Three Threats to SAAS Security and Three Ways to Counter Them
SAAS (security as a service) is security management delivered through an outsourcing service model. It covers not only hosted anti-virus software but also security management functions that would traditionally be run in-house and have instead been handed to an external organization. As SAAS moves towards the cloud, it has raised many concerns: a cloud service concentrates so much customer data in one virtual bank that any failure of its security poses a grave threat to the customers of SAAS security services.
Weak Cloud Security Standards: The two most widely known benchmark security standards for the cloud are SAS 70 and ISO 27001. Service providers usually advertise openly that they have passed these audits and that customers therefore need not worry about potential data breaches. However, completing an audit does not guarantee that your data will be safe. A company can be compliant with ISO 27001 and still neglect good practice in privileged user management. For example, administrator accounts may be shared among multiple people, or may be handed to people who have no need for them.
Mitigation – Transparency: To assuage public concern about their security practices, cloud service providers can openly release details of what they are doing to keep data safe. Firms can follow Microsoft’s lead and publish their cloud security models. This lets customers act as a check and balance, providing feedback and criticism of the existing security model. From there, firms can adjust their security practices to better protect their customers’ data.
Accessibility Increases Risk: SAAS lets customers reach its services from anywhere, as long as they have an Internet connection. However, this opens a significant security gap, since users may log in from an unsecured computer or network.
Mitigation – Greater Control: All is not lost. By implementing certain policies and procedures, firms can still ensure that data is kept within their walls. For example, a firm can restrict the service so that it can only be reached from specific IP addresses. Firms can also block access to certain service functionality when users log in from an unsecured location, ensuring that data is not leaked out.
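The two controls described above (an IP allowlist and reduced functionality for off-network logins) can be expressed as a single access-policy evaluator. The following is an added, hypothetical example written for this article, not code from any SAAS provider; the trusted network ranges, feature names and the `evaluate_access` function are all constructed for illustration.

```python
"""Network-location-based access policy for a hosted service.

Requests from IP addresses inside the firm's trusted ranges receive the full
feature set; requests from anywhere else are either denied outright or limited
to a reduced, non-exporting feature set, depending on how strict the policy is.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample policy. 10.0.0.0/8 is an RFC 1918 private range and
# 192.0.2.0/24 is a documentation range; both stand in for office networks.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
]

# Features that can move data out of the service: only from trusted networks.
SENSITIVE_FEATURES = {"export_report", "download_attachment", "bulk_api"}
# Features any authenticated user may use regardless of network location.
BASIC_FEATURES = {"view_dashboard", "read_ticket"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    features: frozenset = field(default_factory=frozenset)  # features granted for this network
    reason: str = ""


def is_trusted(client_ip: str) -> bool:
    """True when client_ip falls inside one of the trusted CIDR blocks."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparseable address: never trusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def evaluate_access(client_ip: str, requested_feature: str,
                    allow_untrusted: bool = True) -> Decision:
    """Return the access decision for one request.

    allow_untrusted=False models the strict "reachable only from specific IP
    addresses" policy; True models the "block some functionality when logging
    in from an unsecured location" policy.
    """
    if is_trusted(client_ip):
        granted = frozenset(SENSITIVE_FEATURES | BASIC_FEATURES)
    elif allow_untrusted:
        granted = frozenset(BASIC_FEATURES)
    else:
        return Decision(False, frozenset(), "source network not on allowlist")

    if requested_feature in granted:
        return Decision(True, granted, "ok")
    return Decision(False, granted,
                    f"{requested_feature!r} not permitted from this network")


if __name__ == "__main__":
    # Constructed sample requests: one on-network, two off-network.
    samples = [("10.1.2.3", "export_report"),
               ("203.0.113.7", "export_report"),
               ("203.0.113.7", "view_dashboard")]
    for ip, feature in samples:
        d = evaluate_access(ip, feature)
        print(f"{ip:>14} {feature:<16} allowed={d.allowed} ({d.reason})")
```

The client address must be the one observed on the connection (or set by a proxy the firm itself operates), since a client-supplied header can name any address; and an IP allowlist is a coarse control that says nothing about whether the device itself is secure, so it complements rather than replaces strong authentication.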
Legal Risks: Cloud vendors use virtual machines that may be located anywhere in the world, and data moves between these machines in response to load-balancing needs. Ordinarily this seems like a convenient way to provide fast access to data. However, it can trigger legal issues. The Federal Information Security Management Act (FISMA) is a regulation which holds that sensitive data must be kept within the country, and other countries such as Switzerland have similar laws. As a result, SAAS may infringe jurisdictional and international laws.
Mitigation – Tracking and Verifying: Certain companies, such as Google and Symantec, have obtained FISMA certification and offer corresponding guarantees. More innovation needs to be kick-started so that customers can track and verify the location of SAAS providers’ virtual machines and thereby stay within regulatory requirements.
Conclusion: Security has been cited as the key reason firms have rejected moving to SAAS. These security risks must be appropriately dealt with before a SAAS service is adopted.