NSS Labs highlighted the growth of security-as-a-service (SaaS) vendors, and issues facing the market.
NSS Labs highlighted the growth of security-as-a-service (SaaS) vendors, and issues facing the market.

A new report sheds light on the growing number cloud-based security vendors in the marketplace, as well as concerns that may arise as enterprises take advantage of solutions facilitating secure adoption of cloud services.

On Wednesday, security research and advisory firm NSS Labs released an analyst brief on cloud-based security offerings,which have increasingly allowed organizations "to control [their] data just as if it were on-premises, while allowing it to safely populate cloud-based applications,” like Salesforce or Dropbox, the report said.

NSS Labs noted that adoption of cloud-based services have grown at a “staggering rate,” and consequently “heightened interest in securing cloud-based deployments, prompting customers to evaluate security components that can protect data as it moves to and from the cloud, or to move components of their security infrastructure off-site."

While attractive points for organizations looking to such services entailed reduction of capital costs in the form of one monthly fee to providers, as well help meeting compliance requirements (particularly for smaller businesses with limited resources), the report named numerous pitfalls enterprises might face. Security-as-a-service (SaaS) vendors may find it difficult to adequately support legacy and mobile applications.

“Even though a number of vendors offer application wrapping in order to make applications mobile-ready, organizations have limited ability to secure their own legacy applications, and many vendors have struggled to provide equivalent functionality and controls between client- or web-based applications and mobile applications,” the report said.

In a Wednesday interview with SCMagazine.com, Rob Ayoub, the report's author and the research director at NSS Labs, further addressed mobile compatibility concerns.

“Sometimes the mobile applications for [services], like Salesforce and Dropbox, operate differently from the web applications, because they are designed differently and aren't exact copies. So, the third parties [cloud-based security providers] are working with other third parties, in order to make it work across all use cases," Ayoub said, later adding that “there's still a need for maturity within these solutions.”

The report also added that implementation of SaaS technologies, delivered through proxies or cloud-on-cloud deployments, can “unintentionally increase complexity for end users.”

“Proxy-based deployments can increase latency, require significant changes to routing, and even break hard-coded applications,” the report said.

Moving forward, IT departments will be charged with examining the security of such cloud-based services, “in the same manner that they evaluate internal security tools,” NSS said.

“Whether an organization employs a SaaS provider or another cloud-based service to deliver its security, these services must be incorporated into the same workflow as traditional controls,” the report said. “The services must be audited and tested against the same metrics as any other security product,” it continued, later adding that “ultimately, the governance of risk remain[s] the responsibility of the enterprise.”