As organizations automate more and more of their
manual processes, the Internet is increasingly
becoming an important tool in the delivery of IT
services. Several years ago, organizations
purchased software on CD-ROMs and DVD media.
Today, users have the choice of downloading
software from the Internet or using their
browser to access software that runs outside the
organization on Internet servers. The use of
external software on Internet servers is called
Software as a Service (SAAS).
Instead of writing software for a
workstation, software developers are now writing
software programs that run on Internet servers.
This software may run on servers outside the
organization in other companies’ data centers.
Some examples include web sites such as
Amazon.com and Salesforce.com.
In the past, individual applications ran in
the Internet cloud. Now, entire data centers are
moving to the cloud, accessible by a wide range
of users. Cloud computing describes a grouping
of service offerings that includes application
software, data storage, and computing. The
computing can be delivered over the Internet
(public cloud computing) or within an
organization (private cloud computing).
Cloud advantages over desktop software
Many SAAS applications are available at little
to no cost. In addition to lower software costs,
IT administration labor costs are reduced as
software does not need to be installed and
constantly patched. SAAS applications tend to be
supported by paid advertisers, thus subsidizing
the cost to the software user.
Another benefit is group collaboration. In
the past, software was loaded on many
distributed devices. With the Internet cloud,
software and data can be stored on centralized
servers, facilitating access to data by a large
group of users.
Cloud computing offers almost unlimited
storage of applications and data. No longer must
users and IT staff be concerned about collecting
and archiving volumes of data.
Employees want functionality and access to data
from a number of different locations. The
Internet cloud allows handheld Personal Digital
Assistants (PDAs) and laptop users to access
applications and data from a variety of
locations. Internet cloud computing allows
information to be accessed by a number of
different devices (desktop, laptop, mobile
phone, GPS, etc.) since the applications and
data are stored at Internet data centers.
Mobile computing will drive more applications
to the Internet cloud. The cloud is an ideal way
of supplying software and data to small
computing devices that don’t have the storage
and processing power to hold volumes of
applications and information.
Internet applications leverage the power of end
user devices by introducing to browsers features
commonly found in the graphical interfaces on
desktop applications. Better software
development tools support applications that can
run on a wide range of devices from desktop
browsers to smart phones.
Public cloud computing risks
As with any other form of technology,
organizations must address a wide range of cloud
- User traffic – in the past, applications
and data were stored locally. With Internet
cloud information accessed via Internet
lines, connectivity and bandwidth usage may
become a critical issue if Internet users
create Internet access bottlenecks.
- Internet connectivity – connectivity to
the Internet increases in importance. If
Internet connectivity is down for an
extended period of time, employee
productivity will drop. Redundant high-speed
Internet lines may be needed to help
mitigate this risk.
- Employee productivity – applications and
data that are stored on user hard drives
tend to have fast response times with little
impact on the employee. Internet
applications may experience delays and not
be able to manage volumes of data. Service
Level Agreements (SLAs) with the cloud
computing vendors can provide response time,
throughput, and other metrics that help
protect the organization.
- Lack of availability – there are risks
related to having a critical software
application programmed and managed by an
outside entity. If a vendor’s software
application ceases to function, the
organization may experience financial losses
as well as damage to its image and
- Confidentiality – SAAS vendors may store
data in a central repository. This
repository may hold data from many different
businesses, even competitors. The
organization should determine if it is
appropriate to store the type of information
(client lists, pricing, intellectual
property, etc.) on external servers.
- Integrity – since data is stored on
outside servers, the organization must
ensure information integrity. Balancing
controls, managing information stored on
external servers, monitoring, and other
controls must be used to protect the
- Compliance – information collected,
stored, archived, and secured must meet
In exchange for lower cost service delivery,
users may have to provide personal information.
This information is often used to deliver custom
advertisements. The cloud model may require
sharing of information with other marketing
alliances in exchange for the convenience and
low cost of using Internet cloud applications.
Many SAAS vendors focus on one area of
specialty, storage, e-mail applications, on-line
backups, etc. Organizations must rely on the
vendor’s security solutions to protect their
information. Unfortunately, for many SAAS
vendors, their focus is on service
functionality, not security.
Private cloud computing
Organization data centers adopting the
technologies and practices of public cloud
infrastructures can be considered private
clouds. Private clouds are data centers within
the corporate perimeter, within the firewall.
Software applications can be designed for
both the public and private cloud
infrastructure. Tools such as systems management
software, clusters, grid technology, and load
balancing permit private clouds to employ
utility-like environments with computing
resources and applications provisioned with
Cloud computing service delivery
IT managers should take professional care and
due diligence when evaluating cloud computing
applications. Organizations should consider the
risks to their data including loss, disclosure,
- Design – since a service provider can go
out of business, create a network design
diagram showing the data that is outsourced
and how information flows from your
organization's network to the service
provider. This document can also be of
assistance in the event of e-discovery and
- Service levels – your organization
should determine if the outsourced provider
has professional, high performance
infrastructures that can guarantee levels of
- Support – user and technical support
must be determined up front. Will first
level user support be provided by their
staff or yours?
- Redundancy – organizations should have
redundant solutions that allow systems to
continue operating even during single
component failure. This includes the
Internet software application as well as the
organization’s connectivity to the Internet.
- Backups – make arrangements with the
service provider to provide periodic
physical backup media to your organization
or to an external third party.
- Contingency plans – business continuity
and disaster recovery plans must be updated
and tested on a regular basis.
- Private clouds – IT departments have the
administration costs and responsibilities of
acquiring, installing, managing, and
securing data centers.
- Security – public and private clouds
must ensure information availability,
confidentiality, and integrity.
While outsourcing software applications to the
Internet cloud isn’t for every organization,
many firms have found that cloud computing can
be a simple, reliable, and cost effective
Both the Internet cloud vendors (SAAS) and
the organization should have audits performed on
a periodic basis.
Risk assessments and
network security audits help organizations identify, manage, and reduce their risks.
Formal and documented
a top down approach to managing cloud related
- SAAS vendors – audits help ensure system
availability, information confidentiality,
and data integrity.
- Organizations – audits ensure
organization management that the firm is
managing its cloud computing risks.