A Chat About SaaS Security and AWS Security Best Practices at AWS Boston MA Meetup

This is a guest post by Gaurav “GP” Pal, CEO at stackArmor

I recently had an opportunity to present at the Boston AWS Meetup on a topic that’s been in my sights for a while now – “State of SaaS Security, Common mistakes and AWS Security Best Practices”. The entire presentation is up at the Slideshare link at the end of this post.

Why should we care about SaaS security? More businesses are moving online than ever before.

  • Statista reported that the annual revenue from the public cloud would go up from $80 billion last year to $116 billion in 2016. More businesses are rolling out SaaS-based offerings every day, so much so that IDC predicts as many as 27.8% of ALL enterprise applications will be SaaS-based by 2018.
  • With so much business data moving to the cloud – what about security? Well, identity protection vendor CSID reported recently that the average cost of a data breach was $6.53 million per incident and as much as $217 per compromised record. The costs add up fast when you consider the Identity Theft Resource Center’s revelation that in the first 10 months of 2015 alone over 175 million such records had been exposed.

It’s no wonder that regulators like the SEC and the FTC are taking notice and claiming jurisdiction in cases where corporate entities have (potentially) exposed customer data because of poor security practices. All this has, of course, meant that security has now become a key concern of the board. They are worried not only about compliance, which is onerous in itself, but also about the effectiveness of their security policies.

One would think that, with security so much in focus, the recent data breaches at large firms like Target, Sony and many others would cause everyone to take notice and start taking security seriously. But clearly this is still a work in progress. Based on my experience, here are some underlying reasons for a weak security posture:

  • An expectation that when one moves to a cloud operated by a large cloud service provider (CSP) such as AWS, the CSP will “take care of everything”. The concept of a shared security model and “full-stack” security is not well understood.
  • Emerging DevOps practices are too heavily focused on the “Dev” aspect and do not adequately address the “Ops” part. Most SaaS shops are stronger on the development side and do not have the same level of skill and focus on platform operations and security.
  • Systems engineering skills are generally weak around network engineering, security zoning, boundary protection and enclave hardening.

I presented a set of common security mistakes that such organizations make (this is reproduced below).

AWS Security

As you can see, several of these are easily fixable and ironically, at very little cost too. The key, in my opinion, is for security to be seen in the organization as a core business issue rather than as a problem for the “IT guys” to handle. The CEO has to proactively provide the direction and make security an ongoing effort rather than wait for the time when firefighting becomes inevitable.

Boston AWS Meetup at WeWork on Feb 9th 2016

The audience within the Meetup was extremely engaged and the following key themes emerged from the discussion:

  • Many members in the audience seemed to indicate that IT operations was not taken seriously enough within the new SaaS organizations, leading to a lack of funding and shortage of talent.
  • Cybersecurity risk and compliance with questionnaires is increasing as risk-averse customers are asking SaaS operators to fill out compliance questionnaires to assess and contain third-party risk.
  • While many organizations have acquired tools, there is a critical shortage of skilled and knowledgeable security engineers.
  • Executive management does not adequately understand security risks and does not provide adequate levels of funding.

Clearly, as the recent court cases and fines levied by regulators such as the SEC and FTC have shown, the cost of lax cybersecurity procedures and policies is going to start hurting the bottom line.

So, go ahead and visit the Slideshare link below for the full presentation, or better yet, write to me at gpal at stackarmor dot com if you have any inputs or questions. Let me leave you, though, with an appropriate quote from H Stanley Judd: “The ultimate security is your understanding of reality.” He was probably not talking of the Cloud, but there is no denying it makes sense.