Mushegh Hakhinian, security architect at IntraLinks
2009 was a growth year for cloud computing, with the trend capturing significant attention both in the press and among major companies around the world. As CIOs began to sink their teeth into cloud computing's business applications, the stage for large-scale adoption in 2010 was set. In fact, technology research and advisory firm Gartner recently published a report forecasting a tremendous increase in software-as-a-service (SaaS) revenues as a result of the emergence of cloud computing – an estimated $14 billion by 2013.

Without a doubt, the cloud delivers highly affordable, flexible and secure solutions to organizations, providing them with a great opportunity to leverage economies of scale. Unfortunately, high-profile cloud computing outages (even among leading vendors) and concerns about security leave many enterprise decision-makers reluctant to offload their most critical data to the cloud. In fact, these concerns over security and reliability are widely cited as the biggest inhibitors to widespread enterprise adoption of cloud computing, even as businesses are increasingly reliant on cloud collaboration services for e-mail and other office communication needs.

The question is: Are these fears really warranted?

In reality, the biggest players in the financial services market, including all of the top 50 global banks and 16 of the 30 largest private equity firms, already trust the cloud with their most confidential data. For years, they have leveraged secure and reliable cloud solutions for everything from merger and acquisition deals and bankruptcies to restructuring and fund-raising activities.

These SaaS-based, mission-critical collaboration tools will continue to be important as the market begins to stabilize in 2010, allowing parties around the world to log in to a password-protected, extremely secure environment to collaborate, communicate and exchange highly sensitive information in real time, both inside and outside their firewall.

For businesses with some of the toughest security requirements in the world, there are a number of criteria to consider when evaluating potential vendors in the cloud.

The primary focus when it comes to security for SaaS models like cloud computing, of course, is finding a provider that can protect data at all times. Keep in mind that SaaS providers already offer a number of advantages when it comes to maintaining security standards for the enterprise. Unlike an internal IT department, in which IT resources are typically stretched thin and keeping current can be a challenge, SaaS vendors offer a faster response time to threats, homogeneous environments with smaller vulnerability surfaces to secure, and more vigorous security checks than traditional corporate IT departments that have limited resources and time.

In the evaluation process, we recommend taking this a step further to confirm that a potential provider addresses four specific areas of concern with equal levels of attention. In fact, 360-degree security requires that each of these four pillars of information security be addressed:

  1. Application Security: The best SaaS providers protect their offerings with strong authentication and equally potent authorization systems. Authentication ensures that only those with valid user credentials obtain access, while authorization controls what services and data items individual valid users may access.
  2. Infrastructure Security: Cloud services are only as good as their availability. Providers must build a highly available, redundant infrastructure to provide uninterrupted services to their customers. Network and perimeter security are paramount for infrastructure elements; therefore, leading-edge technologies for firewalls, load balancers and intrusion detection/prevention should be in place and continuously monitored by experienced security personnel.
  3. Process Security: SaaS providers, particularly those involved in business-critical information, invest large amounts of time and resources into developing security procedures and controls for every aspect of their service offerings.
  4. Personnel Security: People are an important component of any information system. They can present insider threats that no outside attacker can match. Administrative controls such as “need to know,” “least privilege” and “separation of duties” must be employed. Background checks of the employees and enforceable confidentiality agreements are mandatory.

Adopting a comprehensive approach that integrates application, infrastructure, process and personnel security with appropriate protection and controls is a critical factor. In addition to these fundamental components, organizations also need to, quite simply, take a good look at the provider's existing client base and where they set the bar for security. This can be a good gauge for the strength of a provider's claims. Only through discussions with existing customers, access to the public record and inspection of audit and incident reports can the best providers be distinguished from run-of-the-mill counterparts.

Finally, when evaluating and choosing a SaaS provider, it is important to verify that the provider can deliver the level of service and capabilities your company requires and to then double-check their ability to deliver on their promises. Ideally, obtaining information about security from providers should require little or no effort from prospective buyers. The providers who understand security will provide detailed security information as a matter of course, if not a matter of pride.

Security-savvy SaaS providers can also deliver tremendous value-add to their clients by enabling effective collaboration among colleagues and co-workers, and even among teams assembled across multiple organizations. With the right security apparatus built in, providers can impose highly effective security restraints on SaaS offerings.

As cloud computing increasingly becomes a viable option for CIOs and other business professionals looking to do more with less, the real game-changing event is just around the corner – when companies move beyond simply virtualizing their servers and start applying cloud computing concepts in earnest. By following the guidelines detailed above, organizations can make sure potential providers have their security and regulatory needs in mind as they float up into the next generation of enterprise collaboration.