Four security issues to torture SaaS and cloud computing

One, the cloud standard is very weak

ISO27001 is a fairly comprehensive standard that covers a wide range of customer-focused operational security issues. "This is, for me, at least a basic basis for assessing the maturity of SaaS providers," said Chenxiwang, a Forrester analyst.

However, handing your data to suppliers passing the ISO27001 standard does not guarantee the security of your data. The survey found that many companies claimed to conform to the ISO27001 standards, and then acknowledged "deficiencies in the management of privileged users", including the sharing of administrator accounts among users and granting users more extensive privileges than necessary.

Second, the cloud in the authentication is not mature

Chenxiwang, a Forrester analyst, says that cloud providers themselves do not adequately include authentication services in their cloud computing platforms (typically the services behind the corporate firewall). There are Third-party technologies that enable IT departments to enhance role-based access control in cloud computing. But overall, "this area is still at an early stage," she says.

"Managing Authentication and access control for enterprise applications is still the biggest challenge for IT organizations," according to the Cloud Security alliance, "while companies can deploy cloud computing services that do not have a good authentication and access management strategy, in the long run, It is necessary to extend the authentication services of the enterprise to cloud services. ”

Iii. Confidentiality

Cloud vendors think they can better secure data than the average customer itself, and SaaS is actually more secure than most people think. But many customers find this hard to believe, because SaaS providers are usually fairly secretive about their security processes.

In particular, many cloud service providers rarely publish detailed data about their data centers and operations and claim that doing so will undermine security. However, customers and industry experts are already fed up with all the outstanding issues and confidentiality agreements.

In some cases, if the vendor wishes, the customer may be able to transfer their experts and try to enter the vendor's network for security testing.

Four, you don't always know the location of your data

But this is still a relatively rare feature, even if the data is stored in a country, customers need to be able to identify the location of the data to meet regulatory requirements, which is the technology that EMC is developing to track and verify the location of virtual machines in the cloud network, but this technology will not be available until next year, and it requires EMC, Integration of VMware and Intel products.

"Now, there is no technology to verify the location of the virtual machine," said Chadsakac, vice president of EMC company VMware Technology. "Nothing can stop you from moving a virtual machine to any place in the world, and more importantly, there is no way to audit this kind of transfer behavior." ”