While billions of dollars will be spent on SaaS and cloud applications by the end of 2009, executives continue to question data security inside the cloud. A recent article in CIO Magazine notes a growing majority of execs are worried about cloud security. These executives recognize that each SaaS application, like Salesforce.com, represents a potential highway of highly sensitive corporate data outside the firewall and outside IT’s security protocol. While no means exhaustive, here is a list of mistakes we’re seeing companies make when deploying SaaS applications, creating unnecessary risk and cost for their organizations:
- Creating the ‘three-headed admin’ – granting multiple people administrator-level roles inside a single SaaS application, or having multiple admins share the same credentials. Aside from the obvious security issues, resulting SaaS app management data typically ends up reflecting multiple perspectives of users and permissions.
- Hoping that everyone ‘locks the door’ – relying on manual workflows, phone calls and emails to de-provision SaaS users’ access in an accurate and timely fashion across SaaS apps. If there’s not an automated way to guarantee deprovisioning across all apps, then it’s unlikely that it’s happening.
- Applying a short term ‘band-aid’ for management – using trouble ticketing and help desk systems to coordinate administration between central IT and departmental SaaS admins. This is typically a short term fix that just kicks critical provisioning and identity management issues down the road, and does it in a way that creates more pain later.
- Attempting the IT ‘end-run’ – not engaging IT on management and support until SaaS app(s) become “mission critical” within the organization. As SaaS and cloud are now becoming more mainstream technologies, IT is regaining their seat at the table to help extend existing policies and controls – ignore this dynamic at your own peril.
- Delegating policy enforcement – relying on individual SaaS administrators to enforce corporate policies for roles and permissions. Most organizations have access control policies and controls exist for on-premise apps and data, but few think about how to extend them to SaaS and cloud applications prior to deployment, particularly in environments with distributed administration.
- Believing in a management ‘silver bullet’ – assuming that existing on-premise directories (such as Microsoft Active Directory) or identity management tools (including SSO) extend to support all SaaS-related identity challenges. They don’t.
- Creating ‘two sets of rules’ – treating SaaS governance differently than on-premise applications with regard to user identity and compliance. Governance frameworks and best practices should consistently apply to applications no matter how they’re delivered.
- Failing to create a ‘rearview mirror’ for audit and compliance – failure to identify and approach for capturing an audit trail of access, usage, user change and permissions history. Though delivered by a 3rd party, companies are still responsible for implementing and enforcing access control policies, and for demonstrating it at audit time.
- Forgetting about compliance reporting – wasting 20-30 executive hours each quarter to manually compile reports for internal or external compliance audits. Forgetting to consider compliance reporting needs up front when evaluating SaaS vendors and overall SaaS/cloud strategy can be painful.
- When in doubt, spending more – buying unnecessary subscription seats because of a lack of visibility to actual subscriptions and current usage.
We’d be interested in hearing what others are seeing and hearing in these areas as well…
Tags: Active Directory, cio, Cloud, Cloud Computing, GRC, SaaS, SSO
Conformity 
Leave a comment