SaaS, Security and the Cloud: it's All About the Contract

Security practitioners have learned the hard way that contract negotiations are critical if their SaaS, cloud and security goals are to work. A report from CSO Perspectives and SaaScon 2010.

By Bill Brenner
Wed, April 07, 2010

CSO — The term Software as a Service (SaaS) has been around a long time. The term cloud is still relatively new for many. Putting them together has meant a world of hurt for many enterprises, especially when trying to integrate security into the mix.

During a joint panel discussion hosted by CSO Perspectives 2010 and SaaScon 2010 Wednesday, five guys who've been there sought to help attendees avoid the same ordeal. Perhaps the most important lesson is that contract negotiations between providers are everything. The problem is that you don't always know which questions to ask when the paperwork is being written.

Panelists cited key problems in making the SaaS-Cloud-Security formula work: SaaS contracts often lack contingency plans for what would happen if one or more of the companies involved suffer a disruption or data breach. The partners -- the enterprise customer and the vendors -- rarely find it easy getting on the same page in terms of who is responsible for what in the event of trouble. Meanwhile, they say, there's a lack of clear standards on how to proceed, especially when it comes to doing things in the cloud.

Add to that the basic misunderstandings companies have on just what the cloud is all about, said Jim Reavis, co-founder of the Cloud Security Alliance.

"It's important we understand there isn't just one cloud out there. It's about layers of services," Reavis said. "We've seen an evolution where SaaS providers ride atop the other layers, delivered in public and private clouds."

Somewhere in the mix, plenty can go wrong.

"If you're in a public cloud situation and Company B is breached, a lot of finger pointing between that company and different partners will ensue," Reavis said. "If this isn't covered in the terms of agreement up front, you have no hope of recovering data (or damages)."

Security vendors can be part of the problem as well. In a recent CSO article about five mistakes one such vendor made in the cloud, Nils Puhlmann, co-founder of the Cloud Security Alliance and previously CISO for such entities as Electronic Arts (ERTS) and Robert Half International, noted that the vendor -- who was not named -- did "everything you can possibly do wrong" when rolling out the latest version of its SaaS product, leading to users uninstalling their solution in large numbers.

Customers using a particular version of the SaaS product were caught unaware when the vendor decided to roll out a new version through the cloud. It was done in a way where, at the moment of the upgrade, any new endpoint that was added to be managed automatically got the new version. Customers were not asked or notified, and were forced into a mixed-version environment as a result. "In the past, I as a customer was able to choose if I wanted to do this, and I could choose the timing," he said at the time. "Here, there was no control, no timing or notification."

Originally published on www.csoonline.com.