It’s been my second day at the Gartner IT Security Summit. Many of my CISO colleagues were clearly flagging by lunchtime. Several went home early as there was little of interest for them, generally sessions led by Gartner analysts spouting their latest theories, or the odd vendor promoting a product. There were few practical sessions or case studies of interest to user organisations. Gartner need to rethink this programme if they are to retain their top customers. It’s an agenda that’s clearly vendor driven, rather than one that’s customer focused.
But I was keen to listen to Gerhard Eschelbeck, CTO of Webroot, who’s both a malware expert and a pioneer of Software-as-a-Service (SaaS) security products, as well as being a very nice guy and a bright, articulate speaker. I was particularly interested to hear Gerhard’s latest views and experiences of developing security services that operate in the cloud, rather than on the desktop or at the corporate perimeter.
Cloud services are the future as they’re cheaper, easier to manage, more up-to-date, easier to scale and avoid capital expenditure. They also enable support for remote clients operating outside the corporate perimeter. The business case is compelling, as long as you’re comfortable with the idea from a security perspective.
Performance is not an issue. In fact, you can generally boost the speed and reliability of services by going for a SaaS service, as many offer faster Internet connections than your existing services. Not all performance is the same though, as not all vendors invest in the additional hardware that’s needed for a multi-tenant service. You have to check this out.
But security is a genuine concern, as, in practice, you have to check out the actual security practices on the ground, unless you’re comfortable with the credentials of the vendor. It’s a difficult area, especially for small or medium enterprises who can’t afford to fly an expert out to California or India. But there’s no easy answer other than organising an audit yourself, or carefully checking out the customer list to see if there are lots of blue chip clients who might well have already conducted a thorough audit to satisfy their requirements.
References are a possibility, but there can be liability implications for companies that vouch for a service, so this is not an ideal solution. At the end of the day, you simply have to decide whether you trust your partner. And it takes years to build a mature security management framework. So my advice is not to go for the cheapest service, but to go for the one that shows they understand security and has sufficient experience to get it right. Let’s face it, you’re already saving lots of money on SaaS products, so don’t aim to skimp on their security.