Total cost of ownership used to be the most frequently cited roadblock among potential SaaS customers. But now, as cloud networks become more frequently used for strategic and mission-critical business applications, security tops the list.
"Security is the No. 1 reason preventing firms from moving to SaaS," Forrester analyst Liz Herbert writes in a recent report on software-as-a-service adoption.
Cloud computing resources are more highly concentrated than traditional network systems, in large part because of virtualization technology that allows a single server to hold many virtual machines and potentially the data of multiple customers.
If a server that has been hacked holds 15 virtual machines, "now 15 machines are at risk rather than one at a time," says Gartner analyst Neil MacDonald.
There are numerous security risks to look at before adopting software-as-a-service. Here are five problems to consider.
1. Identity management in the cloud is immature
Cloud providers themselves aren't always sophisticated about integrating their platforms with identity services that exist behind the enterprise firewall, says Forrester analyst Chenxi Wang. There are some third-party technologies that let IT extend role-based access controls into the cloud with single sign-on, from Ping Identity and Symplified, Wang says.
But overall, "this is a field that is still in the early stage," she says.
Google has a "Secure Data Connector" that forms an encrypted connection between a customer's data and Google's business applications, while letting the customer control which employees may access Google Apps resources. Salesforce provides a similar tool, Wang says.
But this approach may become unwieldy because customers that use numerous SaaS applications could find themselves dealing with many different security tools, she notes. Third-party products at least offer the advantage of connecting to many different types of SaaS applications.
Identity and access management in the cloud has a long way to go, according to the Cloud Security Alliance, an industry group.
"Managing identities and access control for enterprise applications remains one of the greatest challenges facing IT today," according to research from the Cloud Security Alliance. "While an enterprise may be able to leverage several cloud computing services without a good identity and access management strategy, in the long run extending an organization's identity services into the cloud is a necessary prerequisite for strategic use of on-demand computing services."
Unfortunately, the evolution of SaaS has outpaced efforts to build comprehensive industry standards, the Cloud Security Alliance says. Specifically, the group says there is "limited proprietary support for user profiles," and industry standards including Service Provisioning Markup Language (SPML) have not been significantly updated in several years.
2. Cloud standards are weak
"We've completed a SAS 70 audit" is one of the first things you'll hear from any cloud vendor touting its security credentials. SAS 70 is an auditing standard designed to show that service providers have sufficient control over data. The standard wasn’t crafted with cloud computing in mind, but it’s become stand-in benchmark in the absence of cloud-specific standards.
Better than SAS 70 is ISO 27001, an information security specification published by the International Organization for Standardization in Switzerland, analysts say.
While completing a SAS 70 audit is "more of a self-imposed exercise," ISO 27001 is a fairly comprehensive standard that covers a lot of the operational security aspects that customers might be concerned about, Wang says. "That to me is at least a starting point to evaluate how mature a SaaS provider is," she says.
ISO 27001 "is not perfect but it's a step in the right direction," MacDonald says. "It's the best one out there, but that doesn't mean it's sufficient."
There's no guarantee that your data will be safe with an ISO 27001-compliant vendor, however. One survey of IT managers commissioned by CA found numerous companies that claim to be compliant with ISO 27001 yet "admit to bad practices with regard to privileged user management," including sharing of administrator accounts between users and granting broader privileges to users than is necessary.
The case of Google engineer David Barksdale further illustrates the problem that companies may not follow their own guidelines. Google, like other vendors, have strict privacy policies for their employees. But those policies reportedly did not prevent Barksdale from accessing Google Voice call records and Gmail and Google Chat accounts of several Google users, and he was subsequently fired.
Cloud vendors argue that they are more able to secure data than a typical customer, and that SaaS security is actually better than most people think. But some customers find this hard to believe because SaaS vendors tend to be rather secretive about their security processes.
In particular, many cloud service providers release very few details about their data centers and operations, claiming it would compromise security. However customers and industry analysts are getting fed up with all the unanswered questions and hush-hush nondisclosure agreements.
Analysts in Gartner's Burton Group recently accused Amazon CTO Werner Vogels of not being transparent enough about Amazon's internal security practices. In general, the analyst firm says customers should assume the worst-case scenario in terms of security when a vendor is being secretive.
"If a vendor is not being transparent, it's not that we distrust them, it's that they haven't given us enough evidence to trust them," MacDonald says.
Microsoft has done a pretty good job publishing details about its cloud security model, MacDonald believes. When vendors are not transparent, customers need to be aggressive in demanding details about how data centers are secured and how vendors segregate data in multi-tenant systems.
"The question is how are they delivering multi-tenancy," MacDonald says. "Give me technical details, all the way up and down the stack, from the application itself down into the application where data is stored. … I want to understand how my stuff is kept separate from [other customers'] stuff."
The ability to analyze the security of SaaS applications is more limited than the ability to analyze the security of in-house systems, but that shouldn't prevent customers from demanding proof of vendor claims.
In a report titled "Analyzing the Risk Demands of Cloud and SaaS Computing," Gartner analyst Jay Heiser advises "Be skeptical of vendor claims, and demand written or in-person evidence."
Service-level agreements (SLA) have sometimes proven deceptive or confusing. But at least in theory, enterprises should be able to receive strong guarantees in SLAs, particularly if they have the time and expertise to negotiate with the vendors beforehand.
"The entire software-as-a-service environment is really driven by SLAs," says CTO Joe Coyle of technology consulting and outsourcing firm Capgemini. "If you really think about it, there's nothing you would do in SaaS that isn't SLA-based."
In some cases, if the vendor is willing, a customer may be able to bring in its own experts and attempt to hack the vendor's network in order to test security, Coyle says.
4. Access everywhere increases convenience, but also risk
One major benefit of software-as-a-service -- that business applications can be accessed wherever there is Internet connectivity -- also poses new risks. Coupled with the proliferation of laptops and smartphones, SaaS makes it even more important for IT shops to secure endpoints.
"Because of the nature of SaaS, it's accessible anywhere," Senior Vice President Rowan Trollope of Symantec Hosted Services notes. "If I decide to put my e-mail on Gmail, an employee could log in from a coffee shop on an unsecured computer. It's one of the benefits of software-as-a-service, but it's also one of the downsides. That endpoint isn't necessarily secure. The data is no longer in your walls in the physical sense and in the virtual sense."
Maintaining control over e-mails and documents is easier when those files are stored on your local servers, rather than in the cloud, Trollope says.
Enterprises that make use of SaaS need to implement policies to control connectivity, MacDonald says. A customer could, for example, work with the SaaS vendor to make sure a service can be accessed only from certain IP addresses, and require remote users to go through a VPN, he says.
Access can also be regulated by using secure Web gateway appliances from Cisco or Blue Coat, which broker the connection between a customer and cloud services. In one simple example, a company could allow employees access to Facebook, but block the chat feature. The approach of blocking access to certain types of functionality can be applied to business-focused cloud services as well, MacDonald notes.
There is also the problem of employees accessing SaaS products without IT knowledge. The keys to preventing this, Wang says, are educating employees and using various network monitoring and Web filtering technologies.
5. You don't always know where your data is
Regulations such as the Federal Information Security Management Act (FISMA) require customers to keep sensitive data within the country. Although keeping data within U.S. borders seems like a relatively simple task on its face, cloud vendors will often not make that guarantee.
In highly virtualized systems, data and virtual machines can move dynamically from one country to another in response to load balancing needs and other factors. Google, for example, would note that if an end user in California goes on a business trip to London, it's better (or at least faster) for that user's data to be served up by a data center in Europe.
Google Apps has received FISMA certification for its government cloud, but that same guarantee is not available to private industry. This isn't just a problem for U.S. customers either.
"If you're in Switzerland, that's just a law, period," Trollope says. "If they can't guarantee that information will be on servers in Switzerland, that's a non-starter."
"The typical SaaS vendors have held the view that it doesn't matter where the servers are," he continues. "We understand your laws, but the Internet doesn't work that way."
Symantec, which has data centers in 14 countries, does offer an in-country guarantee, according to Trollope.
But this is still considered a relatively rare feature. Even if data stays within a country, customers need to be able to verify the data's location in order to meet regulatory requirements. That's why EMC says it is developing technology to track and verify the location of virtual machines in cloud networks. But this technology will not hit the market until early next year, and it requires integration between EMC, VMware and Intel products.
"Right now, there's nothing that provides any verifiability of where a virtual machine lives," says Chad Sakac, vice president of the VMware technology alliance at EMC. "There's nothing stopping you from moving a VM from one place in the world to somewhere else, and more importantly, there's no way to audit that at any sort of scale."
Follow Jon Brodkin on Twitter: www.twitter.com/jbrodkin
Read more about software in Network World's Software section.
This story, "5 Problems with SaaS Security" was originally published by Network World.