Welcome!

Java IoT Authors: Yeshim Deniz, Pat Romanski, Liz McMillan, Zakia Bouachraoui, Carmen Gonzalez

Related Topics: @CloudExpo, Java IoT, Cloud Security

@CloudExpo: Blog Post

Achieving a Secure Cloud Infrastructure for Enterprise SaaS Applications | @CloudExpo #Cloud

Simplifying security for SaaS applications

Software as a Service (SaaS) is a model that has become a popular choice for deploying enterprise applications, delivering efficiencies and value to organizations in many ways. The benefits SaaS solutions deliver include not only avoiding the major resource drain and licensing costs associated with deploying business-critical software across the organization, they also relieve IT from ongoing maintenance tasks associated with on-premise deployments, such as performing upgrades, installing patches and managing availability. Moreover, SaaS can enhance flexibility and scalability for enterprise applications and workloads. Of course, while these benefits gained from adopting SaaS solutions in the enterprise are significant, they must nevertheless be balanced against potential risks. In particular, consideration must always be given as to whether cloud applications are sufficiently secure.

A use case for enterprise SaaS: Customer communications in regulated industries
One use case for which SaaS applications have the potential to deliver numerous advantages is customer communication management (CCM) in regulated industries. To meet compliance rules and regulations applicable to customer communications, organizations typically face inflexible formatting requirements and document models as well as tight deadlines. In many cases, the processes relied on to ensure that customer communications are compliant are manual and labor intensive. The complexity of the task is compounded by the need to manipulate individual file structures, account for duplication of content and engage in coordination with outside agencies. Mistakes are costly, because failure to remain in full compliance risks having to pay significant financial penalties or becoming subject to legal action.

Adopting an automated SaaS workflow can avoid these hurdles by leveraging accurate, preset processes instead of time-consuming, error-prone and expensive manual activities. Dynamic formatting can replace manual layout methods, eliminating the need for outside agencies or dedicated internal staff for this process. Centralization of content will streamline its management, add control, provide visibility into the workflow process and significantly reduce costs. As a result, time-to-market can be improved.

Of course the most important advantage to be gained from automating previously manual processes for regulated communications is that it will ensure that customers receive timely, compliant and effective documents that enhance the customer experience and loyalty.

Cloud security - A critical consideration in regulated industries
While the advantages of using SaaS applications for CCM in regulated industries are clear, it's also the case that the workflows in these organizations routinely involve sensitive customer data. For that reason, security tops the list of priorities that should be addressed in considering a SaaS solution.

A recent survey by the Ponemon Institute found that enterprises storing sensitive or confidential business data in the cloud environment made a number of common mistakes when it comes to ensuring security, including:

  1. Most companies are not evaluating SaaS applications for security prior to deployment.
  2. IT is in the dark about cloud services in their organizations. Instead, procurement and cloud users are responsible for cloud security.
  3. Cloud deployment strategies often leave out the use of security technologies in the cloud environment.
  4. Inspection of data in the cloud rarely happens.
  5. Despite concerns about security, organizations are not willing to pay for extra cloud security.

Moreover, while 90 percent of IT survey respondents said SaaS will be important to meeting IT strategies over the next two years and 79 percent said security is an important consideration in their cloud migration decision, only 33 percent believe their organizations are achieving necessary objectives for cloud security.

In light of these survey results, organizations should take steps to mitigate the potential for making similar security mistakes. But attaining a secure cloud posture is not an easy task. It involves procuring, integrating and managing dozens of point security products, as well as making all the necessary changes to processes, staff training and resource utilization.

In addition, even when a secure cloud environment is achieved, it must be maintained through constant monitoring, periodic risk reassessments and other techniques. Controls must be established that comprehensively address:

  • Risk management, which must be assessed both initially and periodically.
  • Security architecture. A careful analysis of how the organization fulfills its unique security requirements.
  • Incident handling, involving the creation of an entire program covering the incidence response lifecycle.
  • Threat management. Deploying technologies to identify and investigate potential threats and instituting ongoing practices to prevent them.
  • Vulnerability management, which entails identifying and remediating exploitable flaws and configuration errors in software.
  • Change control. Tracking additions, alterations and removals that might affect and organization's security architecture, and
  • Data security lifecycle support. Employing encryption technologies to protect data in transit and data at rest as well as secure backup, restore and deletion capabilities.*

As the survey results showed, it is unlikely that these tasks will be accomplished by an organization's internal IT team given that it may not even participate in the selection or know about the SaaS applications deployed by business users. That means that business users and, by default, their organizations, are relying on the SaaS provider to ensure that adequate security protections are in place, which may not be an accurate assumption.

Simplifying security for SaaS applications
Rather than attempting to accomplish all the foregoing tasks internally, organizations needing to protect sensitive data can simplify the process by investigating whether the cloud infrastructures that store their data workloads, applications and assets are secure. When it comes to SaaS applications, an important consideration is whether the SaaS provider is partnering with a secure cloud hosting provider that has the expertise and technologies in place to ensure proactive protection of the organization's sensitive data. The secure cloud hosting provider should have the ability to accomplish all of the foregoing tasks, maintaining security for all applications and data that the organization accesses through the cloud. This approach has the potential to be much more cost effective, efficient and comprehensive for the organization than attempting to handle cloud security using internal IT resources.

In order to ensure a secure cloud environment, an organization should confirm that the following three objectives are met:

  • The organization has achieved complete visibility within the cloud environment.
  • Dwell time - the amount of time that a threat actor remains undiscovered and unmitigated within the environment - should be reduced from weeks or months to days or even hours.
  • Lesser threat actors should be automatically blocked so that the security controls - including technology and trained personnel - can focus on finding and stopping more sophisticated threats.*

Combining a cloud-based SaaS solution for generating highly regulated customer documents with secure cloud hosting of all deployments of this and other SaaS platforms in the organization has the potential to provide the best possible security while enhancing the organizations agility when delivering regulated communications to customers.

This approach can provide a comprehensive way to ensure security of data while also meeting an organization's threshold compliance requirements for compliant customer communications.

*See Armor White Paper, "Inside the 6 principal layers of the cloud security stack"

More Stories By Waqar Ahmad

Waqar Ahmad is Chief Information Security Officer for Elixir Technologies. He is a senior advisor to the solutions architect group and served as Elixir’s vice president of engineering for 10 years. Visit www.elixir.com for more information.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


IoT & Smart Cities Stories
Dion Hinchcliffe is an internationally recognized digital expert, bestselling book author, frequent keynote speaker, analyst, futurist, and transformation expert based in Washington, DC. He is currently Chief Strategy Officer at the industry-leading digital strategy and online community solutions firm, 7Summits.
Digital Transformation is much more than a buzzword. The radical shift to digital mechanisms for almost every process is evident across all industries and verticals. This is often especially true in financial services, where the legacy environment is many times unable to keep up with the rapidly shifting demands of the consumer. The constant pressure to provide complete, omnichannel delivery of customer-facing solutions to meet both regulatory and customer demands is putting enormous pressure on...
IoT is rapidly becoming mainstream as more and more investments are made into the platforms and technology. As this movement continues to expand and gain momentum it creates a massive wall of noise that can be difficult to sift through. Unfortunately, this inevitably makes IoT less approachable for people to get started with and can hamper efforts to integrate this key technology into your own portfolio. There are so many connected products already in place today with many hundreds more on the h...
The standardization of container runtimes and images has sparked the creation of an almost overwhelming number of new open source projects that build on and otherwise work with these specifications. Of course, there's Kubernetes, which orchestrates and manages collections of containers. It was one of the first and best-known examples of projects that make containers truly useful for production use. However, more recently, the container ecosystem has truly exploded. A service mesh like Istio addr...
Digital Transformation: Preparing Cloud & IoT Security for the Age of Artificial Intelligence. As automation and artificial intelligence (AI) power solution development and delivery, many businesses need to build backend cloud capabilities. Well-poised organizations, marketing smart devices with AI and BlockChain capabilities prepare to refine compliance and regulatory capabilities in 2018. Volumes of health, financial, technical and privacy data, along with tightening compliance requirements by...
Charles Araujo is an industry analyst, internationally recognized authority on the Digital Enterprise and author of The Quantum Age of IT: Why Everything You Know About IT is About to Change. As Principal Analyst with Intellyx, he writes, speaks and advises organizations on how to navigate through this time of disruption. He is also the founder of The Institute for Digital Transformation and a sought after keynote speaker. He has been a regular contributor to both InformationWeek and CIO Insight...
Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereal. Andrew's role at ConsenSys Enterprise is a mul...
To Really Work for Enterprises, MultiCloud Adoption Requires Far Better and Inclusive Cloud Monitoring and Cost Management … But How? Overwhelmingly, even as enterprises have adopted cloud computing and are expanding to multi-cloud computing, IT leaders remain concerned about how to monitor, manage and control costs across hybrid and multi-cloud deployments. It’s clear that traditional IT monitoring and management approaches, designed after all for on-premises data centers, are falling short in ...
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
Dynatrace is an application performance management software company with products for the information technology departments and digital business owners of medium and large businesses. Building the Future of Monitoring with Artificial Intelligence. Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more busine...