0:03
In this lesson I'll talk about SaaS.
By the end of this lesson you'll be able to explain to me what SaaS is and
how it's used today.
We'll discuss security risks surrounding SaaS and understand that organizations
must learn to accept that using SaaS in some capacity is inevitable.
0:28
What is SaaS?
SaaS, if you recall from one of the previous lessons when we
talked about the cloud, is Software as a Service.
Many organizations use this model to provide services that they can't provide
themselves.
What it does is help eliminate the need to run hardware or
software on-premise.
Maybe you just can't run the software.
Maybe it's too expensive to purchase the hardware.
Third parties run the software on their own
infrastructure to provide the service for you.
There are also hybrid models out there where we have some systems on campus,
or on-premise, and some software out in the cloud.
CrashPlan is one of these types of services, where we can actually put some data in a
local repository on campus, or on-premise, and then we can also back up to the cloud.
It's a great model, a hybrid model.
1:35
Some SaaS examples that you're probably familiar with.
G Suite, which is Google's offering, or Office 365, which is Microsoft's,
provides Exchange Online, provides Office, Word out in the cloud.
Dropbox, Salesforce, Slack, DocuSign and
WebEx, these are all SaaS examples that you probably use quite often.
Anywhere where you're going out to another provider that
hosts some kind of software is a SaaS service.
2:13
Many organizations use SaaS for a number of different reasons.
Let's talk about some of these.
Lower total cost of ownership is a primary one.
Organizations may have a hard time purchasing hardware or software,
full-blown hardware and software, and having somebody to manage it as well.
A good example of this is Exchange to Office 365,
where running Exchange on-premise can be very costly,
whereas moving to Office 365 may be a much lower cost.
Lack of experienced staff is one of those where organizations may choose to use SaaS.
Maybe they don't have a full-blown Windows system administrator or
Exchange administrator to manage Office 365, for example.
Lack of technical resources such as a data center might
be another reason why we may use SaaS applications.
Deployment time: setting up Exchange, for example,
is a very difficult thing to do, whereas we may be able to just
click a couple of buttons on Office 365 and get it to do what we want.
Lack of knowledge of what can be accomplished with existing tools
is another reason organizations use SaaS.
For example, Slack versus Jabber versus Skype for
Business versus, really, you name it, any instant communication chat tool.
Well, chances are one of those tools is sanctioned and
one of those tools that your employees are using is not sanctioned.
Slack, for example, may be one of those that is an unsanctioned, insecure
communication process.
But it's a SaaS model, so people are using it because, you know what?
I can buy it in five minutes and I can start using it within that time.
4:38
Whatever cloud provider, or SaaS provider, that you go to could sell your data.
What if they lose the data?
Or what happens if they have a data breach?
This could impact your information or your data.
What about if it's only in one place instead of in multiple places?
Do you understand what your SaaS provider is offering?
What about risks based off of compliance?
ITAR, for example, or FISMA compliance.
If you're doing government research, are all the servers
of the SaaS provider hosted in the US or are they hosted overseas?
This is something that you need to be concerned with if you're moving
information back and forth between Cloud providers.
How is your data secured?
What if the hosting provider or
SaaS provider has poor security practices and your data is leaked somehow?
5:42
Another risk is instability or flawed business models.
SaaS providers usually do updates without notice; they may have service outages;
they may remove features or add features that you weren't intending.
Or perhaps they just have a flawed business architecture, or
a flawed technical architecture as well, where they may have outages constantly.
Competition between cloud providers or
SaaS providers may also force companies that you've gone
into business with to go out of business, and what happens in that case?
What if you have a lot of data with the service provider and you put all your eggs
in one basket and you're unable to continue with that Cloud provider?
6:37
One of the other risks with SaaS applications is SaaS provider security.
You don't always understand and
you don't know how a SaaS provider is treating security, unless you really ask.
A lot of cloud providers are going to say that they are SOC 3 certified.
Well, that usually just means that their data center is SOC 3 certified.
It doesn't mean their business practices are, okay?
So you have to ask the service provider, ask the SaaS provider.
What audits have you done lately on your data?
What security audits have you performed?
Can I perform my own security audits?
What about the transparency of security vulnerabilities or
the remediation of those vulnerabilities?
Are they transparent about those?
What about secure protocols?
Does the cloud provider, or the SaaS provider, use secure
protocols to transfer data back and forth, for example?
What about transferring data back and forth between their own systems?
What have been the results of their last compliance check?
Like their SOC compliance, or their NIST compliance, or FISMA,
or PCI, or whatever compliance you need to make sure that you're in compliance with.
We see this quite a bit with PCI.
There's a lot of SaaS providers out there that need to be PCI compliant.
8:21
There's also organizational risk involved in going with a SaaS provider.
You may be unfamiliar with or restricted by their terms of use.
What if their terms of use say that you can't
own your own data, or that they own your data?
What about long-term contracts that lock you into an organization?
Shadow IT is another organizational risk, where we see other
departments within an organization bring up cloud providers
because you can't offer, or IT can't offer, the thing that they need.
Paying for similar architecture that the company already sanctions
is another risk that we may have, where it's a financial risk,
because you're now paying for two providers, or it's shadow IT.
9:27
Understand that SaaS is inevitable.
Going to a SaaS provider in some size, shape, or form is inevitable.
For example, at the university we have a bunch of sanctioned SaaS applications.
Office 365, Blackboard, Canvas, LastPass, WebEx,
those are some examples of sanctioned SaaS applications.
There are also unsanctioned SaaS applications that
present shadow IT, organizational risk.
There's a lot of them, too, such as Slack, Dropbox, Gmail, Carbonite, CrashPlan.
All of those don't fit into our organization, but
departments use them for a variety of different reasons.
Now, if you're an organization, you have to look at these and determine whether or
not you actually need to provide these services to your end users or
to your customers.
10:34
How do we develop a response to SaaS in an organization?
If you're in IT, or in IT security,
you have to understand what SaaS is and where it is.
That is the most important thing.
You have to understand where you have these SaaS applications, so
that you can start looking at them closely.
Understand that you as IT security cannot control everything, or
that you as senior management can't control everything.
Meet your stakeholders, which are your internal customers,
other organizations within the company, in the middle.
Make sure that you're providing what the organization needs.
Understand that the needs of others in the organization may be important.
This is interviewing your stakeholders for example.
And is the use of unsanctioned SaaS because of lack of awareness,
lack of features, or inadequate functionality in general?
Understanding those will help you get a better understanding of how SaaS is used.