Cloud/SaaS : Effects of migration on security landscape

Last week I met an experienced professional from a similar domain to mine and we talked at length about SaaS. Most of the time we were talking about how SaaS is the future. Later, I got thinking about what would happen when SaaS goes mainstream and cloud adoption reaches a good ratio.

My last post talked a bit about what people were not thinking about in all the cloud buzz, but this is something a little different.

It is pretty clear to me that a lot of generic services will be delivered as SaaS and will find good adoption. Alongside them, providers like Amazon AWS will offer both general and specialized infrastructure services, and vendors selling ready-to-customize products on those clouds (like paid EC2 AMIs) will fill the gaps. Only very specialized, highly sensitive information will be kept on-premise. Of course, many will keep owning large datacenters (because it may be more economical) or have solutions that quite simply do not work well with any acceptable vendor’s offering (and there will certainly be many such things).

There is no “inside” anymore; security needs to be ubiquitous

It’s not hard to imagine that in such cases many offices will no longer have any on-premise critical servers/services to protect. You’ll need a secure way to connect to and use your data even from inside the office. I was fascinated by the notion that we are heading towards an era where there will be no “inside” network; we are all on the outside, all the time. Thinking back, it should have been fairly obvious when we first started having internet on the go (to people much smarter and more experienced than me it probably was), but the complication is that feasible often beats reasonable!

I digressed. What it probably means is that either all the SaaS (and other *aaS) offerings meant for mass consumption will have to be fully security compliant before critical services can be adopted, or there will be security brokers and managers who will do it for them. I find the former a dream at best; if you have ever worked on software and had the misfortune of dealing with interoperability issues, you understand. It looks like we’ll have to have security built right into the cloud (like a VPN and other controls) if we are ever to adopt it at a very serious ratio. There are efforts on for this; cloud security is expected to be the next big thing. CipherGraph itself is one such effort to ensure that only the right people get access to authorized resources. More on this later.

Standards for broker-based security such as SAML do come to mind, but that paradigm is suited only to certain kinds of services, not all. They do not secure the network anyway; they offer identity assertions, which is only part of security. Also, enterprise-standard solutions of this kind are often quite expensive and challenging to maintain (or to find compliant services for).

Policy Control

It’s a known fact that all security vendors like to control policy; that is, after all, the brain of the security infrastructure. But how far can policy go while being disconnected from corporate identity and role? Not too far, I believe. Ultimately it is all about who is allowed to do what, and if you do not keep the actual user’s identity in mind, enterprises are going to find it hard to adopt such systems. Current SaaS vendors rely on simple authentication mechanisms and are often completely corporate-role-agnostic. To be fair, they should not be duplicating security efforts anyway; there are powerful policy enforcers available (and it is a specialized field).

Prevention is the best cure

Security is like a chain: it is only as strong as the weakest link. The idea, hence, should always be to layer security infrastructure, not chain-link it. What I mean is that it is one thing to expose your Exchange server to the network and give credentials to authorized users; it is another thing to ensure that only authorized users even get to see the login page. It is hard enough to come up with enterprise-class solutions; it is even harder to have built-in enterprise-class security (economically).

Just a few days back Check Point released an EC2 firewall security system. I should have been scared, but I was excited, since there was unassailable validation that my own effort (CipherGraph Networks) was in the right direction; I was even happier when I realized that CipherGraph is the first and probably the only one that caters to on-premise as well as cloud infrastructure.

One of the things I realized is that most of the formulas and fundamentals are already in place; we just have to map them to a very different scenario (the cloud, in this instance) and forge a fitting solution. It will take a different sensibility, since the topology is completely changed and we are dealing with a different set of parameters, but it can be done :-) we’re on the job!


Cloud Tech / *aaS: We are not talking enough about flexibility and security

Cloud is available everywhere

I find it strange that some people don’t immediately see the other implication of “access from anywhere”: it really is accessible from anywhere, which leaves your data/services open to a wider array of security threats (and, as expected, from anywhere). Hence, you need specialized security around your “accessible” services. I believe we are just one step away from a security revolution, since the rules are being changed by the cloud revolution. CipherGraph Cloud VPN can secure your cloud infrastructure from unauthorized and malicious access while still allowing authorized people to use it from anywhere.

Do I need to understand security even for using SaaS?

Yes! The only person who understands your data’s worth is you. For everyone else, it’s just a payload of bits.

You must choose your data’s location and accessibility wisely. You have to determine how and where your data gets accessed. This is the same reason you have been investing in security all these years: the cloud does not implicitly address security; in fact, its ubiquity makes security even more important.

There are certain things you cannot trust someone else to understand and decide, and your security is one of them. Nobody will accept liability for the real loss your business incurs because of an operational failure.

If you are putting your data somewhere, you need to understand who else has access to it and how it is protected from unauthorized people. The cloud is not a bottomless pit of capacity and power; it too reacts badly to usage spikes and other adverse scenarios. Vendors are not really liable for damage of any kind; you are solely responsible for making sure your business does not suffer.

Your Cloud/*aaS choice may be binding, choose wisely the first time!

Extended *aaS use often locks you in to one vendor, so make an informed choice the first time. *aaS is meant to be mass-produced and mass-consumed; the implication is that there will be little flexibility. It is up to you to ensure you understand your vendor’s policy. Security and backup policies are also a must when considering a vendor.

Migration can be very difficult and expensive (if not impossible), so be extra sure of your choice and its implications. Self-hosted or cloud-hosted virtualization may be a less painful and more flexible choice. It is not a coincidence that legacy systems are the hardest to maintain; they usually get that way because they locked in your data and could not be migrated. After all, you know it is not easy to migrate terabytes of data or to replicate a working setup from one vendor with another.

SaaS magic

SaaS gets incredible press these days; it has a lot of romance associated with it. “Cloud” seems to be the magic elixir that will solve all the problems of any business. It’s not every day that security gets a mention in the SaaS context; let’s face it, people are just beginning to talk about it seriously. Security issues and considerations do not go away magically when software is hosted in the cloud. Often, it brings with it a new set of issues that were non-existent in the traditional model of hosting servers.

I have often come across companies who have told me that they don’t need security because they do everything in the cloud. I do understand that security is not something most people think about every day. Most don’t really realize how security applies to their business model. Unfortunately, I believe they are in a bubble; data breaches and attacks on cloud setups are making the news all the time.

*aaS model

The *aaS model relies on a “one size fits all” policy, where the provider reuses the same infrastructure and the same kind of service for all users. This mass consumption allows them to reduce costs and ultimately make the service available at a cheaper rate. What they do not do is comply with your specific security policy; they have their own, which may not be aligned with yours. Before you use any IaaS/SaaS/cloud service for your business, consider all options with security in context. Even if a service does not have security built in, it should be flexible enough for you to use your own or a third party’s solution (I personally prefer Amazon’s AWS because of its higher flexibility).

Did you pay for security?

You will get only what you paid for. So if your SaaS vendor is charging you peanuts, they are optimizing (cutting corners) somewhere. You’ll see that when something bad happens; till then you are in a bubble. Security and secure access is a specialized field and needs specialized attention; your vendor owns the infrastructure, and it is tuned to give maximum performance, not necessarily to be fully secure.

Tele-commuters and VPN Remote Access

Given today’s fast and global life, being tied down to a location for a certain task is often too much to ask. You have smartphones that don’t require you to go home or to the office to check your email. Your phone/MP3 player is in your pocket, always at your disposal for music and video. You carry a Kindle for reading books (and not just a few, all of them).

Your office at your fingertips

People now understand that it is counter-productive to always be needed in the office for every little work-related thing. Technology is allowing you to govern your time the way you want. Never before has the problem of physical presence in the office been more constraining than now, when you often deal with people in different time zones. People often take conference calls from home at night, taking down notes of little things to do the next day. Now you can take your office (not just the phone) home and be fully functional. Your documents and your office network should be there when you need them.

Gone are the days when it was acceptable to hear, “I am not in the office at this time, I’ll send you that important document tomorrow”. Companies need to be nimble all the time. Telecommuting via VPNs is here to stay. It is not just the ability to work from outside the office; it puts your entire office at your fingertips. Companies are fast recognizing the importance and benefits of the enhanced productivity of remote workers (full-time or part-time). Some analysts even say that remote workers can often be up to 40% more productive; it is a surprisingly large number, something your company should not ignore.

Ubiquitous Productivity

I have read many articles (like IT Business’s “Telecommuting benefits both employees and employers”) that give a glimpse into how telecommuting is increasing productivity. It is seen as a perk in some offices, but in others it is indispensable, especially those that have a lot of workers on the road or working from other locations.

VPNs allow fully functional remote connectivity to your office. Some good solutions (like CipherGraph :-) allow access from mobile phones and tablets too. This is incredible flexibility and power that you have just handed to your employees. Little things like generating a report or creating an invoice can be done from anywhere, even the client’s office. Speed is critical to every business; loss of time is loss of money. If your office does not provide a solution for remote connectivity, you lack the pace that your competition can (and will) take advantage of. Everyone knows the price of moving slower than the competition: “going out of business”.

Morale, Flexibility and Employee Retention

The importance of morale is another critical thing that any seasoned professional will be able to tell you about. Little perks that benefit both the company and the employees equally go a long way. Telecommuting (even a few days) makes your workplace seem that much more flexible and trusting of its employees. Good workers recognize and appreciate that. When I was working at my previous company, I used to work one or two days a week from home. That saved me a total of four hours of commute time weekly (in horrible traffic), and on those days I had a jump-start because I was fresh when I started work. I was more productive in general, and not just on the days I was not in the office. Not to mention that I got more hours of my life into useful work than looking at tail lights in a traffic jam. There is no simpler way to add more hours to a work day.

Incredible flexibility and Savings on External Contractors/Consultants/Others

Remote workers are not the only thing that VPNs can enable. In my company I often hire external consultants to do some part-time work. Sometimes they are not from the same city, but this has never prevented me from hiring them. I just give them access on my VPN (limited to the parts of my network that they need to reach), and when the contract is over, I can simply suspend their login. This means that I can hire based on talent alone; their location is immaterial. I also save a bunch of money, since I no longer have to pay for temporary relocation.

There are other cases where you might want to use a VPN. Every once in a while there are people you have to work with but cannot accommodate in your office (or don’t want to) for some reason (possibly office capacity). This may be an audit team, customers or other people who need access to limited portions of your company’s resources. VPNs are pretty much designed for this scenario. Some companies have to hire financial auditors who need access to the company’s payroll portal and leave-management portal; they often work in teams and on sensitive financial data that is meant for executive/board staff only. You do not want your meeting rooms blocked for days (non-stop), and you certainly do not want them discussing company financials among your employees.
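The passages on policy control (policy tied to corporate identity and role), on layering security so that unauthorized users never even see a login page, and on giving contractors and auditors access limited to what they need all describe the same decision: a gateway that checks identity first and a per-role network allow list second, with everything else denied. The following is an added example written for this page, not CipherGraph code; the User record layout, the ROLE_POLICY address plan (10.0.0.0/16 and the hosts inside it), the sample users and the connection attempts are all constructed assumptions.

```python
"""Identity- and role-aware access decisions for a VPN gateway (added example).

Assumptions (not from the original post): users arrive from a corporate
directory with a role and a status, external accounts carry a contract end
date, and resources are CIDR/port pairs on a hypothetical 10.0.0.0/16 network.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class User:
    """Directory record as the gateway sees it (hypothetical schema)."""
    name: str
    role: str
    status: str = "active"           # "active" or "suspended"
    expires: Optional[date] = None   # contract end for external accounts


# Per-role allow list: (destination CIDR, allowed ports; "*" means any port).
ROLE_POLICY: Dict[str, List[Tuple[str, Set]]] = {
    "employee":   [("10.0.0.0/16", {"*"})],
    # auditors reach only the payroll and leave-management portals over HTTPS
    "auditor":    [("10.0.5.10/32", {443}), ("10.0.5.11/32", {443})],
    # external developers reach only the dev subnet, SSH and HTTPS
    "contractor": [("10.0.8.0/24", {22, 443})],
}


def evaluate(user: User, dst_ip: str, dst_port: int, today: date) -> Tuple[bool, str]:
    """Decide one connection attempt. Identity checks come first, then the
    role's network allow list; anything not explicitly allowed is denied,
    so an unauthorized user never reaches a service's login page."""
    if user.status != "active":
        return False, "account suspended"
    if user.expires is not None and today > user.expires:
        return False, "contract expired"
    rules = ROLE_POLICY.get(user.role)
    if not rules:
        return False, "no policy for role %r" % user.role
    addr = ip_address(dst_ip)
    for cidr, ports in rules:
        if addr in ip_network(cidr) and ("*" in ports or dst_port in ports):
            return True, "allowed by %s rule %s" % (user.role, cidr)
    return False, "destination not in %s policy" % user.role


def suspend(user: User) -> User:
    """Revoke access without deleting the account (contract over, or an incident)."""
    user.status = "suspended"
    return user


# Constructed sample data, not real users or traffic.
TODAY = date(2011, 3, 1)
AFTER_CONTRACT = date(2011, 4, 1)
SAMPLE_USERS = {
    "alice": User("alice", "employee"),
    "bob":   User("bob", "auditor", expires=date(2011, 3, 31)),
    "carol": User("carol", "contractor", expires=date(2011, 12, 31)),
    "dan":   User("dan", "intern"),   # a role nobody wrote a policy for
}
SAMPLE_ATTEMPTS = [
    ("alice", "10.0.3.4",  8080),  # employee, internal app: allow
    ("bob",   "10.0.5.10", 443),   # auditor, payroll portal: allow
    ("bob",   "10.0.5.10", 22),    # auditor, SSH to the payroll host: deny
    ("bob",   "10.0.3.4",  443),   # auditor, unrelated internal app: deny
    ("carol", "10.0.8.9",  22),    # contractor, dev box: allow
    ("dan",   "10.0.3.4",  80),    # unknown role: deny by default
]


def run_samples(today: date = TODAY) -> List[Tuple[str, bool, str]]:
    """Evaluate every sample attempt and return audit-style decisions."""
    return [(name,) + evaluate(SAMPLE_USERS[name], ip, port, today)
            for name, ip, port in SAMPLE_ATTEMPTS]


if __name__ == "__main__":
    for name, ok, why in run_samples():
        print("%-5s %-5s %s" % (name, "ALLOW" if ok else "DENY", why))
    # The same auditor after the engagement ends: the identity check denies first.
    print(evaluate(SAMPLE_USERS["bob"], "10.0.5.10", 443, AFTER_CONTRACT))
```

Two points the code makes concrete: the last branch is a deny, so a role that was never given a rule gets nothing rather than everything; and suspension and contract expiry are checked before any network rule, so revoking a contractor is a single status change and never requires editing the network policy.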

Efficient Office Space Use and Savings

I myself operate from a much smaller space than I would need if all my employees had to come to the office every day. Earlier, all my employees were working from home and I operated out of a virtual office (paying just $80 a month in office rent). In both cases I saved thousands of dollars by using a VPN. It is not just the seating space; I am talking about all the resources I save (including energy, cooling etc.). A good article that explains this is “Plantronics smartens up its headquarters for remote workers”.

VPNs are loved by everyone

The best part of being in my business: we are not an additional liability or process, we are 360-degree facilitators. We make work easy and enhance the productivity of companies, and no one feels burdened, not the employees, the IT staff or the corporate executives. In fact, they all appreciate the freedom, peace of mind and savings (and not just in the same respective order :-)

Related Articles:

Telecommuting benefits both employees and employers
Telecommuter-Friendly Office Leads to Happier Workforce
Remote Workers
Plantronics smartens up its headquarters for remote workers