SaaS, Cloud, encryption & you

Any IT professional who has heard “send it to my Hotmail” or “popped it into Dropbox for you” echo across the office will know how impossible it is to keep employees from using outside applications for work when those provided don’t quite meet their needs.

While some organisations in some sectors of the economy, pharma and financial services for example, may be able to impose a complete ban on the use of cloud-based apps, they are the exception to the rule.

Unless there are compelling IP or regulatory issues at stake, any IT professional who bleats on about lack of security in the cloud, will quickly become an irrelevance in an era where the ROI on SaaS and cloud services is indisputable. Indeed, those who decry the security of cloud-based solutions could be massively over estimating the strength of their own operations. The average IT department is awash with horror stories about unprotected servers, lost data, virus attacks and worse.

That is not to say that cloud providers are all secure and it is not to ignore the fact that ultimate responsibility for the security of cloud based services lies with the customer of those services, not the provider.

The job of IT teams is then to ensure the systems they offer mean end users don’t have to resort to consumer technology, with minimal levels of security, to get their day-to-day work done.

It is also to ensure that anyone purchasing cloud-based products for the organisation knows the risks and knows the question and guarantees to ask from suppliers. By raising these questions, purchasing departments – instead of excluding IT – might ask the IT team to take a hand in contract negotiations.

After all, IT professionals are best placed to break the cloud security down to its core components -data protection, vulnerability management, identity management, physical and personnel security, availability, application security, incidence response and privacy.

The IT department can ask suppliers whether they perform the same level of background checks on staff as the in-house team does on its recruits. It can list the technical standards that suppliers should comply with, and is best placed to spot any sleight of hand on terms and conditions.

At the same time the internal IT team has to put its own house in order. In particular it has to focus on how to secure data while ‘in-flight’ between client and application host. It has to understand data management and ultimately permanent secure disposal of data in the cloud.

In addition, it has to get to grips with access. When staff are using multiple apps from a range of providers, the temptation will always be there to use the same password and to share it within teams. Managing usable, secure single sign-on across multiple apps remains a real challenge, and it has to be cracked.

Fortunately such is the momentum behind cloud and SaaS that tools are rapidly being developed to meet these challenges. If you flag up the issues properly to your business, the IT team will get the investment it needs to ensure the business can gain the full benefits of cloud and SaaS securely.