SaaS Vendors Get Serious About Cloud Security

Cloud Security

The Security for Business Innovation Council, which consists of IT security professionals from 19 companies around the world, says that many businesses will move mission-critical applications and data to the cloud in 2013, but not without caution. Security, the council says, is the number one obstacle to cloud adoption.*

The report goes on to say that managers responsible for executing on the cloud initiatives may be failing to coordinate adequately with IT security managers in their efforts to meet timelines and stay within budget. Better relationships between business unit managers and security teams will help; however, IT will also need to ensure that cloud service providers offer solutions that comply with their internal security policies.

This heightened skepticism over cloud security is not without justification. Enterprises cringe at stories about users’ files being publicly exposed through cloud platforms, because the vendor lacked the security controls necessary for complete protection. Unfortunately, those rare incidents dampen the fervor around cloud-based service adoption, and companies that could be taking advantage of the benefits of cloud are still using costly on-premise solutions. The truth is, there are risks to computing in the public cloud—but not necessarily any more than in a private cloud environment.

Here are some important attributes to look for when selecting a cloud service provider:

  • SSAE 16 Compliance. A true cloud provider holds annual SSAE 16 audits (formerly SAS 70) to ensure they have the proper controls and processes in place. SSAE 16 is the de-facto industry certification for service providers in the United States, and examines both the design of service provider’s internal controls, as well as the effectiveness of those controls over a long period of time.
  • Application Security. Controls for application security help ensure your data remains fully secure. For example, strong wire encryption using Secure Sockets Layer (SSL) for all the information sent between your computers and the service provider servers, user authentication using strong cyphers such as S-Crypt or enterprise delegated authentication using SAML, password-protected access, auto idle user session timeout, unique non-predictable session ID/Token for access, every database SQL Queries are striped by customer company ID to prevent data contamination, configurable session timeouts to prevent session hijacking and role-based user access capabilities are other important controls to look for in a solution.
  • Network Protection. To protect your data from outside threats, the provider should have several layers of firewalls in place to separate the application network from outside traffic. Anti-virus software should be used to detect and prevent the transmission of data or files that contain certain virus signatures. Moreover, Intrusion detection and preventive solutions (IDS & IPS) in place to discover any network intrusions to steal customer data is also most important to look for.
  • Disaster Recovery. Make sure the provider has detailed disaster recovery procedures to ensure you can always access your data – even if a service location becomes inoperable. Procedures should include identical backup facilities, automatic failover to backup sites, recoverability testing, and regularly scheduled full and incremental system backups.
  • Physical Security. The provider’s data centers should be completely secure and protected with electronic key card and biometric scanning, as well as digital surveillance to track and record all activities. Also, 24×7 monitoring is recommended.
  • Environmental Controls. All hardware should be fully protected with multiple heating, ventilation and air-conditioning (HVAC) units to regulate temperature and humidity.
  • Power. Continuous uptime can be ensured with redundant power supplies that use a combination of uninterrupted power supply (UPS), generators or battery backup.
  • Full Redundancy. The provider should maintain data centers in various locations—the further apart the better. Make sure one of the facilities is dedicated to global disaster recovery.

Indeed, the tide is turning for security in the cloud: Market-leading SaaS vendors such as Replicon have already beefed up controls to meet the requirements of even the most careful enterprises, and others are sure to follow suit. Learn more about Replicon’s secure cloud offering.

*“Information security Shake-Up,” January, 2012
** The top 10 trends in enterprise cloud for 2013, venturebeat.com, Matt Marshall, December 27, 2012.

Suresh Kuppahally
ABOUT THE AUTHOR
Suresh Kuppahally
Suresh is the EVP of Engineering and Ops at Replicon. Replicon provides award-winning products that make it easy to manage your workforce. With complete solution sets for client billing, project costing, and time and attendance management, Replicon enables the capture, administration, and optimization of your most underutilized and important asset: time.
Get started today.
Set up a free trial based on your business needs. Start Free Trial

How a Shared Common Data Platform for Project Management Can Create Harmony Across Business Teams

Today, professional services firms use some combination of ERP, CRM, HRIS, PPM, or other software along with their PSA solution. These systems serve different purposes, host different and overlapping data,…Read More

6 Ways to Simplify Remote Resource Allocation and Why It Matters

When you’re an enterprise operating at a global scale with a team of employees working from home, one of your major concerns is proper resource allocation. When it goes wrong,…Read More

3 Ways to Grow Your Services Firm Profitably

Does your professional services organization deliver? When you provide services to paying customers, how, when, and what you deliver are your top priorities. Think of it this way: if you…Read More

Miscalculating wages by a few cents led to this company paying a six-figure lawsuit

West Marine Products, which operates a chain of retail stores across the United States specializing in boating supply and fishing equipment, recently settled a class action lawsuit involving 707 former…Read More

Employee time tracking is dead

iBeacons, Bluetooth Low Energy, Proximity sensing and the obsolescence of time tracking as we know it. Businesses have to track the time their employees work for a variety of reasons,…Read More

How Sarbanes-Oxley Impacts HR Departments

Ever since the Sarbanes-Oxley Act (SOX) was passed in 2002, following a spate of high-profile corporate scandals, companies have had to take a wide range of precautions to ensure that…Read More
  • Polaris
  • Time & Project Insights
  • Time & Projects Solutions
  • Replicon Products
  • Replicon Users
  • Cloud
  • Corporate
  • Professional Services Management
  • Shared Services Management
  • Time and Attendance Management
  • Customer Feature
  • Time Intelligence
  • Industry News
  • Global Compliance Updates