IT expert provides cloud security advice
Writing under a pseudonym, Matthias Thurman, a recently hired IT manager, published a journal for Computerworld, detailing his early days with his company. In his new position, Thurman has to work with a number of SaaS solutions and try to keep the company secure. Overall, he concluded, establishing security in SaaS systems is possible, but will require a combination of end-user compliance and advanced security protocols.
Thurman explained his previous job was for a company using four SaaS solutions, making security relatively simple. At the new company, SaaS is used as the primary method of software deployment. This has created a challenging security environment because the organization now receives SaaS applications from 30 different vendors, leaving information spread over a variety of data centers.
The data distribution, however, does not concern Thurman too much. Instead, he is worried about the way employees can access cloud computing solutions. According to Thurman, most of the company runs through an internal, private network, keeping on-premises data safely shut within the intranet. However, many of the SaaS applications can be accessed from any internet-enabled device over any connection. This makes it possible for employees to expose their internal business files to public networks without any protection. Furthermore, many end users do not understand the importance of wisely choosing where to access their cloud applications.
To combat this issue, Thurman is rewriting the company's usage policy to create compliance standards for SaaS. This will educate users on the types of connections considered insecure and how they can best protect themselves and the company when accessing the cloud. However, Thurman believes education is not the only solution, and plans to expand the business's security protocols.
One of the first steps of this upgrade, according to Thurman, is expanding the firewalls and extending the intranet to let employees sign in securely through mobile devices and from remote locations. This can be achieved through encryption or advanced networking software, and Thurman plans to place all SaaS applications within the intranet to improve security.
Thurman also intends to upgrade the current plan for sign-in and authentication when users access cloud-based applications. Currently, most programs require a single login to gain access to the website. As a result, hackers can obtain user information with such tools as keyloggers, screen-capture tools and sniffers. A cyber criminal could use this information to access user and business files and learn each application used by the individual. This, in turn, would allow the hacker to access every cloud service and obtain critical information. For example, many users store nearly all of their data, contacts and calendars in their email application. By accessing this, a hacker would essentially have unlocked all of the employee's business-related information. The solution to this major security issue, according to Thurman, is upgrading login procedures.
By using double-authentication systems when users log in to the cloud applications and company network, hackers would essentially be unable to gain the necessary user information as they would have to successfully break into two highly secured pages simultaneously. Through this relatively simple solution, Thurman intends to secure the company's SaaS solutions.
According to a recent study from Gartner research, SaaS solutions have matured and become mainstream enough to assuage the security concerns that have been held by industry experts. As a result, the firm expects SaaS to grow by 16.2 percent in 2011, reaching $10.7 billion in value. This expansion comes after 15.7 percent growth in 2010, leading to industry revenue of $9 billion. Sharon Mertz, research director at Gartner, explains security improvements are among the primary reasons behind SaaS growth.