Ensuring That Every Cloud Has A Secure-Lining
In contrast to traditional IT environments, software is no longer purchased and locally installed on a PC or server. Instead, customers that take the SaaS route simply buy a license for a software service hosted on the server of the SaaS vendor, for a period determined by whether they elect for a monthly, quarterly or yearly subscription.
Given the current economic downturn and the benefits the SaaS model offers, it is perhaps not surprising that Forrester predicts the adoption of SaaS in enterprises to grow 33% on an annual basis. Many more organizations are set to benefit from the hosted application model: upfront costs are significantly lower, it is faster and cheaper to deploy, it requires no additional server hardware investments, it is extremely scalable and upgradeable, no dedicated staff are required, and thus ROI is guaranteed.
Both in a personal and professional capacity, we are already accessing hosted applications, such as newspaper subscriptions, CRM, HRM, ERP, e-learning services, legal, marketing and real estate services, online gaming and gambling and so on. The big question around the SaaS model relates to security.
Every cloud has its silver lining
IT-departments have genuine concerns about security when implementing SaaS: how secure are these hosted applications? After all, your data resides somewhere on a server hosted by the vendor. What measures does the vendor take to make sure that its infrastructure is sufficiently stable and redundant? How does it secure access to the infrastructure and data? If you use a simple log-in and password to access business critical data, does this provide you with sufficient protection against data theft through phishing and key logging attempts? Are you really sure that only your organisation’s staff can access the data and not the competition, which is most likely using the same SaaS-application? What do you do if an employee leaves the company, joins the competition and still uses his old password to access your business critical details? All of these are questions that anyone considering adopting a SaaS model should ask.
Authentication is the answer
Strong authentication is already common and established practice in online banking, protecting banks and customers against transaction fraud. Each individual user has access to a two factor authentication device. The user ‘knows’ something, usually a PIN to activate the device, and ‘has’ something, in this case, the authentication device. The device generates One-time Passwords (OTP) or ‘dynamic’ passwords; these are valid for only a limited amount of time and can only be used once. Thanks to the use of the OTP when logging onto the banking application, the bank is sure that a legitimate user is logging on. The same principle can be applied to SaaS-applications, solving the many security concerns IT-departments have related to the legitimacy of the users. Not only can they ensure that only authorized users, the ones equipped with an authentication device, can log on and access the business critical data, they also ensure that data are protected against data theft. Since OTPs are only valid for a short time period and cannot be reproduced, they become useless to phishers and keyloggers, desperately trying to intercept passwords to steal data.
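As an added illustration (not part of the original article and not the code of any VASCO product), the sketch below shows how a SaaS back end can check OTPs that are time-limited and single-use, and cut off a departed employee's device. It assumes the open RFC 6238 TOTP algorithm with a 30-second step and one step of clock drift; `OtpVerifier` and `revoke` are hypothetical names.

```python
import hashlib
import hmac
import struct

STEP = 30     # seconds each OTP stays valid (assumption: RFC 6238 default)
DIGITS = 6    # length of the displayed code

def totp(secret: bytes, counter: int) -> str:
    """RFC 4226 truncation of HMAC-SHA1 over a time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

class OtpVerifier:
    """Server side: each OTP is accepted once, and only near its time step."""

    def __init__(self, secrets: dict, drift: int = 1):
        self.secrets = secrets   # user -> shared device secret
        self.drift = drift       # tolerated clock drift, in time steps
        self.last_used = {}      # user -> newest time step already accepted

    def verify(self, user: str, otp: str, now: float) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return False         # unknown or revoked user
        current = int(now) // STEP
        for counter in range(current - self.drift, current + self.drift + 1):
            if counter <= self.last_used.get(user, -1):
                continue         # step already consumed: a replay is rejected
            if hmac.compare_digest(totp(secret, counter).encode(), otp.encode()):
                self.last_used[user] = counter
                return True
        return False

    def revoke(self, user: str) -> None:
        """Disable a user's device, e.g. when an employee leaves."""
        self.secrets.pop(user, None)

if __name__ == "__main__":
    key = b"12345678901234567890"   # constructed sample secret
    v = OtpVerifier({"alice": key})
    code = totp(key, 59 // STEP)
    print(v.verify("alice", code, 59), v.verify("alice", code, 59))
```

A code captured by a keylogger fails on the second `verify` call even inside its validity window, because the time step it belongs to has already been consumed.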
-- By Jan Valcke, President and COO, VASCO
Vasco Data Security SA is exhibiting at Infosecurity Europe 2010, the No. 1 industry event in Europe held on 27th – 29th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk