As the hype around cloud computing settles, and as organizations begin to evaluate solutions, the ability of security as a service (SaaS) solutions to improve security infrastructure becomes apparent. The decision to add these services does, however, pose new challenges for organizations, specifically with regard to the amount of security that should be trusted to a service provider and the impact the SaaS solution will have on the organization’s existing security posture.
In the culinary realm, salt is added to a dish to enhance flavor; adding too little salt may not be sufficient to change the flavor, but adding too much can ruin a great dish. The same holds true when adding SaaS components to an organization. Too little SaaS may not sufficiently improve its security posture, but too much SaaS can increase risk for the organization, since too many security components will move beyond its control. Having the liberty to choose from a wide range of SaaS “ingredients” is simultaneously a luxury and a challenge for the modern CISO.
A number of SaaS vendors offer innovative solutions for organizations, providing CISOs with an array of security services from which to choose. The new providers range from start-up vendors to established security vendors and managed security service providers (MSSPs) offering new services.
Introducing any managed solution into an organization has significant implications for the overall security posture of the organization. From integration with existing security products to the intricacies of backup and disaster recovery for hosted solutions, there are many factors to consider beyond the specification sheet. Some solutions add critical infrastructure components to the organization through proxies, databases, and other services, which may require extra care, or which may add additional latency. In spite of these potential challenges, there are benefits to cloud-based security that are not easily achieved with traditional hardware and software solutions.
For a discussion of the growing number of hosted services in the market, their different deployment models, and the advantages and potential pitfalls that attend the introduction of these new offerings into enterprises, read the NSS analyst brief, Cloud-based Security Is Here to Stay. Adding SaaS solutions to an enterprise requires careful planning, and just like adding salt to flavor a dish, an organization must determine how much of a SaaS solution to use; if not, the organization may find itself with a bad case of infrastructural indigestion.