IAM Myth Busting: SaaS will melt security instantly

The myth in the studio with us today: Cloud-based SaaS apps are going to break all your security and provisioning protections.

Change is the world’s only constant. Just when you have all the IT systems set up just so, along comes this SaaS thing to knock over your apple cart. Security, provisioning, auditing, and many other apples are just rolling down into the gutter after you had them perched so nicely. That’s the image that many folks have about SaaS apps. It couldn’t be further from the truth. There are many things about SaaS apps and other cloud services that give you better ways to stack your apples. And it’s likely true that the security in SaaS apps is better than a lot of what you have today. SaaS and cloud may actually raise your overall IT quality instead of ruining it.

A big fear people have with SaaS apps is the provisioning and deprovisioning of users and privileges. Since their apps lie outside the normal boundaries of the IT-controlled infrastructure, it’s going to be harder to create these links, right? And since these Silicon Valley cool kids don’t play by the big enterprise rules, they aren’t going to have all the mechanisms traditional, on-premises applications had to make these processes easier, right? No. On both counts. Hooking applications up to provisioning systems has always been challenging. Unless you’re lucky enough to be completely centralized, it’s likely a challenge to make any links in your organization. In fact, many folks I’ve spoken to feel like talking to the internet is easier than talking across internal networks. One thing in the fears about SaaS app provisioning challenges is right, though. There are few to no standards in place. But here’s the thing: it’s not like there were standards for the on-premises apps anyway. Identity experts talk about “the connector problem” for a good reason. But most vendors have cranked out SFDC connectors that are just as reliable as any PeopleSoft connector. And, unlike the big, on-premises players, SaaS apps are working on a true standard called SCIM that is coming along nicely. So by this time next year they may be ahead of the game.

The other big fear is around the overall security of SaaS apps in the cloud. Surely they can’t be as well secured as the applications in our highly protected data centers? I’m betting that a few moments of sober reflection on the assumption in that last question will bring you to where I need you to be for this point to be clear. Go ahead. Close your eyes and think about it a moment. If that’s not doing anything for you, then consider a few questions. Do you have a team of professional researchers looking into how to fit more encryption into your networks without any performance impact? Do you have complete control of every piece of code in your infrastructure down to the last mile? Do you have the leverage with your vendors of being one of the largest players in the business in order to get them to move on fixing every fault your team of crack security people finds in any software you use? Do you have the ability to position security to the business as something that can increase revenues? SaaS players tend to have all of that and more on their side. Does that mean they are perfectly secure? Of course not. No such thing. But it does seem to me that they have a very good head start on the problem, and that they’re better off than most of the people I speak to fighting their way upstream to fund and maintain security.

So don’t fear the SaaS. Of course bringing in a new application causes new complexities. Of course anything you do for the first time will bring some new challenges to face. But this new turf is not trudging off into the valley of the damned. It’s just hopping the fence into the neighbor’s yard. It’s not your place, but they might have a pool and good snacks. So give it a try.

Anonymous