II. It's a Sin to Put Information Security at Risk
Information security and data privacy are top concerns among SaaS buyers. To mitigate these risks, it's important to vet the SaaS provider's layers of security, including:
- A security executive sponsor and dedicated, expert information security staff.
- An information security plan that prioritizes threats, vulnerabilities and risks and mitigates these factors with specific people, processes and tools.
- A digital certificate and encryption for both data in motion and data at rest.
- Judicious firewall management, preferably using application layer or deep packet inspection firewalls.
- Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) and possibly honeypots, managed around the clock (24x7) by security experts.
- Antivirus and malware defenses positioned at multiple network points.
- Conformance with industry-specific or regulatory compliance security standards such as the Sarbanes-Oxley Act, HIPAA (Health Insurance Portability and Accountability Act), PCI (Payment Card Industry), GLBA (Gramm-Leach-Bliley Act) or NIST C&A (Certification and Accreditation).
- Vulnerability Assessment (VA) and penetration (PEN) tests performed by independent resources.
- Independent security audits by recognized third-party authorities such as ISO or NIST.
The layering of intellectual and physical security defenses provides redundancy and creates an environment where the failure or circumvention of one security device does not necessarily lead to the compromise of the network.
However, when considering SaaS CRM solutions from most of the market share leaders, concerns about information security in the cloud are warranted but generally misdirected. With reputable SaaS vendors, CRM buyers will discover that the SaaS provider's security posture is far superior to the buyer's in-house operation. Unfortunately, successfully validating the SaaS provider's security doesn't leave you secure.
The Real Security Threat
The most pervasive and damaging security threats are not technical and don't reside with your SaaS provider; they stem from your own people. The biggest threat may come from young professionals who do not know, or do not care, about corporate IT security policies.
The so-called Gen Y is bringing a sea change to the working population, and while they are biased toward and proficient with cutting-edge technologies, several credible research studies indicate they care more about securing their home PC than their work PC. Four research studies (from Accenture, Intel, ISACA and FaceTime Communications) have demonstrated that staff under 28 years of age are the enterprise's newest and most serious IT security risk.
The Accenture research polled more than 400 students and employees from age 14 to age 27. The study found that more than half (60%) of young people "are either unaware of their companies' IT policies or are not inclined to follow them." When asked which technologies they currently use for work-related activities that are not supported by their employers, mid-Millennials (ages 18 to 22) answered mobile telephones (39%), open source software (19%), IM (27%), online applications (12%) and social networking sites (28%). The respondents also acknowledged freely and regularly downloading freeware, shareware and non-standard technologies from (unknown and untrusted) public Web sites.
In a separate research study, Intel and the research firm Penn Schoen and Berland Associates suggested that while Gen Y workers are having a positive impact in the enterprise, they are also creating new security risks. Their propensity to download unapproved software and social media tools was one of the chief reasons cited for IT professionals' concern. Some participants in the Intel survey indicated that tools for controlling or blocking access to certain applications or sites might be effective in controlling the Gen Y problem. Others referenced tools that monitor employees' activities and flag risky behaviors.
In the only after-the-fact review of social media slip-ups, FaceTime Communications discovered that 37% of IT managers surveyed had found employees violating policies about sharing corporate information on social networking sites.
The threat from these unsanctioned activities is very real and the potential impact high. Inadvertently downloading a trojan, harboring a virus or exposing data to leakage threatens confidential information and the trust placed in employers who manage employee and customer information.
The path to resolution is fairly clear, but it requires compromise. In order to attract and retain the next generation of knowledge workers, employers should embrace the tools and technologies that make these professionals productive. Choosing to simply ban social media tools is a head-in-the-sand approach which cannot succeed. Adopting the Web 2.0 tools which make business sense and supplementing their implementation with initial and recurring user education is the constructive path. The Millennials must similarly compromise. Not all social media tools have a legitimate business purpose, and enterprise information security cannot be compromised under any condition. Striking a balance will mediate the requests for the newest and coolest social media technologies within the context of enterprise security and corporate legitimacy.
"A lot of security fears IT people have about SaaS are emotional and not based on reality. Security as provided by SaaS vendors is easily as good if not better than any IT shop."
~ Jim Warner, TM Forum