Cloud computing is on everyone’s lips right now, but some companies are still skeptical about the cloud because of security concerns. The state of security in the cloud, and the security procedures that set SaaS providers apart, are fundamental issues for IT decision-makers. This technical article provides a checklist for finding the best security concepts for the cloud.
Current cloud solutions cover many business needs, including applications for on-demand collaboration, web conferencing, IT service management, online backup, and customer relationship management. The result: more and more critical information is in the cloud. However, despite extensive knowledge of how the on-demand model works and of its advantages, such as cost efficiency, rapid deployment, flexibility, and scalability, this technology is only slowly gaining a foothold in many companies.
One reason for the reluctance to move to SaaS is security concerns. If a company transmits sensitive data over the Internet, strict controls are necessary to ensure security, confidentiality, reliability, integrity, and compliance with legal requirements. Such controls must extend to every organization to which services are outsourced, since these organizations too must comply with the legal, ethical, and statutory regulations for protecting information. Cloud-based systems involve four main areas – application, infrastructure, process, and personnel security – each subject to its own security rules.
Application Security
The need for security begins with the underlying application, as soon as the end user logs into the system. The best SaaS providers protect their offerings with solid authentication and authorization systems. Authentication ensures that only users with valid credentials can gain access. Authorization controls which services and data each authenticated user can access.
To prevent passwords from being shared, the application should not allow a single user ID to be logged in from multiple locations simultaneously. In addition to a password – a form of simple authentication – the user’s identity is confirmed again through multi-factor authentication. This serves as a protective shield against unauthorized access to users’ and customers’ content and data. Multi-factor authentication offers a higher security level, as is often required by government or financial institutions. Electronic systems use the information provided by users to verify that the user is the authorized person.
This information is based on a combination of factors that fall into the following three categories:
- Something they know – user IDs, passwords, passphrases, personal data, etc.
- Something they have – PCs, laptops, hardware tokens (e.g., SecurID), smartphones, etc.
- Something they are – fingerprint, iris or retinal scans, etc.
Real-time reports and user activity reviews show who is accessing what, when, and which changes have been made. In addition, it should be controlled who is allowed to print, copy, or forward documents. It is also essential to determine how such activities can be prevented when they are not expressly authorized – even after the documents have left the company premises. Robust watermarking functions help ensure that documents are not reproduced or distributed without permission.
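The controls described in this section – two factors at login (something the user knows plus something the user has), rejecting a second concurrent login for the same user ID from another location, role-based authorization for actions such as print or forward, and an audit trail of who did what and when – can be modelled compactly. The following is an added illustration written for this article, not code from any SaaS provider; the user directory, the TOTP secret, the salt, and the role-to-action table are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field

# Constructed demo values for this example only; a real deployment keeps salted
# password hashes and per-user TOTP secrets in a protected credential store.
PBKDF2_ITERATIONS = 100_000
TOTP_STEP = 30
DEMO_SECRET = b"demo-totp-secret-not-for-production"
DEMO_SALT = b"demo-salt"

# Authorization: which actions each role may perform. Print, copy and forward
# are treated as ordinary actions that must be granted explicitly.
ROLE_ACTIONS = {
    "viewer": {"read"},
    "editor": {"read", "edit"},
    "admin": {"read", "edit", "print", "copy", "forward"},
}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 hash of a password (factor: something you know)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, 30-second steps)."""
    counter = struct.pack(">Q", at // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to absorb clock skew."""
    if not (code.isdigit() and len(code) == 6):
        return False
    return any(
        hmac.compare_digest(totp(secret, at + k * TOTP_STEP), code)
        for k in range(-window, window + 1)
    )


@dataclass
class User:
    user_id: str
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes
    role: str


@dataclass
class SessionManager:
    users: dict
    sessions: dict = field(default_factory=dict)  # session_id -> (user_id, location)
    audit: list = field(default_factory=list)     # who did what, when, from where

    def _log(self, at, user_id, event, **detail):
        self.audit.append({"at": at, "user": user_id, "event": event, **detail})

    def _active_session(self, user_id):
        for sid, (uid, loc) in self.sessions.items():
            if uid == user_id:
                return sid, loc
        return None, None

    def login(self, user_id, password, code, location, at):
        user = self.users.get(user_id)
        # Factor 1: something the user knows, compared in constant time.
        if user is None or not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
            self._log(at, user_id, "login_failed", reason="password", location=location)
            return None
        # Factor 2: something the user has (the device that generates the TOTP code).
        if not verify_totp(user.totp_secret, code, at):
            self._log(at, user_id, "login_failed", reason="totp", location=location)
            return None
        # A single user ID may not be active in two locations at the same time.
        sid, loc = self._active_session(user_id)
        if sid is not None:
            if loc != location:
                self._log(at, user_id, "concurrent_login_rejected", location=location, active_location=loc)
                return None
            return sid  # same location: reuse the existing session
        sid = secrets.token_hex(16)
        self.sessions[sid] = (user_id, location)
        self._log(at, user_id, "login_ok", location=location)
        return sid

    def authorize(self, session_id, action, resource, at=0):
        """Role-based check for one action on one resource; every decision is audited."""
        entry = self.sessions.get(session_id)
        if entry is None:
            self._log(at, None, "access_denied", reason="no_session", action=action, resource=resource)
            return False
        user_id, location = entry
        allowed = action in ROLE_ACTIONS.get(self.users[user_id].role, set())
        self._log(at, user_id, "access_granted" if allowed else "access_denied",
                  action=action, resource=resource, location=location)
        return allowed

    def logout(self, session_id):
        self.sessions.pop(session_id, None)


def make_demo_manager():
    """Constructed single-user directory for the example (role: editor)."""
    alice = User("alice", DEMO_SALT, hash_password("correct horse battery", DEMO_SALT),
                 DEMO_SECRET, "editor")
    return SessionManager(users={"alice": alice})
```

The audit list is the raw material for the real-time reports mentioned above: every login attempt, rejected concurrent login, and authorization decision is recorded with user, time, location, action, and resource, so a reviewer can reconstruct who accessed what and when.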
It is also wise to secure access to the application with effective encryption to prevent unauthorized sniffing or snooping on online activities. To protect customer data in transit at all times, encryption must be in place. Furthermore, SDL processes (SDL = Security Development Lifecycle) should be followed when developing and operating the application.
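Encrypting access to the application in practice means a properly configured TLS connection, and a common failure is a client that still negotiates an old protocol version or skips certificate verification. As an added example written for this article (not a configuration from any provider), the following builds a hardened Python client context, sets a weak one beside it for contrast, and audits either with a small checker; the finding strings and the `audit_context` function are assumptions of the example.

```python
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context with a TLS 1.2 floor, mandatory server-certificate
    verification, hostname checking, and TLS compression disabled."""
    ctx = ssl.create_default_context()          # loads the system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.options |= ssl.OP_NO_COMPRESSION         # compression leaks plaintext length
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The configuration to avoid: certificate and hostname checks disabled,
    so any on-path party can present its own certificate unnoticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                  # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("server hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor is below TLS 1.2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is not disabled")
    return findings


def is_hardened(ctx: ssl.SSLContext) -> bool:
    return audit_context(ctx) == []
```

Such a context is passed to `ssl.SSLContext.wrap_socket` or to an HTTP client that accepts a custom context; the audit function is the kind of check worth running in a test suite so that a "temporary" `CERT_NONE` does not ship to production.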
Infrastructure Security
Cloud services are only as good as their availability. Providers must have a highly available, redundant infrastructure to offer their customers uninterrupted service. The infrastructure should also include real-time replication, multiple network connections, alternative power sources, and modern emergency systems to ensure comprehensive data protection. Network and perimeter security have top priority among the infrastructure elements. Modern firewalls, load balancers, and intrusion detection/prevention systems are therefore required, monitored around the clock by experienced security personnel. In addition, providers should have robust recovery procedures to protect customer data and should carry out regular disaster recovery tests so that service can be restored in the event of a disruption.
Process Security
SaaS vendors have invested a tremendous amount of time and money in ensuring that their security procedures and controls, which govern all aspects of setting up and managing an online system, meet the highest standards. This is especially true for providers who handle critical business information. These processes are documented and regularly reviewed to ensure that they work effectively and are applied consistently.