As small and midsize businesses (SMBs) leverage software-as-a-service (SaaS) to scale more quickly, they can end up with disparate applications that do not integrate. This gives rise to security issues as companies will bypass security protocols governing these software, and result in data residing in silos in different cloud services.
The integration of Web-based applications used to provide customers more functionalities becomes complicated as SMBs migrate to a SaaS business model, explained Pavan Joshi, Web security solutions product manager at Akamai Asia-Pacific and Japan. These applications exist in different environments, resulting in different data security and verifications as well as complicating data management, Joshi noted.
Vic Mankotia, solutions strategy vice president at CA Technologies Asia-Pacific, observed that many companies in Asia are still running in a hybrid environment where on-premise applications are integrated with SaaS components.
This integration is expected to become more complexas companies start adopting more public cloud services, along with greater consolidation in data centers, Mankotia noted.
Traditional security, corporate policies bypassed
In addition, as end-users collaborate globally with external customers and partners from multiple devices, traditional IT security perimeters are overlooked, Mankotia said.
Elaborating, Glenn Johnson, senior vice president of Magic Software Enterprises, said services available to handle cloud integration securely tend to be expensive and complex. As a result, companies start resorting to manual programming which bypasses security protocols that were implemented on these applications, he explained.
"Self-programmed integration is also more likely to use exposed transport protocols without encryption, and decryption of messages and data within the cloud, which poses a security risk as a result of the disparity," he said.
Mankotia added that IT policies, governance, and identity management will become much harder to enforce in a disparate environment.
Users who consume data across various cloud and social services, through the enterprise network, create a security loophole as they share sensitive data across the network infrastructure while network administrators need to ensure identity access and management are in place, he explained.
Joshi noted security also takes a backseat, and new vulnerabilities are introduced as companies are faced with time pressures to take functionalities to market. Even if the vulnerabilities are known it takes several weeks to fix them, giving attackers an extended period of time to exploit those weak points, he added.
Jim Liddle, CEO of Storage Made Easy, said as organizations move their IT functionalities to the cloud, they will also have to place more trust in an external provider with both their data and the need to comply with their security requirements. Security requirements such as ensuring data is stored in a certain geographic region, fulfilling storage best practices for data security, and providing security certifications, Liddle noted.
Companies are also using different providers for different services, such as Google Mail for e-mail, and Amazon Web Services S3 or Dropbox for file and folder storage. This results in a "cloud sprawl" which further complicates management of these different components, he said.
This again links back to the risk of having data and information silos in different cloud services, he pointed out.
Authenticate, ensure cloud components integrate
While meeting compliance standards is a good first step, Joshi advised that this does not guarantee the infrastructure is secure. Enterprises must do more to implement strong multi-layered security controls.
According to Mankotia, strong identity authentication is the new perimeter as it emphasizes the need to reduce risk at the authentication point.
Liddle added that enterprises should also choose cloud components or services that can integrate with one another to overcome security issues. This can be done by making sure they use common authentication, offer fine-grained access control, and provide auditing, he said.