IT leaders have been urged to engage with their board, demand more transparency from their service providers and actively think about redeploying security staff as part of a successful approach to secure SaaS implementation.
Gartner research vice president Jay Heiser told attendees at the analyst’s annual Security & Risk Management Summit in London on Tuesday that not moving to the cloud is "no longer" an acceptable position.
Instead, IT needs to think about creating “risk appropriate mechanisms for the assessment” of three use cases: data so sensitive it can’t be moved; processes and data that can be moved with the implementation of controls like encryption; and data that can be moved with little or no controls.
Heiser argued that with some directors now actively asking about SaaS, IT leaders should seize the opportunity to get high-level sponsorship on three key policies.
These are: installing a business unit or department head as “owner” for each SaaS app; conducting a risk assessment based on data sensitivity; and compiling a comprehensive cloud inventory.
Staff skills will also need to be transformed into more of an overseeing, management role, according to the analyst.
“Today we’re managing all of our security technology, we’re managing our directory services, we’re doing a lot of operations that in the cloud we don’t have to do. But what we are going to have to do increasingly…is oversee those things,” he said.
“We’re going to have to manage the integration with those services and … the ongoing viability and suitability of those providers. And we’re going to have to develop some more technical skills, especially for identity and access management and encryption.”
Finally, he urged IT bosses to demand greater transparency from their cloud providers.
“If you’ve got a highly sensitive use case and you want to put it in the cloud, ask the provider for a detailed copy of that [evaluation] report,” said Heiser.
“We’ve got to put more pressure on them to do the third party evaluation and to share the results with us when they want a lot of money from us to fully integrate with our directory service.”
Ultimately, SaaS is a work in progress, with many industry best practices, technology platforms and vendors still evolving.
However, there are a large number of controls security teams can put in place today to safeguard data, as long as they recognize that this may have to change in a couple of years as the industry evolves, he concluded.