Five questions about SaaS vendor Cloud security

SaaS has been adopted by both business and home users. According to a Gartner announcement in July 2011, SaaS revenues reached $10 billion in 2010 and are still growing; Gartner estimates growth of more than 20% in 2011, to $12.1 billion. Gartner defines SaaS as software that "is owned, provided and managed remotely by one or more vendors." Vendors deliver the application from a common set of program code and data definitions, in a one-to-many model, to contracted customers at any time, billed by use or through a variety of subscription packages.

Almost every article or talk on the subject mentions salesforce.com. It is a major provider in the SaaS space, but SaaS comes in many different forms: customer relationship management, human resources management, cloud backup, collaboration platforms, accounting and audit platforms, service and support center management, hosting services, web and email filtering, and so on.

The economic benefits are obvious for suppliers and customers alike: for users, the cost of SaaS is more attractive than the cost of purchasing their own software. Because the service is centralized, SaaS vendors can update and manage software and services quickly and easily, and can observe customer usage patterns directly to improve their applications. Scalability and volume-based pricing are attractive to both customers and suppliers. SaaS also offers more flexible integration and open interfaces, and many providers are starting to offer collaboration features or open interfaces (APIs) modeled on social media.

While SaaS can provide a flexible and cost-effective alternative to traditional models, it is not without risk. Because the application moves to a hosted platform instead of staying in house, the enterprise inevitably gives up a great deal of control over the operating environment. With SaaS in particular, about the only choice you have is whether or not to upload a given piece of data; the rest is outside your control. Yet you still bear the legal and regulatory responsibility for protecting your data.

The SaaS environment carries many kinds of risk, and most of them are tied to the benefits it provides. As mentioned earlier, your provider learns how you use the service platform through some form of network analysis and is able to access all of your data, which can lead to unauthorized access or to exposure to internal staff. The centralized nature of the system and the single shared configuration of a multi-tenant environment mean that a vulnerability affecting one customer is likely to affect other customers equally. The Epsilon data breach is a recent example: it affected many Fortune 500 companies that used the same SaaS provider.

Vulnerability attacks can cover a wide range of areas. Most of the common protocols and software stacks that SaaS suppliers use, such as HTTP, XML/SOAP, JSON, CSS and JavaScript, have well-known and frequently exploited vulnerabilities if they are not properly designed, developed and configured. The more flexibility the service platform offers for customization and external integration (an important selling point for SaaS vendors), the more opportunities there are for some customers to create vulnerabilities and for others to suffer the consequences of an attack. This is an inevitable consequence of a multi-tenant environment.

Five key security questions to ask your SaaS provider

1. Penetration testing: How, and how often, is the entire environment penetration tested? Can you independently penetration test part of the environment? Without frequent penetration tests, you will not have the full picture of the current security situation.

2. Data security: How is data encrypted in storage and in transit when you use a SaaS vendor's shared-resource data center? Who can obtain the encryption keys? Is there separation of duties between those who hold the encryption keys and those who maintain the data? Does the supplier provide you with its SAS 70 report?

3. Multi-tenancy: Is there an option for single-tenant hosting? You will also want to confirm whether single tenancy covers only the application or also includes the data storage.

4. Disaster recovery: Are there procedures in place for backup and recovery when a catastrophic failure, external intrusion or data loss occurs? Where is the backed-up data stored (again, it needs to be encrypted), and how is an effective response ensured?

5. User authentication: What is the login procedure for the SaaS application? Is multi-factor authentication used? Can it be integrated with the authentication mechanism the customer already uses?

That concludes this analysis of cloud security issues for SaaS vendors: the SaaS environment carries many risks, and most of them are related to the benefits it offers.

Responsible editor: Liyan