Business Application Lease Security

    Today in Russia there are about a hundred services that let you use a wide variety of software in SaaS mode, and their number is constantly growing. At the same time, the SaaS market's indicators (turnover, customer base, etc.) remain rather low.

    The biggest obstacle to the growth of this market is the question of ensuring the information security of user data. In everyday language the questions sound something like this: “How can I put the key data of my business somewhere with a provider?”, “What happens if the provider stops providing the service?”, “What guarantees that the data will not be lost or handed over to a competitor?”, etc.

    I want to answer these questions in plain language, sort out the security issues, and describe the “inner workings” of a SaaS provider.


    Comparison with hosting providers


    There are at least two widely used hosting services (in fact, they are almost SaaS services; historically they simply were not called that) that already today collect, process and transmit over the network data that is critical for any business. Hundreds of thousands of customers in Russia use these services, and for some reason they do not worry about security, and there are not that many real security problems. I am talking about e-mail services and the rental (hosting) of online stores, most of which are located at providers.

    All business correspondence is conducted by e-mail, stored and transmitted in the clear. The provider can read any information about any contacts or contracts and pass it, for example, to competitors. With online stores it is even more interesting. The database of an online store accumulates information about all customers, their contacts, all their orders, possibly stock levels in warehouses, and unique descriptions and images that you prepared specially. All of this sits with the provider, and how is it protected?

    Try digging out your contract with a hosting provider and check whether it contains any guarantees, not just of security but of the quality of the service in general. Must the provider compensate you if mail does not work for a couple of days? Do you know what infrastructure the provider has, and whether it is technically able to ensure the availability and security of your data?

    So the security problems of SaaS services are no greater than those of ordinary hosting services, and that level of security suits a huge number of customers.
    However, the approach of “Panikovsky was pleased to realize that there are people in the world even smaller than him” is not the right one here, so let's get into the details.

    Information Risks


    What are users actually afraid of? Let us list the main information security issues and the ways to minimize these risks.

    Loss of data confidentiality

    Data confidentiality is the inability of third parties to access data without the consent of its owner.

    Ensuring confidentiality is a complex task that includes both technical and administrative measures, such as:
    • authorization of users (both directly when accessing the services and when contacting the support service);
    • confidentiality of data in storage, including separation of access rights, application of security policies on servers, and configuration of external network security systems (firewalls);
    • confidentiality of data in transit (channel encryption, VPNs);
    • confidentiality of data in backups;
    • legally sound relationships with the administrative staff who have access to confidential client information.

    Under fierce competition, competitors try to “hack” the enterprise's local network to obtain information and/or look for an approach to the enterprise's employees and administrators. When the information is placed with a provider, the enterprise's employees and administrators not only lack the physical ability to access it; it is not always even known that this information exists at all.

    Data unavailability

    If the application is critical for the daily work of the enterprise, then the availability of data to users is a key task, which includes:
    • ensuring the availability of server hardware: duplication of components, clustering;
    • ensuring the operability of the local network's equipment and a high-quality Internet connection (if external access to the application is needed);
    • ensuring sufficient performance, forecasting load and upgrading the hardware platform.
    Availability also includes network protection, for example against DDoS attacks.

    Data integrity violation

    Data integrity means the completeness and correctness of data changes whenever any operation is performed on the data.

    Ensuring integrity includes:
    • transactionality at the application level (maintaining the correctness of the relationships between data, for example in the database) when the data changes;
    • operability of physical media, duplication, use of RAID arrays;
    • a backup and recovery system that guarantees the timely creation, availability and restoration of backups.
    Data integrity can also be violated from outside through “gaps” in the security of the application software (the so-called injections); protection against this is likewise provided by special software and hardware systems.

    Comparison with the incoming administrator


    Large companies solve information security issues with their own reasonably strong IT and IS departments, by building and operating their own fault-tolerant data processing centers (DPCs), and so on; but what about small and medium-sized businesses?

    Most often, small businesses have no permanent IT specialists on staff and order support for their local network from external companies or individuals (that is, they outsource these services).

    Let's try to compare information security when business applications are used in the following ways:
    • placing the business application on the enterprise's local network, with information security provided by an incoming administrator;
    • hosting the business application in SaaS mode with a service provider.

    The question arises at once: in both cases an employee external to the enterprise has access to the enterprise's confidential information.
    Then why should trust in the incoming administrator a priori differ from trust in the service provider?

    An incoming administrator is also an external organization, and sometimes just an individual, who can disappear for any number of reasons (a call-up, illness, exam session, unexpected love in another region of the federation, etc.).

    Incoming administrators usually have very good experience with the standard tasks of keeping workstations, printers and scanners, file and other servers on the local network, the Internet connection, etc. running, but rarely have experience supporting complex business applications such as Microsoft Exchange, Microsoft Dynamics CRM, SharePoint Server portals, Live Meeting or third-party applications, and often simply do not undertake to support them or guarantee their operation.

    What is the response time of incoming administrators to a problem? Probably everyone has their own arrangement, but emergency call-outs are often either impossible or quite expensive. The provider guarantees round-the-clock incident handling and the recovery times stipulated in the Service Level Agreement (SLA).

    Incoming administrators do not like to be woken up to provide support at night, and this can be very important for a business!

    Backup and monitoring are two systems that are very difficult to configure and maintain. Every company director remembers stolen (lost) laptops “with all the information”, crashed hard drives, dead flash drives and unreadable CD-ROMs with “very important information”. Work is paralyzed, nerves are at the limit. And once such a loss proves unrecoverable, it becomes necessary to set up a backup system and monitor its operation.

    Not all incoming administrators do this or have the appropriate experience, whereas for the provider it is one of the main functions. Besides, good backup systems are quite expensive. The same applies to installing updates that close gaps in the security of the operating system and application software. If this is done only on the administrator's next visit, an attacker will have enough time to exploit the vulnerability.

    The provider constantly monitors information about security gaps and is able to install updates quickly for all clients at once.

    Not all employees sign employment contracts, or the contracts do not contain sufficient confidentiality terms. This clause is not always present in the contract with an incoming administrator, and that contract does not always exist on paper at all, so it will not be possible to make a legal claim. With a provider, this should be a mandatory annex to the contract.

    The physical LAN infrastructure of a small enterprise is usually used to the maximum: computers and servers work until the heads wear a hole in the hard drive and the network cables crumble from old age. This is normal from the point of view of business efficiency, but when a new business application is introduced there may simply be no resources left. That means buying a server, or even several, and putting it somewhere that is not hot (so perhaps air conditioning will have to be bought as well), and so on. There will be no room on the backup server (if there is one) for backups of the new system, so you need to buy a hard drive; but such drives are no longer made, so you need to replace all the hard drives; and so on. In other words, a large number of actions may be needed, a significant amount of money spent, and a certain amount of time lost. The provider takes care of all these issues. You may not even know what equipment your service runs on; what matters is that it is reliable and fast and will be upgraded in case of increased load or obsolescence. And this does not affect your cost of using the solution.

    External firewalls covering LANs are rarely reliable, high-performance devices, because such devices are expensive. Intrusion detection and prevention systems are absent altogether. In a local area network almost nothing is ever duplicated. The provider has powerful systems and can afford them, because they serve all customers simultaneously, which means the cost per client becomes negligible.

    A security policy as a coherent system is most often absent in small and medium-sized enterprises. The user is not always deleted or the password changed upon dismissal, or it is not done everywhere, because the list of software in use either does not exist or is not kept up to date. The provider closes access automatically when a user is deleted. The provider does not even need to remember to do this; everything is done automatically by the resource management system. The provider simply could not control this manually and is obliged to systematize and automate these functions.

    All this is explainable. Setting up an information security system requires knowledge and resources, and nobody wants to spend them. There is a solution: use the knowledge and experience of the provider.

    Comparison table: Administrator vs Provider

    Parameter                | Administrator (incoming)                  | Service provider
    Responsibility           | Legal entity or individual                | Legal entity
    Experience               | Level of personal knowledge               | Professional methods
    Service quality          | Responsiveness, backup, monitoring: ???   | Measurable parameters fixed in the SLA
    Confidentiality          | An employment contract?                   | Confidentiality agreement (NDA)
    Expertise                | May not take on support for ERP, CRM ...  | Expertise in business systems
    Physical infrastructure  | Unreliable                                | Professional


    The right providers


    Trust in a provider is a complex matter made up of many factors.
    When choosing a business application rental service provider, the following information should be considered:
    • the provider's history, how many years it has been on the market, its reputation;
    • existing customers, success stories;
    • an open policy regarding physical infrastructure (the number and quality of data centers, redundant air conditioning and power supply systems, modern fire suppression systems, physical access control, video surveillance). It is good if you can go on a tour;
    • the server hardware used;
    • the existence, description and quality of the external information security system (firewall, intrusion detection and prevention system);
    • the number and qualifications of staff;
    • the existence of a service level agreement (SLA) that describes the service parameters, deadlines and liability for their violation;
    • the existence of a confidentiality agreement (NDA) and its terms;
    • confirmation from software vendors of the provider's competency to provide rental services for that software. For example, when providing rental of Microsoft business applications it is important to hold the Hosting Solutions, Advanced Infrastructure Solutions and similar competencies;
    • the support service's operating hours, response time and friendliness, and the possibility of “escalating” problems;
    • paperwork in accordance with the legislation of the Russian Federation.


    Instead of a conclusion


    I am not at all against incoming administrators as a class. They play a crucial role in supporting the workstations, servers and local network infrastructure of small and medium-sized enterprises, and it is impossible to do without their services. Providers do not offer such services and are unlikely ever to do so.

    At the same time, many business applications are easier and safer to use remotely (in SaaS mode), because, in addition to resolving security issues, this mode offers many other advantages:
    • regular small payments instead of a one-time expensive software purchase;
    • because the payments are small, it becomes possible to use more expensive and more functional applications that were previously out of reach;
    • no need to buy servers and other hardware to deploy the software;
    • all necessary updates are received automatically and the latest versions are always in use;
    • use (and pay) only when necessary;
    • and much more.
