In general, do cloud computing and SaaS-based applications improve IT security? How do I ensure vendors offer best-in-class IT security?
Answers
Cloud/SaaS providers should be taking security to a much higher level than most emerging and midsize companies could afford to do, but this is not always the case. Depending on the sensitivity of the data/application to your business, you should invest the appropriate diligence up front to avoid surprises downstream. For services critical to your business I recommend having an experienced security engineer/consultant interview the service provider to ask questions a business person wouldn’t think of and assess their answers. Nothing is ever completely secure, but with a little diligence you can quickly make an educated assessment of your
Many SaaS/cloud providers will offer security certifications such as SAS 70 (helpful if the service involves processes relating to SOX/financial audit) or PCI (required for payment card data) as evidence of their security. These demonstrate a level of maturity and investment in security practices and should be considered in your selection criteria, but they are no guarantee. Security audits capture the state of security at a snapshot in time, but the practices may not be carried out consistently between audits. Many large security breaches have occurred in companies with all the right security certifications. Do your web research on the provider’s reputation and talk with current and past customers.
In your assessment of a provider’s security first consider the service level agreement (SLA – uptime, response time, recovery time, etc). They need to demonstrate that their infrastructure and practices can actually support the SLA they are promising. (Their claims may be “forward looking” – based on planned rather than current infrastructure.) If you can’t access your application or data when you need it, it isn’t secure. How do they achieve high availability and what are their single points of failure? You may be surprised to know that some leading SaaS providers do not have redundant data centers that would automatically fail over in case of a local disaster.
You also need to know that data is being encrypted when transmitted over the internet, and that sensitive information like payment card data or personally identifiable customer information is also encrypted when stored. They should have deployed a host of security technologies including an intrusion prevention system, anti-DOS (denial of service) measures, log
You should also note that certain types of cloud services are by their nature not able to pass specific security certifications. For example, cloud computing providers may not allow security scans of their network, a requirement of PCI certification. Some security requirements and technologies are designed to address pre-cloud architectures and have not necessarily caught up to the current offerings.
Feel free to contact me if you would like to discuss your specific situation in more detail.