
Business Application Lease Security

Today in Russia there are about a hundred services that offer the most diverse software in SaaS mode, and their number is constantly growing. At the same time, the SaaS market indicators (turnover, customer base, etc.) remain rather low.



The most important obstacle to the development of this market is the issue of ensuring the information security of user data. In everyday language the questions sound like this: "How can I place the key data of my business somewhere at a provider?", "What happens if the provider stops providing the service?", "What guarantees that the data will not be lost or handed over to a competitor?"



I want to answer these questions in accessible language, break the security questions down into their parts, and describe the "inner workings" of a SaaS provider.




Comparison with hosting service providers



There are at least two widely used hosting services (in fact they are almost SaaS services, it is just that historically they are not called that) which already today collect, process and transmit over the network data that is critical for any business. In Russia these services are used by hundreds of thousands of customers, and for some reason they do not ask themselves the security question, and there are not many real security problems. I am talking about e-mail services and the renting (hosting) of online stores, which are mostly located at providers.



All business correspondence is e-mail, stored and transmitted in the clear. The provider can obtain any information about any contacts and contracts and hand it over, for example, to competitors. With online stores it is even more interesting. The databases of online stores collect information about all customers, their contacts, all their orders, perhaps the stock balances in warehouses, and the unique descriptions and images you have specially prepared. All of this sits at the provider, and how is it protected?



Try pulling out the contract with your hosting provider and see whether it contains any guarantees, not only of security but of the quality of the service in general. Will the provider compensate you for anything if the mail does not work for a couple of days? Do you know what infrastructure the provider has, and whether it can technically ensure the availability and security of your data?



So the security problems of SaaS services are no greater than the security problems of standard hosting services, and that level of security suits a huge number of clients.

However, the approach of "Panikovsky was pleasantly aware that there are people in the world even smaller than himself" is not correct in this matter, so let's get into the details.



Information risks



What are users really afraid of? Let us list the main information security issues and the ways to minimize these risks.



Loss of data confidentiality


Data confidentiality is the impossibility for third parties to access data without the consent of its owner.



Confidentiality is a complex task that includes both technical and administrative measures, such as:



In conditions of tough competition, competitors try to "hack" the enterprise's local network and/or look for ways to reach the enterprise's employees and administrators in order to obtain information. When the information is placed with a provider, the enterprise's employees and administrators not only have no physical access to it; it is not always even known that this information exists at all.



Unavailability of data


If the application is critical for the daily operation of the enterprise, then the availability of data for users is a key task, including:

Availability can also include network protection, for example against DDoS attacks.



Data integrity violation


Data integrity is ensuring the completeness and correctness of data changes when any operations are performed on the data.



Ensuring integrity includes:

Data integrity can also be violated from outside through "gaps" in the security of the software application (the so-called injections); protection against these is also provided by special software and hardware systems.
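To make the "injection" risk from the paragraph above concrete, here is an added Python example (not code from the original post or from any provider it describes) showing the same order-cancellation query in a vulnerable form and in a hardened form. The orders table, the row contents and the function names are constructed for illustration; the hardened version combines type validation with a bound parameter so that input can never change the set of rows the statement touches.

```python
import sqlite3

# Constructed sample data (not from the original post): an online store's orders table.
SAMPLE_ORDERS = [("alice", "new"), ("bob", "new"), ("carol", "shipped")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory orders table and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, status TEXT)")
    conn.executemany("INSERT INTO orders (customer, status) VALUES (?, ?)", SAMPLE_ORDERS)
    conn.commit()
    return conn


def cancel_order_vulnerable(conn: sqlite3.Connection, order_id: str) -> int:
    """Vulnerable form: the request parameter is pasted into the SQL text.

    Whatever the caller sends becomes part of the WHERE clause, so the meaning
    of the statement, and therefore the set of rows it changes, is controlled
    by the input. Returns the number of rows changed.
    """
    sql = f"UPDATE orders SET status = 'cancelled' WHERE id = {order_id}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def cancel_order_safe(conn: sqlite3.Connection, order_id: str) -> int:
    """Hardened form: validate the type, then bind the value as a parameter.

    int() rejects anything that is not an order number before any SQL runs,
    and the '?' placeholder sends the value separately from the SQL text, so
    the database never interprets input as part of the statement.
    """
    oid = int(order_id)  # raises ValueError for anything that is not an integer
    cur = conn.execute("UPDATE orders SET status = 'cancelled' WHERE id = ?", (oid,))
    conn.commit()
    return cur.rowcount


def count_status(conn: sqlite3.Connection, status: str) -> int:
    """Integrity check after each call: how many rows currently carry `status`."""
    row = conn.execute("SELECT COUNT(*) FROM orders WHERE status = ?", (status,)).fetchone()
    return row[0]


if __name__ == "__main__":
    # A legitimate call changes exactly one row in both versions.
    conn = make_db()
    print("vulnerable, normal input:", cancel_order_vulnerable(conn, "2"), "row(s) changed")

    # An input that is not an order number: the vulnerable version lets it rewrite the
    # WHERE clause and cancel every order; the safe version refuses it before any SQL runs.
    conn = make_db()
    print("vulnerable, tampered input:", cancel_order_vulnerable(conn, "2 OR 1=1"), "row(s) changed")
    conn = make_db()
    try:
        cancel_order_safe(conn, "2 OR 1=1")
    except ValueError as exc:
        print("safe, tampered input rejected:", exc)
    print("cancelled rows after the safe call:", count_status(conn, "cancelled"))
```

The vulnerable function is the kind of code an application-level "gap" consists of; the hardened one shows that the fix is in the application, not in the network equipment in front of it, which is why the software and hardware systems the text mentions can only reduce, not remove, this class of risk.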



Comparison with the visiting administrator



For large companies, information security issues are solved by their own fairly powerful IT and IS departments, by building and operating their own fault-tolerant data processing centers (DPCs), etc. But what about small and medium-sized businesses?



Most often, small companies do not have permanent IT specialists on staff and order support for their local network from external companies or individuals (they outsource these services).



Let's try to compare information security when using business applications in the following options:

A question arises immediately. In both cases an employee external to the enterprise has access to the enterprise's confidential information.

Then why should trust in the visiting administrator differ a priori from trust in the service provider?



A visiting administrator is also an external organization, and sometimes just an individual, who can disappear for a huge number of reasons (military call-up, illness, exam session, unexpected love in another region of the federation, etc.).



Visiting administrators usually have very good experience with standard tasks: maintaining workstations, printers and scanners, file and other local network servers, Internet connectivity, etc. But they rarely have experience supporting complex business applications such as Microsoft Exchange, Microsoft Dynamics CRM, SharePoint Server portals, Live Meeting or third-party applications, and often simply will not undertake to support them and keep them running.



What is the reaction time of visiting administrators when a problem occurs? Probably everyone has a different arrangement, but emergency visits are often either impossible or rather expensive. The provider guarantees round-the-clock handling of incidents, with service recovery deadlines fixed in the Service Level Agreement (SLA).



Visiting administrators do not like to be woken up to provide support at night, and this can be very important for a business!



Backup and monitoring are two systems that are very complex to set up and maintain. Every company manager remembers stolen (lost) laptops "with all the information", crashed hard drives, failed flash drives and unreadable CD-ROMs with "very important information". Work is paralyzed, nerves are at the limit. And this problem cannot be solved once and for all: a backup system has to be set up and its operation has to be monitored.



Not all visiting administrators deal with this or have the relevant experience, whereas for the provider it is one of the main functions. In addition, good backup systems are quite expensive. The same applies to installing updates that close gaps in the security of the operating system and application software. If this is done only on the administrator's next visit, the attacker will have had enough time to exploit the vulnerability.
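The two paragraphs above say that a backup system has to be both set up and continuously monitored. As an added example (not from the original post, and not any provider's actual tooling), the Python below shows the minimum a monitoring job has to check: that the newest backup is not older than the agreed recovery point, and that every recorded archive still exists and matches the checksum taken when it was written. The manifest format, the archive names, the timestamps and the 30-hour limit are all constructed assumptions for this illustration.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed reference time and recovery-point limit (assumptions for this example).
NOW = datetime(2024, 1, 10, 8, 0, tzinfo=timezone.utc)
MAX_AGE = timedelta(hours=30)   # a daily backup that is more than 30 h old means a run was missed


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_backup(manifest: list, name: str, created: datetime, data: bytes) -> None:
    """Called by the backup job: store name, timestamp and checksum of the archive it wrote."""
    manifest.append({"name": name, "created": created, "sha256": sha256_hex(data)})


def check_backups(manifest: list, storage: dict, now: datetime, max_age: timedelta) -> list:
    """Monitoring job. Returns a list of findings; an empty list means the backup set is healthy.

    Checks freshness (the newest backup is within max_age of `now`) and, for every
    manifest entry, that the archive is still present in `storage` and its checksum
    matches the one recorded when it was written (detects silent corruption or tampering).
    """
    findings = []
    if not manifest:
        return ["no backups have ever been recorded"]
    newest = max(entry["created"] for entry in manifest)
    age = now - newest
    if age > max_age:
        findings.append(f"newest backup is {age} old, exceeds the {max_age} limit")
    for entry in manifest:
        data = storage.get(entry["name"])
        if data is None:
            findings.append(f"{entry['name']}: archive missing from storage")
        elif sha256_hex(data) != entry["sha256"]:
            findings.append(f"{entry['name']}: checksum mismatch, archive is corrupt or tampered")
    return findings


def build_scenario(stale: bool = False, corrupt: bool = False, missing: bool = False):
    """Construct three nightly backups (in-memory stand-ins for archive files) and,
    optionally, one of the failure modes the monitoring job must catch."""
    manifest, storage = [], {}
    for days_ago in (3, 2, 1):
        if stale and days_ago == 1:
            continue                      # pretend last night's run never happened
        created = NOW - timedelta(days=days_ago)
        name = f"crm-{created:%Y%m%d}.db.gz"
        data = f"constructed archive contents for {name}".encode()
        record_backup(manifest, name, created, data)
        storage[name] = data
    if corrupt:                           # flip the last byte of the newest archive
        name = manifest[-1]["name"]
        storage[name] = storage[name][:-1] + b"X"
    if missing:                           # oldest archive was deleted from storage
        del storage[manifest[0]["name"]]
    return manifest, storage


if __name__ == "__main__":
    for label, kwargs in [("healthy", {}), ("stale", {"stale": True}),
                          ("corrupt", {"corrupt": True}), ("missing", {"missing": True})]:
        manifest, storage = build_scenario(**kwargs)
        print(f"{label}: {check_backups(manifest, storage, NOW, MAX_AGE) or 'OK'}")
```

In practice the job runs on a schedule and its findings go to whoever is on call; the point of the checksum pass is that a backup that exists but cannot be restored is the case the text describes ("very important information" on an unreadable disk), and only a check performed before the disaster will reveal it.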



The provider constantly monitors information about security gaps and is able to install updates quickly for all clients at once.



Not all employees sign employment contracts, or the contracts do not contain adequate confidentiality clauses. This clause is not always present in the contract with the visiting administrator, and that contract does not always exist on paper at all, which means it will not be possible to make a legal claim. With a provider, this should be a mandatory annex to the contract.



The physical infrastructure of a small enterprise's local network is usually used to the maximum: computers and servers work until the head wears a hole in the hard drive and the network cables come loose from old age. This is normal from the point of view of business efficiency, but if a new business application is implemented there may simply be no resources. That means buying a server, or even several, and finding a place for them where it is not hot (so air conditioning may also have to be bought), etc. On the backup server (if there is one) there will be no room for backups of the new system, so a hard drive has to be bought; such drives are no longer made, so all the drives have to be replaced, and so on. In other words, a large number of actions may have to be performed, a significant amount of money spent, and a certain amount of time lost. The provider takes all these questions upon itself. You may not even know what equipment your service runs on; what matters is that it is sufficiently reliable and productive and will be updated in the event of increased load or obsolescence. And this does not affect your cost of using the solution.



External firewalls covering local networks are rarely reliable, high-performance devices, because such devices are expensive. There are no intrusion detection and prevention systems. Almost nothing in the local network is redundant. The provider, by contrast, has powerful systems and can afford them, since they serve all customers simultaneously, which means the cost per customer decreases.



A security policy, as a coherent system, is most often absent in small and medium-sized businesses. When an employee is dismissed, the user account is not always deleted or its password changed, or not everywhere, because either there is no list of the software in use or it is not kept up to date. The provider closes access automatically when the user is deleted. The provider does not even need to remember to do this; everything is done automatically by the resource management system. The provider simply could not control this manually and has to systematize and automate these functions.
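The automatic closing of access described above is an access reconciliation: the list of people the business still employs is compared with the accounts that exist in every system, and anything that no longer matches is disabled. The Python below is an added example of that reconciliation (it is not the original post's code and not any provider's resource management system). The HR roster, the application accounts and the login names are constructed; an account with no HR record at all (such as a contractor or shared login) is reported for manual review rather than silently disabled, because the roster cannot say whether it is still needed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    system: str    # which application the account lives in (constructed names)
    login: str
    enabled: bool


# Constructed HR roster, not from the original post: login -> employment status.
HR_RECORDS = {
    "ivanov": "active",
    "petrova": "active",
    "sidorov": "active",
    "kuznetsov": "terminated",   # left last month; the roster knows, the applications do not
}

# Constructed inventory of accounts across the applications in use.
APP_ACCOUNTS = [
    Account("crm", "ivanov", True),
    Account("crm", "petrova", True),
    Account("crm", "kuznetsov", True),            # should have been closed on dismissal
    Account("mail", "ivanov", True),
    Account("mail", "kuznetsov", True),           # same person, second system
    Account("mail", "sidorov", False),            # already disabled, nothing to do
    Account("mail", "admin-contractor", True),    # no HR record at all
]


def plan_deprovisioning(hr_records: dict, accounts: list):
    """Compare every enabled account with the HR roster.

    Returns (to_disable, orphans): accounts whose owner is recorded but no longer
    active, and accounts that map to nobody in HR and need an owner review.
    """
    to_disable, orphans = [], []
    for acc in accounts:
        if not acc.enabled:
            continue                      # already closed; idempotent on re-runs
        status = hr_records.get(acc.login)
        if status == "active":
            continue
        if status is None:
            orphans.append(acc)
        else:
            to_disable.append(acc)
    return to_disable, orphans


def apply_plan(accounts: list, to_disable: list) -> list:
    """Return the account inventory with the planned accounts switched off.
    (A real run would call each application's disable-user operation here.)"""
    targets = {(a.system, a.login) for a in to_disable}
    return [Account(a.system, a.login, False) if (a.system, a.login) in targets else a
            for a in accounts]


if __name__ == "__main__":
    to_disable, orphans = plan_deprovisioning(HR_RECORDS, APP_ACCOUNTS)
    for acc in to_disable:
        print(f"disable {acc.system}/{acc.login}: owner status is "
              f"'{HR_RECORDS[acc.login]}'")
    for acc in orphans:
        print(f"review  {acc.system}/{acc.login}: no HR record, confirm an owner")
    after = apply_plan(APP_ACCOUNTS, to_disable)
    print("second run finds nothing left to disable:",
          plan_deprovisioning(HR_RECORDS, after)[0] == [])
```

Run on a schedule, this is what makes the closing of access automatic: the person dismissing an employee updates one roster, and every application follows without anyone having to remember which systems the employee had a login in.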



All of this is understandable. Setting up an information security system requires knowledge and resources, and nobody wants to spend them. There is a solution: use the knowledge and experience of the provider.



Comparison table: Admin vs. Provider

Options                 | Admin (visiting)                               | Service provider
Responsibility          | Legal entity or individual                     | Legal entity
Experience              | Level of personal knowledge                    | Professional methods
Quality of service      | Responsiveness? Backup? Monitoring?            | Measurable parameters are fixed in the SLA
Confidentiality         | An employment contract?                        | Confidentiality agreement (NDA)
Expertise               | May not undertake support of ERP, CRM ...      | Expertise in business systems
Physical infrastructure | Unreliable                                     | Professional




The right providers



Trust in a provider is a complex issue and consists of many factors.

When choosing a provider of business application rental services, consider the following information:





Instead of a conclusion



I am not at all against visiting administrators as a class. They play an important role in supporting workstations, servers and the local network infrastructure of small and medium-sized businesses, and it is impossible to do without their services. Providers do not aim to provide such services and hardly ever will.



At the same time, many business applications are simpler and SAFER to use remotely (in SaaS mode), because this mode, in addition to solving security issues, provides many other advantages:

Source: https://habr.com/ru/post/118663/


