Software-as-a-service (SaaS) is one of
the biggest challenges facing chief information security officers
(CISOs).
The model of supplying software over the internet, a form of
cloud computing, usually involves users of the service sending
data outside the organisation to third-party suppliers.
The challenge is around the governance required to ensure data
is secure, says Patrick Tarpey, head of information systems
security at communications regulator Ofcom.
Most CISOs are likely to face this problem in the next year with
90% of organisations planning to maintain or grow their usage of
SaaS, according to analyst
Gartner.
There is an
increased demand for SaaS from the business, says Tarpey,
because of the lower cost and minimal internal footprint.
From a security point of view, however, it requires a security
audit-like approach to ascertain if the SaaS supplier is using all
the necessary
data protection controls.
"If they are processing credit card details, it is important to
find out if they are following the payment card industry standard,"
says Tarpey.
CISOs also need to know where data is stored, how securely it is
stored, if supplier employees are security checked, and that data
is properly disposed of.
"Ofcom often regulates on issues that are market sensitive and
can affect a share price, so one has to be confident that the
supplier is secure," says Tarpey.
It is doubtful, he says, that many organisations or their
customers and partners will be happy with the idea that there is no
definite control over the way data is handled.
There has to be greater transparency from SaaS suppliers and a
willingness to answer searching questions about data backup,
security and disposal.
"If SaaS suppliers want the business, they will answer the
questions, and in time this will become standard practice as the market
matures," says Tarpey.
Another big challenge for CISOs is the
increasing use in the workplace of smartphones that can access
the internet.
"There is a push from the business to use personal devices like
Apple iPhones, but that requires encryption to avoid data privacy
issues," says Tarpey.
Ofcom requires that all
laptop computers and removable media are encrypted.
CISOs also need to maintain strict control over what consumer
devices can be plugged into the corporate network.
The more devices that are allowed to connect to the network,
says Tarpey, the more security vulnerabilities and security patches
that need to be managed.
"End-point control is important so there is no free-for-all on
the network that allows users to plug in any device and potentially
leak information," he says.
Policies that reflect the data protection goals of the
organisation are just as important to back up the technical
controls.
Tarpey says
technical controls can always be bypassed by tech-savvy users
so organisations need to be able to impose sanctions for failing to
follow policy.
"I would never consider releasing a technology for use in the
business without having a policy in place to govern its use," says
Tarpey.
Policy dictates that the Bluetooth capabilities of consumer-style
PCs are disabled by default to prevent users setting up personal
area networks.
"This sounds inflexible, but the business need for security has
to be balanced against the availability of new technology," says
Tarpey.
Although all Ofcom IT policies are available in an easy-to-understand
format on the intranet, users are continually reminded
of best practice, says Tarpey.
One of the main forms of communication used by Ofcom is the
in-house magazine, which includes weekly security tips on topics
such as spam, phishing and Trojans.
Policies are also important in setting user expectations. For
example, users connecting to Ofcom's
wireless network are told it is for Ofcom use only, with
approved devices.
Simplicity, policy, communication and control are the watchwords
for successful security strategies, according to Tarpey.