Discover Performance

HP Software's community for IT leaders // June 2012

Keep SaaS secure from the start

Until SaaS application providers do a better job of delivering security visibility and control to their customers, those users will have to take action against potential compliance risk. 

When business applications get pushed outside the enterprise perimeter, security tends to take a hit. With poor visibility into user activity, including limited access controls and nonexistent monitoring, SaaS can be a direct challenge to the CISO's compliance responsibility.

To mitigate these SaaS security concerns, the enterprise security team must

  • be involved in procurement, assuming a proactive role in vetting all SaaS relationships;
  • be actively aware of the data compliance issues involved in each prospective SaaS application; and
  • be willing to reject those vendors who cannot supply adequate access control, visibility or activity monitoring.

SaaS security risk checklist

SaaS is a young industry and changing rapidly. Thus, no two providers are alike. To assess the security threats or capabilities of third-party SaaS providers, customers must ask the right questions:

  • How granular are the access controls?
    The most prevalent mechanism for data breaches today is through malicious or unintentional misuse of user log-in credentials. Visibility into the activity of individual users, including administrative changes, is essential to data protection.
  • What metrics are available for reporting?
    Will you be able to create the reports you need to satisfy the board, the CIO and auditors that enterprise data security meets regulatory requirements?
  • Is the data provided in a manner that can be easily integrated into internal monitoring tools, thus preventing data silos?
    To make compliance reporting simple and foolproof, you'll need to monitor internal enterprise applications and SaaS applications side-by-side, from a centralized dashboard.

Finally, for each SaaS application, you must know the business criticality of the data involved. Is the application handling confidential customer information or just job postings? From there, you can perform an inventory of the applicable compliance issues.

Not good enough

By and large, today's third-party SaaS vendors are behind on this curve. Most provide very little information to their customers. When asked, they may not be able to answer specific questions about user access anomalies. For example, one common concern is that few SaaS vendors can inform customers about who in the organization can modify permissions, despite the fact that such information is vital to the investigation of an internal attack.

Also lacking are industry standards that would guide SaaS vendors toward simplified customer reporting. Even when log data is available, with no agreement on the format, enterprise customers may face a difficult, expensive integration process.

Rising to the challenge

Fortunately, downward pressure on enterprise cloud providers to expose data security tools and options is beginning to have an effect. Newer companies are raising the competitive bar, providing first-generation tools to help customers see and control aspects of data security.

HP has developed a program to assist enterprises in finding SaaS application vendors who are already taking an early lead in addressing the security injunction. HP Cloud Connections is a select affiliation of SaaS providers who have demonstrated best-of-breed customer security features. These features include visibility into user activity and authorization, monitoring of critical control points and a commitment to making integration simple for customers.

A higher standard

The Cloud Security Alliance publishes a detailed guide to help enterprises practice strategic management of cloud services. This year's guide addresses the downward pressure on cloud providers to deliver more security information to their customers. Download it at

For more on securing your hybrid IT enterprise, visit HP’s cloud solutions page.


IT leader assessment

This tool evaluates the correlation between IT attributes and business success and, based on how your answers compare with average scores, will advise you where to invest in IT.

It is based on data HP collected from 650 global companies about a range of IT characteristics (server capacities, approach to information management, security, BYOD, etc.) and how they correlate to revenue gain. This assessment will compare your answers to the average scores in that study.

There are 12 questions that will require an estimated 10 minutes of your time. You'll receive a summary of your rating upon completion.

Let's get started

Please select an answer.


Your answer:
Your score:
Average score:
Revenue leaders' score:


Please select an answer.



Your score:
Average score:
Revenue leaders' score:

Get detailed results:


Popular tags


Discover Performance Weekly

HP Software’s Paul Muller hosts a weekly video digging into the hottest IT issues. Check out the latest episodes.

Enterprise 20/20

Security 20/20

Preparing today for tomorrow’s threats.

Introduction to Enterprise 20/20

What will a successful enterprise look like in the future?

CIO 20/20

Challenges and opportunities for the CIO of the future.

Dev Center 20/20

How will we organize development centers for the apps that will power our enterprises?

Marketing 20/20

Welcome to a new reality of split-second decisions and marketing by the numbers.

IT Operations 20/20

How can you achieve the data center of the future?

Employee 20/20

What the workforce of 2020 can expect from IT, and what IT can expect from the workforce.

Mobility 20/20

Looking toward the era when everyone — and everything — is connected.

Data Center 20/20

The innovation and revenue engine of the enterprise.

Read more

HP Software related

Most read articles

Discover Performance


Tweets @ HPSecurity