Cloud is available everywhere
I find it strange that some people don’t immediately see the other implication of “access from anywhere”. That being, it really is accessible from anywhere, it leaves your data/services open to a wider array of security threats (and as expected, from anywhere). Hence, you need specialized security around your “accessible” services. I believe we are just one step away from a security revolution since the rules are being changed by the cloud revolution. CipherGraph Cloud VPN can secure your cloud infrastructure from unauthorized and malicious access, while still allowing authorized people to use it from anywhere.
Do I need to understand security even for using SaaS?
Yes! The only person who understands your data’s worth, is you. For everyone else, its just a payload of bits.
You must choose your data’s location/accessibility wisely. You have to determine how and where your data gets accessed. This is the same reason why you have been investing in security all these years, the cloud does not implicitly address security, in fact its ubiquity makes it even more important.
There are certain things you cannot trust someone else to understand and decide, your security is one of them. Nobody will accept liability for the real loss your business incurs because of any operational failure.
If you are putting your data somewhere, you need to understand who else has access to it and how it is protected from unauthorized people. Cloud is not a bottomless pit of capacity and power, it too reacts badly to usage spikes and other adverse scenarios. Vendors are not really liable for any damage of any kind, you are solely responsible for making sure your business does not suffer.
Your Cloud/*aaS choice may be binding, choose wisely the first time!
Extended *aaS use often locks you down to one vendor, make an informed choice the first time. *aaS is meant to be mass produced and mass-consumed, the implication is that there will be little flexibility. It is up to you to ensure you understand your vendor’s policy. Security and backup policy are also a must when considering a vendor.
Migration can be very difficult and expensive (if not impossible), so be extra sure of your choice and its implications. Self hosted or cloud hosted virtualization can may be a less painful and more flexible choice. It is not a coincidence that legacy systems are the hardest to maintain, they usually get that way because they locked your data and could not be migrated. After all, you know its not easy to migrate terabytes of data or replicate any working setup of one vendor with another.
SaaS gets incredible press these days, it has a lot of romance associated with it. “Cloud” seems to be the magic elixir that will solve all the problems of any business. Its not everyday that security gets a mention in the SaaS context. Lets face it, people are just beginning to talk about it seriously. Security issues/considerations do not go away magically when software is hosted on the cloud. Often, it brings with it new set of issues that were non-existent in the traditional model of hosting servers.
I have often come across companies who have told me that they don’t need security because they do everything in cloud. I do understand that security is not something most people think about everyday. Most don’t really realize how security applies to their business model. Unfortunately I believe they are in a bubble, data breaches/attacks on cloud setups are making the news all the time.
*aaS model relies on “One size fits all” policy, where they can reuse the same infrastructure and same kind of service for all users. This mass consumption allows them to reduce the costs and ultimately make the service available at a cheaper rate. What they do not do is comply with your specific security policy, they have their own, which may not be aligned to yours. Before you use any IaaS/SaaS/Cloud service for your business, consider all options with security in context. Even if it does not have implicit security by themselves, they should be flexible enough for you to be able to use their own or a third party’s solution (I personally prefer Amazon’s AWS because of its higher flexibility).
Did you pay for security?
You will get only what you paid for. So if your SaaS vendor is charging you peanuts, they are optimizing (cutting corners) somewhere. You’ll see that when something bad happens, till then you are in a bubble. Security and secure access is a specialized field and needs specialized attention, your vendors own the infrastructure and is tuned to give maximum performance not necessarily to be fully secure.