The topics of Security MSSPs, SaaS (Security as a Service), and Cloud Computing are hot right now. I’ve always thought I understood MSSPs and SaaS very well. In my opinion, with a Security MSSP you frequently outsource the entire function. If you outsource your firewall security, for example, you often don’t have anyone on staff who looks at firewall logs, and you rely on your MSSP partner to keep you secure, at least with regard to the firewall. The MSSP gathers, archives, and evaluates the logs. In the same firewall example, SaaS lets you outsource the delivery of the capability, including the logistics of data collection and storage and the software and hardware that make them possible, but you still retain IT people who are in charge of the firewall protection. These individuals run the reports, examine the logs, etc. No matter the security task (email security, firewall, SIEM, etc.), this general description applies.
So far, so good. It’s all easy to understand.
Then, when cloud computing is included, everything becomes somewhat hazy. People begin to use the terms interchangeably, and when you discuss cloud computing with someone, you’ll often learn that their definition is very different from your own. I always try to clarify by asking: Do you mean security IN the cloud, that is, hiring an outside provider to handle some of the gathering, storing, and processing of your security data (if so, go to SaaS or MSSP)? Or are you referring to the management and gathering of security data from enterprise apps that are offered via SaaS (Software as a Service; for example, Salesforce)?
Since you may be importing data from applications like Salesforce into a security solution you own and host, the latter case truly has nothing to do with either Security SaaS or MSSP. It’s a completely separate issue. Consider how to gather and correlate data from third-party applications that you have no control over, or how these applications may affect your compliance needs. Compliance laws frequently require you to examine access to particular types of crucial data. How do you achieve that if you have no control over the assets? Do you simply trust the service provider to perform the task correctly? And when your auditor arrives to do an audit, what will they do? When you have no control over how, when, or where log data was created, how can you ensure chain of custody? Suddenly a lot of questions arise for which there do not seem to be simple answers.
So, the following observations:
- The majority of compliance rules do not address compliance in a cloud computing environment.
- The cloud’s security is unclear.
- Smaller businesses are now subject to more stringent compliance requirements, and SaaS for corporate applications is growing more and more popular with businesses of all kinds.
- People frequently mistake “it’s in the cloud” for “I have no responsibility” when thinking about cloud computing, and as vital data and programs move to the cloud, this won’t be acceptable.
If nothing is done, the aforementioned issues will most likely compound and eventually block the adoption of cloud computing. Still confused and want to know more about these topics? Feel free to talk to a CYB3R-X expert today or email us at demo@cyb3r-x.com for a demo.