Page 47 - FCW, April 2017

DrillDown
Extending security into the cloud
SaaS applications are changing the way agencies work, but new security approaches are needed when there is no longer a clearly defined perimeter
BY RICHARD A. SPIRES
As a former government CIO, I have implemented and seen the significant benefits of cloud technology — both the use of computing power on demand and software-as-a-service applications. In particular, SaaS-based applications are becoming an increasingly popular way for organizations to quickly and easily take advantage of new capabilities.
They are also driving tremendous growth and innovation. AngelList has identified more than 11,000 SaaS startups in the U.S., and IDC predicts the market will surpass $112 billion by 2019.
Although cloud computing and SaaS business models can enable IT organizations to reduce their infrastructure costs and offer more agility to support customers, they also increase the complexity of dealing with IT security.
Not only is the IT organization giving up control over and visibility into some of its IT infrastructure when it uses SaaS-based applications, it is also giving third parties the ability to store and control sensitive data.
Not so long ago, IT security professionals would work to protect an organization’s IT perimeter. With today’s new computing and service models, a traditional perimeter typically no longer exists. And if it does, it might include protecting dozens of third-party cloud service and SaaS application providers.
Addressing the new IT security realities is a two-part challenge. First, with regard to the use of third-party IT cloud service providers (including more traditional outsourced data center services), agencies need to be confident that the providers are implementing the proper security controls. Those controls should match, or at least be very similar to, what the agency would implement within its own data centers and networks.
Such controls include physical access for personnel, identity management for systems administration and appropriate network encryption.
A number of nonprofit organizations have been working on standardizing those controls for the industry. Notably, the Cloud Security Alliance has developed the Cloud Controls Matrix, a framework designed to provide fundamental security principles for cloud computing. Using CCM, the alliance has developed an auditing, certification and registry program for cloud service providers known as the Security, Trust and Assurance Registry.
In a similar model, the government has developed the Federal Risk and Authorization Management Program, which enables cloud service providers to meet minimum security requirements