Does your SaaS and third party off-site storage put you at security risk?

Is your off-site data secure? If you have to undergo a SOX, PCI or HIPAA audit, does the audit include the vendors that supply your data storage, SaaS or cloud services? Most medical providers, banks and publicly traded companies are bound by one or more of the regulations listed above. However, your service provider may not be bound by the same regulations. They may try to hide behind claims of intellectual property, copyright or patent pending as reasons not to maintain the same security compliance you have to. Smokescreens like these can put you and your customers at risk.

Let's say a small, privately owned company comes up with a way to compress and store data that can restore data four times faster than any competitor can. A decision is made to sell the product as a service instead of packaging it as software, because the application is still immature and it is easier to fix problems than to support it as packaged software. Every piece of data stored on the system is well encrypted. All that is left is the means of transporting the data and the creation of the user interface.

Just remember that your security is only as strong as your weakest link. In this case, the company had an unencrypted login and password that existed for years before it was fixed. Only a handful of people knew about the issue, and it was going to be fixed, but at the moment it was a lower priority than the data. Would you trust a company that knew of a major glitch but didn't fix it simply because it wasn't a "high enough priority at the moment"?

Do you put your security in their hands?

Some of the biggest banks and hospitals need services like the one described above to store the ever-growing document and image libraries now required to stay in business. I've worked in publicly traded organizations, banks and the medical industry. I have gone through audits several times, and not once have I seen a service provider face anything more than a glance.

This example isn't a true story, and I hope this attitude toward security is no longer found anywhere. But this fictional scenario should encourage you to make sure your third-party vendors scan and test for security vulnerabilities. Make it a requirement that they supply your company with periodic, detailed reports on their software, or keep those reports on file for third-party review.

Does your company hold its service providers to the same security standard it holds its internal IT groups to? I would like to hear your stories and tips. Have you experienced any security loopholes like the fictional one described here?

U.S. Bank Vendor Epsilon Interactive Hacked

Amazon and Sony Cloud Hacking Raises SaaS Concerns

Orlando company: Hackers stole Apple IDs from us, not FBI

Cyberattack Hits Sony Mobile Unit

Comments
Honored Contributor | 11-01-2012 05:15 AM

Yes, I agree 100%. SaaS environments are an issue both for the data itself and for test environments. Here are two of my articles in which I describe both issues: 'Preparing for testing applications in the cloud' and 'Planning for cloud computing services: Is quality 'up in the air?'.

Well done!

John Scarpino, D.Sc.

About the Author(s)
  • I have more than 12 years in IT, with over 10 years working with the HP Quality Management suite of tools, seven as a Professional Services consultant for Mercury/HP. Additionally, I am the Regional Practice Lead for the Quality Management Strategy and Solutions organization which helps drive innovation in the areas of Best Practices and constancy of delivery.
  • Bruce Randall has 18 years of experience in technology product management and product marketing, has authored numerous articles, whitepapers and other content, and has presented in multiple technology forums. More importantly, Bruce has enjoyed working with thousands of customers and technology stakeholders to better understand their problems and to address them with technology solutions and services.
  • This account is for guest bloggers. The blog post will identify the blogger.
  • Kelly has over 20 years experience with enterprise systems and software in individual contributor and manager roles across product management, business development and product marketing. A majority of my focus has been in areas directly related to applications spanning from developer environments, enterprise Java, integration middleware, SOA infrastructure, SOA Governance and now application lifecycle management. Kelly has a B.S. in Computer Science from California Polytechnic State University, San Luis Obispo and an MBA from the University of Santa Clara.
  • Malcolm is a functional architect, currently focusing on best practices and methodologies in automated testing.
  • Matthew Morgan is Vice President of Product Marketing for HP Software and serves as the marketing business owner for the Hybrid IT and Cloud product lines. His 20 year tenure in the Application Lifecycle Management industry includes a decade at Mercury Interactive, where he led product management and product marketing teams that created and commercialized many generations of Quality and Performance Center products. You can follow Mr. Morgan on twitter @forwardtension, connect with him on LinkedIn, or check out his personal blog at http://forwardtension.com
  • Michael Deady is a Pr. Consultant & Solution Architect for HP Professional Service and HP's ALM Evangelist for IT Experts Community. He specializes in software development, testing, and security. He also loves science fiction movies and anything to do with Texas.
  • HP IT solution architect in the Product Development IT organization. Working on HP internal usage of ALM and SDLC processes and tools.
  • WW Sr Product Marketing Manager for HP ITPS VP of Apps & HP Load Runner

