Software-as-a-service (SaaS) is one of the biggest challenges facing chief information security officers (CISO...
The model of supplying software over the internet, also know as cloud computing, often involves users of the service sending data outside the organisations to third party suppliers.
The challenge is around the governance required to ensure data is secure, says Patrick Tarpey, head of information systems security at communications regulator Ofcom.
Most CISOs are likely to face this problem in the next year with 90% of organisations planning to maintain or grow their usage of SaaS, according to analyst Gartner.
There is an increased demand for SaaS from the business, says Tarpey, because of the lower cost and minimal internal footprint.
From a security point of view, however, it requires a security audit-like approach to ascertain if the SaaS supplier is using all the necessary data protection controls.
"If they are processing credit card details, it is important to find out if they are following the payment card industry standard," says Tarpey.
CISOs also need to know where data is stored, how securely it is stored, if supplier employees are security checked, and that data is properly disposed of.
"Ofcom often regulates on issues that are market sensitive and can affect a share price, so one has to be confident that the supplier is secure," says Tarpey.
It is doubtful, he says, that many organisations or their customers and partners will be happy with the idea that there is no definite control over the way data is handled.
There has to be greater transparency from SaaS suppliers and a willingness to answer searching questions about data backup, security and disposal.
"If SaaS suppliers want the business, they will answer the questions, and in time this become standard practice as the market matures," says Tarpey.
Another big challenge to CISOs is the increasing use in the workplace of smart phones that can access the internet.
"There is a push from the business to use personal devices like Apple iPhones, but that requires encryption to avoid data privacy issues," says Tarpey.
Ofcom requires that all laptop computers and removable media are encrypted.
CISOs also need to maintain strict control over what consumer devices can be plugged into the corporate network.
The more devices that are allowed to connect to the network, says Tarpey, the more security vulnerabilities and security patches that need to be managed.
"End-point control is important so there is no free-for-all on the network that allows users to plug in any device and potentially leach information," he says.
Policies that reflect the data protection goals of the organisation are just as important to back up the technical controls.
Tarpey says technical controls can always be bypassed by tech-savvy users so organisations need to be able to impose sanctions for failing to follow policy.
"I would never consider releasing a technology for use in the business without having a policy in place to govern its use," says Tarpey.
Policy dictates that BlueTooth capabilities of consumer-style PCs are disabled by default to prevent users setting up personal area networks.
"This sounds inflexible, but the business need for security has to be balanced against the availability of new technology," says Tarpey.
Although all Ofcom IT policies are available in an easy to understand format on the intranet, users are continually reminded of best practice, says Tarpey.
One of the main forms of communication used by Ofcom is the in-house magazine, which includes weekly security tips on topics such as spam, phishing and Trojans.
Polices are also important in setting user expectations. For example, users connecting to Ofcom's wireless network are told it is for Ofcom use only with approved devices.
Simplicity, policy, communication and control are the watchwords for successful security strategies, according to Tarpey.