario, provide better customer service, are all big productivity wins that benefit the bottom line"

In light of the above discussion of “lower total cost of ownership and quicker time-to-value”, Gulesian cautions that the financial calculation must also include the maintenance and support fees that come with ownership, whereas the SaaS fee already includes these items.

SO WHAT DO I INCLUDE IN THE SAAS CONTRACT?

Gulesian points out three areas that must be addressed in the contract:

- Integration with your non-SaaS systems

- Loss of control of data

- Dependence on the provider for security

The CIO and his or her team are the main players to address the integration issue.  Although the next two points also require the IT organization’s participation and input, these are matters that must be addressed upfront in the agreement itself.

Risk of loss of your data is paramount. In the event that the SaaS provider is unable to provide the support anticipated, it is essential that you have access to the applications as well as your proprietary data. A provider may become unable to provide support for a myriad of reasons, such as bankruptcy or a real or threatened patent infringement claim and subsequent injunction. The preferred approach to protect against such loss is to insist that the provider place its code into escrow. Language can be drafted which instructs the trustee of the escrow (an independent and trusted third party) to release the code to the beneficiary (i.e. you) upon the happening of certain events defined in the escrow language of your SaaS agreement. One shortcoming of this arrangement is the downtime that may be involved in getting your systems up and running, but it is a necessary protection that you must include in your contract.

Transition assistance is another item to consider.  In the future you may wish to change the SaaS application currently in use.  Language should be included to require the provider’s assistance in developing the data migration strategies and the procedures to be followed so you can move your data to another application.

Since the SaaS model is economical by nature (see the Wikipedia definition above), traditional discounts should not be expected. Pricing is based on users or seats. The more users subscribed, the more likely the cost per user can be discounted. So plan accordingly and try to build in volume discounting per block of users.

Other items Gulesian notes for inclusion in the agreement are:

- Service Level Agreements (SLAs) regarding

  - Availability

  - Response times

  - Notifications of outages

- Regulatory compliance

- Data integrity

- Data privacy

- Frequency of backups

- Disaster recovery

Gulesian’s article hits the main points and I highly recommend it to my readers.