Evaluating SaaS

Difficult economic times are forcing some organizations to look at security as a service. We’ll weigh the opportunities and the pitfalls.

BY INFORMATION SECURITY AND SEARCHSECURITY.COM
SPONSORED BY

Contents: Tips and Tactics
2 SaaS considerations
7 Questions to ask your SaaS provider
16 Outsourcing vulnerability management
23 Security in the cloud


• TAKING THE SaaS PLUNGE • 7 QUESTIONS TO ASK YOUR SaaS PROVIDER • OUTSOURCING VM • SECURITY IN THE CLOUD • RESOURCES

SaaS
Taking the Services-on-Demand Plunge
BY BARBARA DARROW

Tight budgets and regulatory demands are driving companies to tap service providers for security.

It may seem a counterintuitive move, but a growing number of companies have signed on outside services to protect their internal networks and data.

Vendors such as Veracode, Websense, Qualys, Alert Logic and Google subsidiary Postini lead in answering this security-as-a-service charge, while incumbent security powers such as McAfee and Symantec figure out how to enter the fray without cannibalizing their existing businesses.

Some of these subscription services watch overall IP traffic, some scan email, some watch Web content. They all issue alerts and take action in the event of a threat.

So what leads a business to trust outsiders with its inside-the-firewall treasures? Constrained IT budgets and burgeoning regulations are prime factors.

Scott Smith, senior network engineer for Lincoln Property in Dallas, says Lincoln brought on a service so it wouldn’t have to hire more people to monitor its system and security logs. Before signing on with security services provider Alert Logic, the real estate management company didn’t have much more than a syslog server and staffers reading through tons of logs. “That is a nightmare, and the odds of finding what you’re looking for are slim to none. It was an overwhelming task,” Smith says.

And logs read after-the-fact are of little use against ever- and quickly changing security threats.

“The things that change most in our world are security threats. Why invest in an expensive [in-house] system when we can use experts? They read the logs, they provide immediate alerts. And there is no capital expense, but a small monthly fee,” Smith says.

Compliance pressures also are driving companies to bolster security via a subscription service. Chris Smith, vice president of marketing for Alert Logic, cites the Payment Card Industry Data Security Standard (PCI DSS) as a key motivator. Pushed by the major credit card companies, these standards dictate what users must do to comply and assess penalties for noncompliance, ranging from $500,000 per instance to a ban on processing credit cards.

“Unlike some government regulations which can be very general, PCI is very prescriptive,” says Smith. “You must have antivirus, you must have a firewall and intrusion detection, you must have periodic scans.”

Whereas Qualys mostly targets large enterprise accounts, Alert Logic’s sweet spot is more in midmarket businesses, many of which see the cost of deploying on-premises personnel and solutions as beyond their budget.

The PCI penalties demonstrate how security-as-a-service differs in one respect from business application service offerings like Salesforce.com or NetSuite. While cost analysis shows that hosted CRM, for example, can cost more than on-premises CRM after three or four years, such calculations don’t necessarily hold in the security realm for one good reason: The downsides of a big breach are incalculable.

“You can’t run a spreadsheet that will tell you how much you might lose because you don’t protect your information,” says Alert Logic’s Smith. One might point to the massive TJX credit card breach as a cautionary tale.

In some cases, SaaS doubters don’t want their information residing anywhere in the cloud; the outside-the-firewall aspect still spooks many companies and government agencies.

“These in-the-cloud providers must haul event and security data to a central data center,” says Andrew Plato, president of Anitian Enterprise Security, a consulting firm in Beaverton, Ore. “That turns off a lot of customers who do not want their security data commingling with other companies’ [data].”

For Paul Simmonds, former global information security director for chemical giant ICI and now chief information security officer for London-based Astra Zeneca, that fear is unwarranted. ICI adopted Qualys’ service about five years ago to offload the management of network protection and its associated headaches.

“My data is encrypted with my keys on their database. [Qualys] systems admins can’t even access my data,” Simmonds says.

Another perk is that security services overlay the customer’s existing infrastructure. ICI and other users continue to run their existing desktop security and other software. “Qualys is an addition; we don’t have to change the way we’re working,” Simmonds notes.

For smaller companies, the notion of foreseeable costs also leads them to security services versus on-premises solutions. Incremental subscription payouts aren’t large capital expenditures like big up-front purchases of hardware and software for security monitoring.

“Predictability helps for budgeting. You know how much you’ll spend annually on hardware, support, service and maintenance. It’s almost a no-brainer,” says Joey Rappaport, IT manager for Rosetta Resources, an oil and gas company.

Rosetta started with one Alert Logic appliance at its Houston headquarters a few years back and has added a second at its Denver site. “The only time the cost goes up is when you add another hardware unit,” Rappaport says.

But the biggest driving factor for choosing SaaS, Rappaport says, is there is no need to dedicate personnel to security and threat monitoring, which are full-time jobs.

Qualys CEO Philippe Courtot says the nature of the Web forced the move to security services. As companies opened their lines of electronic communications to work better with partners, suppliers and customers, their networks had to become more porous, so the old tactic of defending the perimeter was no longer applicable.

“People used to do security audits once a year; the rich ones implemented scanners from ISS. But now people realize all these vulnerabilities are not just at the perimeter but inside. They need to understand their network from beginning to end…and it is no longer practical to deploy a management solution that requires you to install it and manage it yourself,” Courtot says.

He likens how Qualys combined its service—which watches a customer’s network from outside with an appliance that guards it from the inside—to what Apple did in another realm.

“Apple Computer connected its iTunes service to a device, the iPod and now the iPhone, and completely changed how music is distributed. We connect our service with our appliance to look at your network vulnerabilities. We are bringing security and compliance together,” Courtot says.

Another player, Veracode, offers an on-demand service to find software vulnerabilities. In the past year there has been a flurry of M&A activity as tech giants and others are buying their way in: Google snapped up Postini; SurfControl bought BlackSpider and was in turn bought by Websense. The security incumbents are also reacting; McAfee is starting its own service and Symantec is promising several service-delivered capabilities.

Courtot maintains that just as Microsoft struggles with the SaaS model because it wants to protect its lucrative on-premises software business, the security giants will not be able to retrofit their wares into a services model.

Those giants would disagree. Symantec has promised to make a set of infrastructure software services available starting with a new backup service that was due late this year.

Symantec’s promised network “will be delivered via a software-as-a-service paradigm over the Web by browser, administered over the Web and managed over the Web,” says Chris Schin, director of product management at Symantec.

Symantec’s recent acquisition binge included Brightmail, a leading antispam service, which bolsters its services expertise.

It is becoming clear—whether the market lead goes to one of the young upstarts or to a more traditional incumbent—that more customers would like to stop threats before they enter their domain.

Alert Logic’s Smith likes the answering machine analogy. “How many people now use an answering machine versus a phone company service? That’s a great example of moving key infrastructure off-site to a provider. [Those services] can do things that a machine could never do, like put your messages on a Web server,” he notes.

There is evidence that more companies of all sizes are seeing the logic there and are at least kicking the tires of the security service model.

In a July report, Credit Suisse said the security-on-demand model is starting to find favor in both SMBs and enterprise accounts. “We expect this trend to accelerate in the coming years as customers are now beginning to favor the higher cost savings from on-demand solutions,” Credit Suisse research analysts Phillip Winslow and Dennis Simson wrote.

Barbara Darrow is a Boston-area freelance writer.

SaaS
7 Security Questions to Ask Your SaaS Provider
BY HEATHER CLANCY

Outsourcing an application means your organization relinquishes some control; don’t, however, loosen your grip on security.

In a bizarre way, the high-profile phishing attack against Salesforce.com suggests the software-as-a-service (aka SaaS) model has come of age.

In that attack, a spoofed email message was apparently used to lure a Salesforce.com employee to release certain customer information, which was in turn used to launch a secondary phishing campaign. While the breach was certainly embarrassing, it illustrates the power of the Salesforce.com brand.

It also reminds businesses of all sizes that just because they’ve outsourced an application doesn’t mean they can be any less vigilant about defining a security policy. The difference is now they’ll need to entrust enforcement to someone else.

“A lot of time, I find I’m putting myself in the role of a chief security officer,” says Mathew Hegarty, director of infrastructure and security for Net@Work, an IT services firm in New York that often recommends the SaaS approach to its customers. There are certain fundamental things you need to study—from authentication policy to infrastructure redundancy to how often the SaaS provider invests in independent penetration testing—especially when you’re talking about a single-tenant service where all customers share the same instance of the software, Hegarty says.

“The biggest thing we focus on with all of this is control of the data,” says Michael Mucha, chief information security officer for Stanford Hospital in Palo Alto, Calif., which uses several clinical applications that are delivered as a service, including transcription, and radiology and analysis systems. Given that health care is by far the most regulated industry he has worked in, Mucha has created a standardized checklist for his technical assessment of any application delivered via the SaaS model. Among the most critical of those items are whether or not the service provider complies with SAS 112 audit requirements (which applies to non-profits), how it documents its procedures for handling a security breach, and how it handles requests for changes and customized features, Mucha says.

Even more important will be the simple policies that a SaaS provider uses among its staff to protect your data. “We have complete access to the data, and we are the only ones with control of the authentication,” Mucha says. “The point is that you need a consistent approach to all these situations.”

The Salesforce.com breach, which the company acknowledged in an email last November, offers a perfect example of why this is critical. In that message, the SaaS giant acknowledged that data purloined from Salesforce.com was later used to compromise accounts at some of its customers, and Salesforce.com moved to disclose its exposure. Salesforce.com declined to comment on its security policy for this story, but in its email last fall, it made several suggestions for how its customers could protect themselves in the future, including ignoring potential phishing messages, activating IP range restrictions so that the software could only be used on a specified internal network or VPN, or using two-factor authentication.

Building on those ideas, we offer seven questions you should resolve with your provider before investing in SaaS.

QUESTION 1: WHO HANDLES PENETRATION TESTING, AND HOW IS IT DONE?
It stands to reason that if you would hire an outside company to test the effectiveness of on-site firewalls and other IT security measures, your SaaS provider should do the same—regularly.

Chuck Mortimore, director of platform services for Rearden Commerce, which offers the application Rearden Personal Assistant that helps coordinate various organizational tasks of your business and personal life such as booking travel, says his company employs someone to manage aspects of the vulnerability management process. The Foster City, Calif.-based company regularly runs both threat assessments as well as tests that verify its ability to withstand denial-of-service attacks. If a service provider doesn’t invest in creating regular processes for penetration testing, its risk increases exponentially, Mortimore says.

Likewise, Xythos Software, which offers its enterprise document management system as a service, has hired several specialized service providers to help manage security functions. Jim Till, CMO for San Francisco-based Xythos, says many of the company’s clients store highly sensitive information such as legal documents or logistics data in its application, which it first started selling as an on-premise option. For starters, the company has teamed up with OpSource, which recently announced Level 1 compliance with the rigorous Payment Card Industry Data Security Standard.

“We would have been foolish if we thought we could do this ourselves,” Till says.

Other providers of vulnerability assessment services for SaaS include Qualys (which itself offers its capabilities as a service); Akibia, a security services firm and Microsoft Gold Certified Partner; Perimeter eSecurity, which has been acquiring a slew of SaaS security integrators; and Computer Sciences, which offers a set of operational services for ISVs looking to turn themselves into SaaS providers.

QUESTION 2: WHAT ARE THE SIGN-ON, ACCESS AND AUTHENTICATION POLICIES?
The most common way to get at an application via the Internet is via a username and password. “The normal way is to go to their front door,” says Patrick Harding, chief technology officer for Ping Identity, a Denver company that makes identity federation software.

But a growing number of companies are working with their service providers to pull the SaaS sign-in process into the bounds of their firewall or VPN, providing a higher degree of authentication. Simply put, the user must first safely log in to the company’s corporate intranet before he or she can sign on to the application in question. This ensures that the login conforms to the company’s security policy. Later, if an employee leaves the company, it’s easier to disable his or her account access.

Liz Herbert, an analyst with Forrester Research who follows SaaS, says this effectively puts the access policy back into the hands of a company’s internal IT department. “Your company may have a password policy, but sometimes the SaaS application isn’t being managed according to the same rules,” she says. One thing to look for, she says, is whether the SaaS sign-in process can be tied into a single sign-on process (see “One & Done,” below) or integrated with an LDAP directory service such as Active Directory.

“I’ve looked at some Web-based applications that I’ve rejected because of this,” says Adam Sroczynski, CEO of Ebiztechonline, which uses SaaS to handle project management and business functions. The biggest issues for Sroczynski are the policies a SaaS provider has in place to protect the username and password. If there is no formal plan in place, a breach of the Salesforce.com sort is more likely to happen because internal personnel haven’t put in the proper security measures to reduce the potential for human misjudgment. Businesses should consider maintaining control of this process themselves, he suggests. That means, however, if a password is lost, the SaaS provider won’t be in a position to recover it on behalf of the customer.


SINGLE SIGN-ON
One & Done: Single sign-on simplifies access control.

How many account passwords can the average human manage? The holy grail of single sign-on, allowing a person to log in just once for multiple applications, is being accelerated by the move to SaaS accounts, says Adam Sroczynski, CEO of Ebiztechonline, an early user of TriCipher’s new on-demand single sign-on software myOneLogin. The more passwords a person must remember, the better the chances that at least one will be lost or compromised, he says.

Chuck Mortimore, director of platform services for Rearden Commerce, a SaaS provider that offers a personal assistant service, says that single sign-on puts access control and authentication back into the hands of the IT department. “It’s very important. It provides them with one set of information to worry about, which they already have control over.”

Patrick Harding, chief technology officer for Ping Identity, says single sign-on also makes it simpler to disable access quickly if an employee leaves or is terminated. “Plus, organizations can add whatever authentication they feel is necessary. They can reuse things they already have like certificates and tokens. It takes the burden off the SaaS provider.”

—HEATHER CLANCY

QUESTION 3: WHAT ENCRYPTION POLICIES WILL PROTECT DATA AS IT IS TRANSFERRED, OR WHEN IT IS BEING STORED?
For starters, you should look for and insist on the strongest encryption levels possible.

This was the deciding factor for Aimable Mugara, the IT and multimedia director for the nonprofit organization Free The Children in Toronto, which about a year ago opted to use the Mozy online data storage and backup service. While 128-bit SSL encryption is now fairly typical, Mozy—a division of EMC—offers 448-bit Blowfish on-disk encryption. “That is very rare,” Mugara says. Mozy also has taken steps to ensure its service meets compliance standards of the Health Insurance Portability and Accountability Act (HIPAA), which also gave Mugara a higher comfort level.

Prat Moghe, founder and chief technology officer for Tizor Systems, an enterprise data auditing and protection firm in Maynard, Mass., says it’s also important to study how the provider stores each customer’s data. “How strong is the security program when it comes to the data being stored. If there is a breach, how is that caught? And if the data gets out, is it encrypted?”

Another question worth asking: What breaches has the company had, if any, and how did it manage them?

One way to review the SaaS provider’s data protection policies is to request a copy of its SAS 70 Audit Report (see “Up to Standard?,” below). While SAS 70 is just a “gross level” audit, it does provide a common ground for discussion, says John Pescatore, security analyst with research firm Gartner. “This forces companies to define things in a way that’s meaningful to both sides,” Pescatore says.

SAS 70
Up to Standard? SAS 70 audits verify data protection methods.

SAS 70 is by no means a guarantee of security, but it is helping shine a light on acceptable security processes around SaaS.

SAS is short for Statement on Accounting Standards. The SAS 70 report details exactly what measures someone is taking to protect your company’s data. The Type I audit covers whether a SaaS provider has internal controls that are described in its disclosures to customers; Type II tests those controls in action.

John Pescatore, security analyst with research firm Gartner, says one good thing about SAS 70 is that it is recognized by corporate auditors. “If you use someone who doesn’t use this measure, then you’re always at risk,” he says. “It sets a barrier to entry.”

But Pescatore recommends adding a service-level agreement that outlines specific security measures, what will happen if something goes wrong and who is liable.

—HEATHER CLANCY

Shally Stanley, managing director of global services for Acumen Solutions, a security technology services provider, says her team forces its customers to step back and consider the type of data that would be stored.

“These questions are largely governed by the company’s own risk posture and the type of data that is being handled,” Stanley says.

“There are organizations that have very sensitive data that cannot, under any circumstances, be seen by anyone else. Their posture will be different than another company that has confidential information, but it isn’t disastrous if it gets out,” Stanley says.

QUESTION 4: IS THERE A SINGLE-TENANT HOSTING OPTION SEPARATED FROM THAT OF OTHER CUSTOMERS?
Another complicating factor is that in a true SaaS multi-tenant deployment, your company’s data may be side-by-side with another company’s data. So it’s important to understand how things are kept separate.

“The risk is that your data could leak out of your environment and be seen by other customers, potentially even their competitors,” says Acumen’s Stanley.

There are several ways in which customer data can be separated, and it’s important to understand which method your SaaS provider uses, she says. For example, if the division occurs within the application itself, a bug within the application could cause a failure of separation, meaning your data could be exposed to other customers or, in a worst-case scenario, to the outside world. Another way of keeping customers separate involves working with separate Web servers running on shared hardware.

The rise of virtualization, with customers potentially hosted on different virtual machines, should make separation easier. But Burton Group cautions that while this will cut down on risks, these virtual operating systems are subject to the same risks. Moreover, the hypervisor management layer adds a level of vulnerability.

Stanley says your provider should run regular tests for data leaks. If it does not, you might be better off insisting on a single-tenant data storage option (closer to outsourcing) or looking for a provider that offers this choice, she says.
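The application-level separation failure described above, as an added example that is not code from the article or any provider it names: a lookup that keys on the record id alone sits beside one that makes the tenant part of the key, and a leak test of the kind Stanley says a provider should run regularly exercises both. The tenant names, document ids and records are constructed for illustration.

```python
"""Tenant isolation inside a shared application instance: a leaky lookup
beside its tenant-scoped form, and a leak test that exercises both.

Added example, not code from the article or any provider it names.
Tenants, document ids and record contents below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Document:
    doc_id: int
    tenant: str
    body: str


# Constructed sample data: two customers sharing one multi-tenant instance.
DOCUMENTS = [
    Document(1, "acme", "ACME Q3 logistics plan"),
    Document(2, "acme", "ACME supplier rate table"),
    Document(3, "globex", "Globex legal memo"),
    Document(4, "globex", "Globex carrier contracts"),
]

Fetch = Callable[[str, int], Document]


def get_document_leaky(tenant: str, doc_id: int) -> Document:
    """The bug class the article warns about: separation is enforced 'within
    the application', but this code path keys the lookup on doc_id alone and
    never consults the caller's tenant, so any id resolves for any tenant."""
    for doc in DOCUMENTS:
        if doc.doc_id == doc_id:
            return doc
    raise KeyError(doc_id)


def get_document_scoped(tenant: str, doc_id: int) -> Document:
    """Hardened form: the tenant is part of the lookup key. Another tenant's
    record is indistinguishable from a nonexistent one, so the caller learns
    neither its contents nor whether the id exists at all."""
    for doc in DOCUMENTS:
        if doc.tenant == tenant and doc.doc_id == doc_id:
            return doc
    raise KeyError(doc_id)


def list_documents_scoped(tenant: str) -> List[Document]:
    """Every query path, not only point lookups, must carry the tenant predicate."""
    return [doc for doc in DOCUMENTS if doc.tenant == tenant]


def leak_test(fetch: Fetch, tenants: List[str]) -> List[Tuple[str, int]]:
    """A regular data-leak test of the kind a provider should run: for each
    tenant, request every id the system knows about and record any fetch that
    hands back another tenant's record. An empty result means isolated."""
    leaks: List[Tuple[str, int]] = []
    all_ids = [doc.doc_id for doc in DOCUMENTS]
    for tenant in tenants:
        for doc_id in all_ids:
            try:
                doc = fetch(tenant, doc_id)
            except KeyError:
                continue  # invisible to this tenant, which is the intended outcome
            if doc.tenant != tenant:
                leaks.append((tenant, doc_id))
    return leaks


if __name__ == "__main__":
    tenants = ["acme", "globex"]
    print("leaky lookup :", leak_test(get_document_leaky, tenants))
    print("scoped lookup:", leak_test(get_document_scoped, tenants))
```

The same test, pointed at a real tenant API rather than an in-memory list, is what a customer can ask to see the results of when a provider claims it tests for leaks.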


QUESTION 5: WHO MANAGES THE APPLICATION ON THE BACK END, AND WHAT POLICIES ARE IN PLACE TO THWART INSIDER BREACHES?
As the Salesforce.com breach illustrates, many security issues are tied more to the flaws of human nature than to some technical weakness.

“A lot of SaaS providers offer optional 128-bit encryption on the fly, but this hasn’t always been made mandatory,” says Jay Elder, managing director of service development for Incentra Solutions, a security services firm in Boulder, Colo. “Users really need to be trained to log in using [the toughest] encryption and to be aware of the social vulnerabilities of giving away their passwords.”

The matter of user administration rights once you’re inside the application also can’t be underestimated. Gregg Bostick, vice president of transportation at Pinnacle Foods, uses the SaaS application LeanLogistics On-Demand TMS to manage transportation arrangements between his team and various shipping partners. Bostick closely controls who has the right to view certain types of data, such as the carrier rate tables or the accounts payable information.

“This is really process-oriented security,” Bostick says. “It’s only a problem if you allow it to be a problem.”

A bigger problem, perhaps, comes in management of an application back at the provider. Forrester’s Herbert says it’s important to understand who will be able to modify the application, along with the rules and access rights. From the customer standpoint, this should remain under the control of the business’ internal IT team, which can interface with the technical contacts at the service provider, she says. There need to be strong measures in place to ensure that account information cannot easily be shared or accessed by personnel at the service provider. The company should also have specific policies related to spoofing of accounts and phishing.

QUESTION 6: WHAT IS THE BACKUP AND RECOVERY PLAN?
One thing that doesn’t get talked about as much when it comes to SaaS security is business continuity—how the provider protects its customers against potential denial-of-service attacks or in the event of a natural or man-made disaster.

But that was a major consideration for Michael Roseman, vice president of finance and strategy at Astadia, a 155-person management consulting firm that uses several different SaaS applications including Salesforce.com, Workday and Cornerstone OnDemand.

“These companies can make much better investments in security than we can,” says Roseman. “If we did this on-premise, we would have to provide backup and redundancy. How can my company hope to offer the same levels as these providers?”

Gartner’s Pescatore says businesses should also be concerned with the physical location of the hosting facility, requesting an on-site inspection if possible. Geography also matters: If the service provider hosts the data in another country, the business should acquaint itself with privacy and data ownership laws of those jurisdictions. “You have to worry a lot more if something goes wrong,” he says. Plus, it may be tougher to enforce service-level agreements.

QUESTION 7: HOW WELL DOES THE PROVIDER’S SECURITY POLICY MATCH MY COMPANY’S (IF MY COMPANY HAS ONE)?
If your company already has a security policy in place, it should be relatively simple to compare the vision of a would-be SaaS provider against your own. A SaaS company’s ability to provide security measures could actually be more sophisticated and thorough than a customer’s capabilities, especially if you’re talking about a small business or midsized account. That doesn’t supersede the need for the customer to vet the provider’s policy, but it makes it simpler to justify going with SaaS.

“This really saves us a lot of money,” says Mike Stump, director of information technology for Roundtable Corp., which owns 46 Dairy Queen franchises that use various SaaS applications to manage their operations. “For us, that is the biggest advantage.”

For other companies, it comes down to focus—and scale. Dan Nadir, vice president of product strategy for ScanSafe in San Mateo, Calif., which offers managed services for Web security, says many of his company’s customers have few IT staffers to handle issues like security.

“We make their headaches go away.…We use multiple engineers, which they can’t. We’ve got tons of techniques they can’t use. We’re able to react. The more users we have, the more traffic, and the better off everyone ends up being.”

Heather Clancy is a business journalist and communications consultant based in Midland Park, N.J. She specializes in writing about emerging trends, including mobility and green technology, and can be reached at [email protected].


Outsourcing Vulnerability Management
BY DIANA KELLEY

Giving it to an outsider could be an easy solution, but enterprises need to first understand the gritty details.

The idea of outsourcing an especially difficult duty is pretty appealing. At home, who wouldn’t happily “outsource” cleaning the bathroom, doing the laundry or taking out the trash? And, in the professional IT world, who wouldn’t want to outsource the tough task of vulnerability management (VM)?

With the growing number of software patches, regulatory requirements, and increasing complexity of networks and threat models, managing network and system vulnerabilities has become an arduous chore for most enterprises.

Though it may appear that outsourcing VM is a no-brainer for many companies, outsourcing any security function is a far more complicated decision than sending your shirts to the cleaners. We’ll take a look at what outsourcing VM means, and review the technical and non-technical considerations enterprises should sort through when assessing the benefits and costs associated with VM outsourcing.

CONSIDERATIONS
Before considering VM outsourcing, it’s important to understand VM. When discussed in an IT context, it’s not meant to encompass the whole spectrum of potential enterprise vulnerabilities. Whole-enterprise vulnerability management would need to include the vulnerability associated with having a criminally minded CEO, or the vulnerability of investing time and money in an ill-conceived product.

When IT professionals discuss VM, we are most often talking about how to identify and remediate threats in the resource layer. This means looking for vulnerabilities in the operating system, applications, databases and other IT resources, and then closing the risk window via some form of remediation, like applying a patch or making a configuration change.

Be aware, though, that taking the wrong action could introduce a greater vulnerability to the enterprise. For example, if a database vendor releases a patch designed to fix an obscure and difficult-to-exploit vulnerability, and the patch is problematic, it can bring down your enterprise servers. Automatic responses outside the normal trouble ticketing, workflow and change management accountability chain can introduce unacceptable levels of risk. Risk reduction controls, such as testing the patch prior to applying it to the production server, can keep risk in check, as can keeping the response and remediation process in line with corporate workflows and approval processes.

To close the loop, most companies implement ongoing verification and monitoring of their VM system, and accomplish this, in part, by sharing the data collected and managed via the VM systems with external tools. In addition to integration with workflow and change management solutions, VM tools can share critical event information with network systems management (NSM) tools, security event and information management (SEIM) tools, compliance dashboard tools, and other correlative and analytic portals.

SERVICES
When thinking about outsourcing VM, break down what types of services an external provider supplies. Here are some of the most commonly outsourced VM services (most large outsourcers supply all of these services, but always check for details of specific vendor offerings):

• Asset identification. There’s an old saying that is appropriate in the VM world: “You can’t manage what you don’t know.” There are dozens of vulnerabilities released every day, but many aren’t a priority for your network. The only way to know which vulnerabilities and exploits matter to your company and your systems is to know exactly what you’ve got. It can also help to know where the systems are. Many attacks can be thwarted via port blocking; if a device is in a protected zone and all traffic into that zone can be filtered, the vulnerability can be mitigated. Asset identity services scan your network and return detailed listings that identify what systems are on the network, their patch and configuration levels and their location within the network topology.

• Vulnerability identification/assessment. What vulnerabilities are in the wild? Part of the intelligence process of a VM outsourcer is the ability to gather and disseminate data on vulnerabilities and patches. Vulnerability information can come from a variety of sources: vendors, lists and media reports, among others. The depth of the information gathered in the asset identification is then assessed against known vulnerabilities and exploits. The outsourcer can then notify the customer where the problems are and what actions are recommended.

• Remediation and patching. Taking action is a critical part of VM, but what about when remediation is outsourced? It can mean that the outsourcer makes the call and takes action as needed—anything from applying a patch to reconfiguring access control rules on a firewall. Alternately, the outsourcer could integrate with the customer’s workflow and trouble ticketing system, so the patch is queued for deployment, but the actual deployment task is completed by the customer.

• Control verification and monitoring. Because VM is fundamentally about closing windows of exposure, it’s important to ensure that there is an audit and verification function to verify that changes and fixes have been applied properly. It is also important to know who approved the change and who applied it. An outsourcer should be able to provide the customer with detailed, real-time access into the audit and verification functions. Additionally, many enterprises want to have transparency back to the internal corporate network and event management engines via the export of log information from the service provider.
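As an added example (not code from the article or from any VM vendor it names), the Python below shows how the asset-identification and vulnerability-assessment services just described fit together: an inventory of hosts with their zone, installed software versions and listening ports is matched against a vulnerability feed, and each finding is marked exposed or mitigated depending on whether the zone’s port filtering lets traffic reach the vulnerable service, so mitigated findings can wait for the normal change window rather than triggering an out-of-band patch. The inventory, zone policy, product names, version numbers and ADV-PLACEHOLDER advisory IDs are all constructed sample data.

```python
"""Added example (not from the original article): match an asset inventory
against a vulnerability feed and classify each finding as exposed or
mitigated by zone filtering.

Every record below is constructed sample data; product names, versions and
ADV-PLACEHOLDER identifiers are placeholders, not real advisories.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Asset:
    host: str
    zone: str                      # network zone from the asset-identification scan
    software: dict                 # product -> installed version, e.g. {"dbserver": "3.1"}
    listening_ports: set = field(default_factory=set)


@dataclass
class Vuln:
    advisory: str                  # placeholder advisory identifier
    product: str
    fixed_in: str                  # first version that carries the fix
    port: Optional[int]            # port the flaw is reachable on; None = local only


# Constructed zone policy: inbound TCP ports each zone's filter allows through.
ZONE_ALLOWED_PORTS = {
    "dmz": {80, 443},
    "internal": {80, 443, 1433, 3306},
    "restricted": set(),           # nothing reaches this zone from outside
}


def version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def is_vulnerable(asset: Asset, vuln: Vuln) -> bool:
    """True when the asset runs the affected product below the fixed version."""
    installed = asset.software.get(vuln.product)
    if installed is None:
        return False
    return version_tuple(installed) < version_tuple(vuln.fixed_in)


def exposure(asset: Asset, vuln: Vuln) -> str:
    """Classify a matched finding.

    'exposed'   - the vulnerable port is listening and the zone filter admits it
    'mitigated' - the zone filter blocks the port (or the flaw is local-only),
                  so the patch can follow the normal change window
    """
    if vuln.port is None or vuln.port not in asset.listening_ports:
        return "mitigated"
    if vuln.port in ZONE_ALLOWED_PORTS.get(asset.zone, set()):
        return "exposed"
    return "mitigated"


def assess(assets, vulns):
    """Return (host, advisory, status) for every matching finding, exposed
    findings first so they sit at the top of the remediation queue."""
    findings = []
    for a in assets:
        for v in vulns:
            if is_vulnerable(a, v):
                findings.append((a.host, v.advisory, exposure(a, v)))
    findings.sort(key=lambda f: (f[2] != "exposed", f[0], f[1]))
    return findings


# Constructed sample inventory and feed.
SAMPLE_ASSETS = [
    Asset("web01", "dmz", {"httpd": "2.2"}, {80, 443}),
    Asset("db01", "internal", {"dbserver": "3.1"}, {1433}),
    Asset("hr01", "restricted", {"dbserver": "3.1", "httpd": "2.2"}, {1433, 80}),
]
SAMPLE_VULNS = [
    Vuln("ADV-PLACEHOLDER-1", "httpd", "2.4", 80),
    Vuln("ADV-PLACEHOLDER-2", "dbserver", "3.2", 1433),
    Vuln("ADV-PLACEHOLDER-3", "dbserver", "3.3", None),   # local-only issue
]

if __name__ == "__main__":
    for host, advisory, status in assess(SAMPLE_ASSETS, SAMPLE_VULNS):
        print(f"{status:9} {host:6} {advisory}")
```

On the sample data the two findings reachable through their zone filters (db01 and web01) come out first; everything on the restricted host and the local-only flaw are reported as mitigated, which is exactly the distinction the article draws between a vulnerability that exists and one that matters right now.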

ARCHITECTURE
Before moving forward with outsourcing of vulnerability management, enterprises must take into account a number of important architectural considerations.

Will the outsourcer be using internal scans, external scans or both? If outsourcers are only scanning from outside the company (usually in front of the firewall), they will only be able to see what an external attacker can. While this is useful information, there are vulnerabilities inside corporate networks that should not be ignored. The traditional single perimeter continues to move deeper and deeper into the network and is distributed on hosts and sub-zones.

If the decision is made to allow the outsourcer to place internal scanners on the network, be clear up front about who is responsible for managing those scanners and how the data being sent back to the outsourcer is protected. What level of trust will the outsourced scanner have inside trusted corporate zones? If the scanner from the outsourcer is being placed in a restricted zone, will the owners of that zone have appropriate control of the scanner?

Then consider how invasive the scans will be on the network. Scanning can be done via an agent or from the network, with or without credentials. An agent requires a piece of code be installed on every host that will be scanned. Does your company feel comfortable having a piece of code from an outsourcer installed on all its monitored devices? Many do not, so the outsourcer may have to use a network-based scanning solution. Although these are less invasive because no code installations are required, they can be a heavier hit to network traffic depending on how frequently and how many devices they scan.

In addition, VM scanning can be more or less invasive based on whether or not credentials are used. In credentialed scanning, some form of valid credentials is given to the scanner so that it can log in and look for vulnerabilities as a legitimate user. This kind of scanning can turn up more information, but can also crash systems.

Some scanners attempt to exploit vulnerabilities, with or without credentials, which can result in system or service crashes. Check with your outsourcer to determine the right level of invasiveness to keep system outages to a minimum.

It’s important to consider the general readability of the information gathered by the outsourcer. Having a lot of wonderful data stored at the outsourcing partner won’t help much if you can’t access it and understand it easily. Is the dashboard data shown in near real-time, or is there a delay? Some VM outsourcers provide dashboards that enable the customer to have the same visibility into the current state of the network that their security operations center engineers have. Also, can the information be accessed securely, with appropriate authentication and protection in transit, and can it be exported to stem systems and consoles, such as a SEIM or other event correlation tool?

VULNERABILITY ASSESSMENT
Ironing Out the Details
In the outsourced VM services world, the phrase “vulnerability assessment” usually means scanning a network of target devices for current patch levels and configurations, and matching this information against technical security policy requirements and known vulnerabilities.

The question that often arises from customers is whether the vulnerability assessment offered as part of a VM service is the same kind of large-scale vulnerability assessment offered by consulting firms and even some VM outsourcers. The answer is, “No, not really.”

VA, as part of VM, is tightly focused on automated scanning and information gathering from target devices. A full-blown security and vulnerability assessment usually includes a people, process and technology review of security and vulnerability in an enterprise. A large-scale security and vulnerability assessment project can include a number of moving parts:

• Tiger team penetration testing
• Process and procedure reviews
• Interviews with key personnel
• Documentation reviews
• Code reviews
• In-depth assessment of threat models and paths
• Recovery readiness

Clearly, a vulnerability or security assessment of that level is a much more complicated process than automated scanning of systems. Before contracting with a VM outsourcer, check to see what the company will explicitly provide as part of the vulnerability assessment service. If you need a deeper and more complete VA, it’s possible to outsource that, too. Be aware, though, that you may need to contract with a specialized consulting firm (such as one of the Big 4) for this type of detailed assessment work.

—DIANA KELLEY

ACCOUNTABILITY
Any company that is considering outsourcing vulnerability management needs to take a long, hard look at accountability issues. The bottom line is that accountability cannot be outsourced. This places additional management and monitoring responsibility on the company that has contracted with an outsourcer. If a critical accounting server goes down in the last quarter of the year, your IT department will be accountable even if the server went down because of an error by the VM outsourcer. Simply put, any information that is lost and any downtime that is suffered will be your IT department’s responsibility.

Cyber-insurance may defray the cost of losses due to internal or outsourcer errors. Think through what kind of data the outsourcer will be holding, and whether you trust the outsourcer to hold this data. If your servers do not have the latest patches, does that constitute a risk to your organization? This vulnerability could be used by an attacker to know where to strike, or by a lawyer to prove lack of diligence.

Also, you need to examine the level of communication that you expect between your IT team and the outsourcer. Defining key liaisons from each team to work together can increase the success of the communication process. Make weekly status calls to go over any outstanding issues. The communication plan should extend to escalation and disaster procedures: When and why should the outsourcer start paging internal administrators? What constitutes an emergency? What is the escalation path at your organization that the outsourcer should take to get resolution?

Once your questions have been addressed, get everything in writing before contracting the service. Clear, concise, enforceable service level agreements (SLAs) can go a long way to keep the relationship productive. It also helps to have a clause in the SLA regarding remuneration should the outsourcer fail to keep to the terms of the agreement. Although accountability can’t be transferred, partial cost of failure can be distributed back to the outsourcer in the event of a security incident.

RETURN ON INVESTMENT
Security is a notoriously difficult area in which to prove ROI; what is being measured is often the cost of nothing bad happening. To realize realistic ROI, focus on metrics that can be measured rather than estimated.

For VM outsourcing, review how the service may save your enterprise head count. Are there full-time employees currently in charge of internal scanning, monitoring vulnerability lists and deploying patches? If so, how many of them can be reassigned to other jobs if the VM task is outsourced? Don’t forget that you will still need staff to manage the outsourcer, as well as some to oversee escalation and change management approval.

Many enterprises are outsourcing vulnerability management to reduce demands on internal personnel and resources. There are many benefits that can be realized by outsourcing VM. Overall head count requirements for VM may go down as the tasks are assigned to the outsourcer and, subsequently, internal resources can be reassigned to other projects.

But VM outsourcing is not a decision to be made lightly. For the best chance at success, think through the questions and concerns that matter to your enterprise and get the answers from your outsourced agency in writing.

Remember that while much of the labor and resource requirements can be outsourced, accountability cannot. Someone at your organization will still be on the hook to ensure that the outsourcer takes the correct steps in managing the vulnerabilities.

If all your white shirts come back from the laundry gray due to a bad process, who has to go to work the next day in a gray shirt? If your systems are attacked because the right patches or configurations were not applied, who takes the fall?

Think carefully about the process and how it will work optimally for your organization before dumping this laundry load on an outsourcer.

Diana Kelley is a partner with Amherst, N.H.-based consulting firm SecurityCurve. She formerly served as vice president with research firm Burton Group. She has extensive experience creating secure network architecture and business solutions for large

Security in the Cloud
BY MICHAEL S. MIMOSO

Security managers are looking to the keepers of the Internet cloud for relief.

As attackers get more sophisticated, security managers are looking for a little help from above—the Internet cloud and the keepers of the Internet backbone. Carriers are starting to offer in-the-cloud security services that take advantage of their inline position with network traffic and their ability to stop attacks before they reach the enterprise gateway.

Savvis, AT&T, Verizon and Perimeter Internetworking sell DDoS, antispam and antiphishing protection and other security services from the cloud. The majority of these services are in their infancy, with a few financial services organizations and SMBs among the early adopters. Carriers, meanwhile, continue to seek the right combination of technology to mitigate threats and add new services down the line—all the while managing a level of cooperation among competitors to keep incidents in check.

If carriers take hold of the ever-dissolving network edge and move enterprise DMZs into the cloud, companies will be able to retire hardware licenses and subscribe to services currently offered by managed security service providers at a fraction of the cost.

“All security functions will be forced into the cloud—DDoS, antivirus, firewalling. If we’re right, it’s a profound concept,” says AT&T CSO Ed Amoroso. “We become an MSSP. We are taking what MSSPs do and meshing that with our own infrastructure so that the service provider and the carrier become one.”

A CRUCIAL HEADS-UP
Mark Ramsey, formerly the global manager of data security and compliance for Pitney Bowes, had the scoop on the Zotob worm outbreak days before most of his peers. Zotob exploited a buffer overflow in Windows Plug and Play and spread from network to network. It opened a back door and enabled remote access to infected machines. It appeared less than a week after Microsoft released security bulletin MS05-039.

But Pitney Bowes’ network survived unharmed. Why? Its bandwidth provider, AT&T, put out the word that spikes in activity on port 445 were signaling an impending outbreak of malicious code. Ramsey was able to act on this intelligence and order patching and other remediation steps. Eighty-five percent of Pitney Bowes’ network was patched days before Zotob struck. AT&T, meanwhile, choked off the bad traffic.

“AT&T has the unique perspective that it can see everything at the bits and bytes level, collate that information and see things like this coming quickly,” Ramsey says. “It’s great as a security manager getting that kind of heads-up. We’re not blindsided.”
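The heads-up in the Zotob story was a spike in port 445 activity seen at carrier scale. As an added example (not the article’s code and not anything AT&T runs), the Python below shows the shape of that signal on a small scale: it buckets flow records per minute, compares each minute’s count of port 445 flows with a trailing baseline, and lists the sources behind a flagged minute so an operations team can act on it. The flow records, IP addresses, baseline window and thresholds are all constructed assumptions; on a real network the window and sigma would be tuned to the observed baseline.

```python
"""Added example (not from the article or from AT&T): flag a sudden rise in
flows to TCP port 445 against a trailing baseline, the kind of early-warning
signal described in the Zotob story.

The flow records below are constructed sample data, not captured traffic;
the thresholds are assumptions a defender would tune to their own baseline.
"""
from collections import Counter
from statistics import mean, pstdev

# Constructed sample flow records: (minute, src, dst, dst_port).
# Minutes 0-5 carry normal SMB chatter; minute 6 shows a scanning burst.
SAMPLE_FLOWS = (
    [(m, f"10.0.0.{i}", "10.0.1.5", 445) for m in range(6) for i in range(1, 4)]  # 3/min baseline
    + [(m, "10.0.0.9", "10.0.1.8", 80) for m in range(7)]                      # unrelated web traffic
    + [(6, "10.0.0.7", f"10.0.2.{i}", 445) for i in range(1, 41)]               # 40 new targets in one minute
)


def per_minute_counts(flows, port):
    """Count flows to `port` per minute, filling quiet minutes with zero."""
    counts = Counter(m for m, _, _, p in flows if p == port)
    last = max(m for m, *_ in flows)
    return [counts.get(m, 0) for m in range(last + 1)]


def spike_minutes(series, baseline_window=5, sigma=3.0, min_abs=10):
    """Return minutes whose count exceeds the trailing baseline by `sigma`
    standard deviations and by at least `min_abs` flows.

    The absolute floor keeps a near-flat baseline (stdev close to 0) from
    alerting on a change of one or two connections.
    """
    alerts = []
    for i in range(baseline_window, len(series)):
        window = series[i - baseline_window:i]
        mu, sd = mean(window), pstdev(window)
        if series[i] - mu >= max(sigma * sd, min_abs):
            alerts.append(i)
    return alerts


def top_talkers(flows, minute, port, n=3):
    """Sources generating the most flows to `port` in the flagged minute."""
    c = Counter(s for m, s, _, p in flows if m == minute and p == port)
    return c.most_common(n)


if __name__ == "__main__":
    series = per_minute_counts(SAMPLE_FLOWS, 445)
    for minute in spike_minutes(series):
        print(f"minute {minute}: {series[minute]} flows to tcp/445 "
              f"(baseline {series[minute - 5:minute]}); "
              f"top sources {top_talkers(SAMPLE_FLOWS, minute, 445)}")
```

The same per-port series can be built for any port of interest; the unrelated port 80 traffic in the sample never trips the detector, which is the point of comparing against a per-port baseline rather than total volume.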

Carriers are banking on enterprises recognizing that bandwidth providers have the edge in their ease of access to network traffic, and that there is an economy of scale in outsourcing network security services to the cloud.

“The big Tier-1 types definitely have the advantage because they see everything at the backbone,” says Gartner vice president John Pescatore.

The trickle-down to security managers rests in the fact that carriers have to meet bandwidth SLAs with their customers. Carriers must invest in avant-garde technologies to defend and clean their pipes, and to absorb DDoS attacks and malware outbreaks while still hitting these service levels. Also, in order to squeeze a few bucks out of their investments and stave off tumbling revenue and profit margins, carriers can offer cloud security services cheaper than an MSSP, putting a chokehold on that segment of the competition.

“The biggest advantage to doing [security] in the cloud is that you remove attacks from bandwidth,” Pescatore says. “If I pay for a T1 line, and 700 kilobits per second [of traffic] are worms and viruses scanning my network, I might consider buying another T1 because I need more bandwidth. If that noise gets filtered at the cloud, I might not have to buy another T1.” T1 lines can cost more than $1,500 a month, which includes carrier and ISP fees. “You’re looking at real big numbers,” Pescatore says. “If you’re looking at some of the big T3s, how many megabits per second are they logging for no reason? Think about the amount of spam before filtering became popular—hitting hard drives and requiring more storage.”

The numbers are compelling, but they’re not the clincher in this kind of decision. A company needs to consider how its network architecture is constructed, how it connects to the Internet and what kind of trust relationship an enterprise has with a network service provider.

A Forrester Research paper points out that security managers are usually unwilling to give up control over part of their infrastructure, but should realize that providers already carry a company’s sensitive data and are responsible for how they connect to and present themselves on the Internet. Internally, there has to be a determination in an SLA of what a carrier, for example, would be responsible for blocking and what a company would secure.

That would force security and network teams to examine how a company connects to the Net. Companies with many locations may use multiple service providers. If some security functions are transferred to a carrier, the carrier becomes responsible for that risk, Forrester says. A company would then have to make decisions on who would provide connections to the Internet and where, what kind of traffic is carried via those connections and what security services would be required for the different connections.

UP IN THE AIR
Ken Emerson, CIO of Boiling Springs Bank, a 14-branch regional financial services provider in New Jersey, says his organization’s investment in cloud services (IDS management, spam filtering) from Perimeter Internetworking helps keep its business model viable. Perimeter sells managed network security services and acts as a utility between a customer and its carrier or ISP. Traffic is routed through Perimeter via a point-to-point switch or frame relay VPN, cleansed and then routed back to the customer.

“If ISPs don’t take care of this themselves, you’re going to see a reduction in online activities,” Emerson says. “The business model won’t work, and people won’t invest in it unless we have a cleansing of the Internet at the level of those who provide access to it—it’s incumbent upon ISPs and carriers to do so.”

AT&T’s Amoroso says the challenge with security managers is not only overcoming those reticent to give up control of all or part of their security operations to a carrier, but fighting long-standing infrastructure investments.

“The only thing standing in the way would be inertia, meaning, ‘I’m set now; this would be a change. Even if it’s cheaper, it would be a change,’” Amoroso says. “The issue in the industry is that there are an awful lot of companies that are not happy about the message that we are proposing. It’s been a very lucrative market for so long to sell IDS and IPS. Then Ed comes along and says, ‘Hey, this functionality really can be embedded in the carrier infrastructure.’ Naturally that’s not going to make everyone happy.”

MSSPs argue that the carriers don’t have the in-house expertise to develop technologies like theirs. Keith Laslop, vice president of business development for MSSP Prolexic Technologies, which offers a Clean Pipe managed service, says the carriers have to rely on partnerships with providers like Arbor Networks, McAfee and others that have established DDoS protection tools on the market.

“The difference is in expertise,” Laslop says. “It’s just not the same.” He also argues that carriers cannot adequately satisfy the security needs of medium or larger companies getting bandwidth services from multiple carriers.

“[DDoS] services, for example, are next to impossible to do themselves unless you are the largest of the large with 20 gigabits of bandwidth. You have no chance of stopping an attack yourself,” Laslop says, adding that a trend is developing where many DDoS attacks originate from competitors and arrive without warning. “A lot of companies want to be proactive and want protection either because they’re being threatened, or someone in their [market] has been threatened.”

A company like Prolexic can charge about $5,000 per month for its anti-DDoS services, as opposed to almost double that price per month from a big carrier, according to a Gartner study. While some may think that a steep figure, providing DDoS protection internally could run in the hundreds of thousands of dollars annually, factoring in the purchase of additional hardware, bandwidth and staffing expertise, Gartner says.

Verizon, via its acquisition of NetSec, veered away from AT&T’s approach to cloud services. NetSec’s Finium platform integrates input from a user device with intelligence gathered from Verizon’s IP network to prioritize threats and manage them according to policy.

“We combine our cloud services with what’s happening inside,” says Verizon vice president of security Sara Santarelli.

“In pure cloud services, you’re not matching up what’s happening inside with the cloud perspective. How do you protect the inside threat as well as the outside?”

Verizon has been offering DDoS mitigation and detection services since June, and it also offers an e-mail content service and a WAN defense service, both available since May.

CLEAR OR CLOUDY FORECAST?
Gartner’s Pescatore says the carriers’ cloud services model resembles what security managers are used to from bandwidth providers—services across a shared infrastructure. The difference is that enterprises would no longer have to manage expensive hardware or pay licensing fees.

There are several sticking points the carriers must iron out before cloud services become viable, especially for larger enterprises. Primarily, Pescatore says, security managers are concerned about sharing routers, servers and switches with others on the carrier network, and whether carriers would limit configurations or policy options to reach a particular price point. Security managers aren’t willing to be flexible in most cases and will demand dedicated equipment at the carrier.

Control loss is another issue; AT&T offers customers a portal service where they can monitor device status and alerts.

Ramsey is an AT&T portal customer and shrugs off the control question. “Trust but verify; we have a stipulation [in our SLA] that we can monitor anytime we want,” Ramsey says. “You miss something and we’re hit financially, you’re partly responsible.”

Carriers must also provide availability guarantees, and reporting and auditing capabilities. The biggest worry, especially for SMBs going with a smaller telco or ISP, is the long-term viability of the provider.

“If a [provider] goes under, now I don’t even have a firewall,” Pescatore says. “I’m stuck. It’s not so much an issue of loss of control and not being able to control policy, but the issue of what happens if the service provider goes away and I don’t have protection.”

CONSIDERATIONS
Are Cloud Services for You?

Pros:
• Alerts customers to potential outbreaks before they happen
• Cleanses traffic on their networks before it reaches enterprise border
• Blocks unwanted traffic
• Mitigates DDoS attacks
• Eliminates customer premises equipment (CPE)
• Eliminates licenses, or redeploys detection and prevention CPE to other areas of infrastructure
• Frees up bandwidth
• Uses familiar service models

Cons:
• Limits carrier configurations or policy options because equipment is shared by multiple customers
• Restricts customer control over security devices
• Relies on portals for updates on device status and analysis
• Complicates coordination of cloud services among multiple carriers in same organization

Sources: AT&T, Verizon, Perimeter Internetworking, Gartner Inc.

Michael S. Mimoso is editor of Information Security.


OPTIONS
In-the-Cloud Services
Telecommunications providers are in position to offer the following security services from the Internet cloud:

Denial-of-service protection
This chokes off large-scale DDoS attacks, as well as those targeting specific organizations, before they reach the enterprise edge.

Firewall, IPS management
A natural service because attacks can be stopped before reaching a gateway. Carriers can cheaply price these services because virtual firewalls are shared from a single device.

Antivirus, antispam filtering
Monitoring and blocking unwanted e-mail in the cloud reduces infrastructure investments for the enterprise. Gartner says one-fifth of the e-mail filtering market already comes from in-the-cloud services.

IDS management
IDS management in the cloud eliminates the need for sensors on the enterprise network edge.

Content filtering
This cuts off unwanted inbound content and prevents the outbound loss of intellectual property.

Sources: AT&T, Verizon, Perimeter Internetworking, Gartner Inc.

[Figure: two panels, “Do It Yourself” (Option 1, Option 2) and “In the Cloud” (Option 1, Option 2), showing firewall, IPS, monitoring console, MSSP SOC and portal components.]

With the do-it-yourself configuration, left, an enterprise has the option of either retaining the human and financial resources to manage network traffic (Option 1), or outsourcing it to a traditional MSSP (Option 2). Opting for in-the-cloud security services from a telecommunications carrier or a network services provider, right, frees a company of expensive hardware purchases and license renewals. Moving the DMZ to the Internet cloud enables a carrier (Option 1) or NSP (Option 2) to cleanse traffic inline, re-route it to your network and keep denial-of-service, spam and phishing attacks to a minimum.

SaaS Resources from our sponsors

Alert Logic
Using SaaS for Security and Compliance: Why On-Demand is in High Demand
This webinar shows how Alert Logic revolutionizes the way PCI DSS compliance and security solutions are designed, delivered, and utilized through Software-as-a-Service.

Is Mid-Market PCI DSS Compliance the Killer App for Software-as-a-Service?
Listen to this podcast to hear why SaaS equals PCI DSS compliance for organizations who do not want to be in the business of managing messy IT infrastructures.

Log Management meets Software-as-a-Service: Marriage of Convenience or Match Made in Heaven?
In this videocast, two industry heavyweights debate whether SaaS-based log management has any inherent advantages over traditional on-premise log management.

Log Management in the Cloud: A Comparison of In-House vs. Cloud-Based Management of Log Data
This white paper addresses best practices for any log management solutions, questions for the SaaS provider, and considerations for in-house log management.

The Essentials Guide: PCI Compliance
Download this guide from Rebecca Herold of Realtime Publishers to understand how to use PCI DSS-compliant log management to identify insider access abuse.

MessageLabs
Block Evolving Spam, Secure Your Network
Choosing a Solution for Web-Filtering: Software, Appliance, Managed Service?
Email Security Buyer's Guide: Software, Appliance, Managed Service?
Employee Web Use and Misuse: Companies, Their Employees and the Internet

Ping Identity
Single Sign-On for SaaS Applications
Secure Internet SSO & User Provisioning for Salesforce CRM (with Tutorial video)
Secure Internet SSO & User Provisioning for Google Apps (with tutorial video)
White Paper: Federated Identity and Software as a Service (SaaS): Single Sign-on to the Cloud

Purewire
White Paper: Hackers Announce Open Season on Web 2.0 Users and Browsers
Understand the complete Web security threat landscape; learn best practices to keep the Web productive and safe.

White Paper: Security-as-a-Service — How SaaS Can Improve Your Organization’s Security
Discover the shortcomings of on-premise security solutions and how SaaS can improve your organization’s security posture.

Analyst Opinion: Purewire Vendor Profile
Hear from the experts at IDC how to protect your organization from malicious destinations, objects, hackers and attacks.

FREE Interactive Educational Webcast: Why URL Filtering Isn’t Enough!
Learn what’s happening in your environment, vulnerabilities facing your organization’s confidential data, and how to defend your users and your network against malicious Web activity.

FREE Trial: Web Security SaaS
Learn what’s happening in your environment, vulnerabilities facing your organization’s confidential data, and how to defend your users and your network against malicious Web activity.