Welcome!

Linux Containers Authors: Flint Brenton, Liz McMillan, Elizabeth White, AppDynamics Blog, Pat Romanski

Related Topics: @CloudExpo, Java IoT, Microservices Expo, Linux Containers, Agile Computing, Cloud Security

@CloudExpo: Article

Migrating Apps to the Cloud

Security trade-offs and considerations

Security professionals are constantly negotiating the tension of balancing ease-of-use with data security. Savvy security professionals know that their users will often choose a less secure technology that makes getting things done easier over a more secure technology that makes getting things done more cumbersome. The trick is in aligning the secure choice with the efficient choice - but this comes with much-needed analysis and consideration.

Increasingly, best-in-class applications are being offered in a Software as a Service (SaaS) model; just take a look at the plethora of cloud-based tools available for organizations that need a scalable way to access software across physical locations and a means of enabling their increasingly mobile users. Certainly, the SaaS model offers highly compelling advantages over traditional on-premise solutions such as:

  • Reduction and simplification of license management costs as well as infrastructure procurement and management costs
  • Increased disaster resiliency and improved business continuity driven by the remote nature of SaaS to the workplace
  • Enablement of a remote or mobile workforce

While there are several reasons why enterprises around the globe are moving toward cloud-based software solutions, there are trade-offs in moving from on-premise to hosted SaaS. Control of the infrastructure means control of the security and compliance of the systems. Giving up this control means additional due diligence is required to meet security and compliance objectives.

From full-site SSL/TLS encryption to encryption of customer data at rest, SaaS providers are incorporating best practices in an effort to ensure that the data customers entrust them with remains safe in their hands. Support for single-sign-on (SSO) authentication standards such as Security Assertion Markup Language version 2.0 (SAML 2.0) allows customers to integrate uniform authentication standards (strong passwords or multi-factor authentication (MFA)) across multiple SaaS tools.

When evaluating SaaS technologies for potential adoption by your organization, here are five key questions that you should ask any potential vendor:

  • How are you protecting my data while it's being transmitted to you and while it's stored in your systems?
  • What are you doing to protect your systems against physical threats?
  • What are you doing to defend your application from attack?
  • What are you doing to protect your users from account compromise?
  • How are you protecting the service from disaster and the data from corruption or accidental deletion?

User Management and Single Sign-On
One somewhat hidden challenge of increased reliance on SaaS applications is the potential for user management complexity. User on-boarding and off-boarding, end-user account and password management and privilege accounting are increasingly complex without a unified user management approach.

To solve for this, many SaaS providers now support one or more single sign-on (SSO) standards. Single sign-on allows for the central provisioning and de-provisioning of applications to the user, and a single source of truth for who has access to what.

Some additional benefits for SSO integrations include having a unified user authentication policy across multiple applications with fewer passwords for users to remember and keep secure. SSO also provides support for multi-factor authentication (MFA), which can be used to create a more secure but user-friendly means to log into mission-critical business software.

Whether we like it or not, keeping enterprise systems strictly on-premise isn't a viable or scalable option today. Adapting to the SaaS paradigm and understanding and quantifying both the benefits and risks have become a key skill for CIOs and security professionals. Those who can successfully negotiate this paradigm are the new heroes of IT procurement - delivering ease of use and efficiency while maintaining security and compliance best practices.

More Stories By Ken Asher

Ken Asher is a Sales Engineer, Security, at Smartsheet. He has over 11 years of experience in technical operations, security and regulatory audit controls design and implementation. He currently serves as a sales security engineer at Smartsheet, a collaborative work management tool used by millions worldwide, where he advises Smartsheet's Enterprise customers on security and compliance controls. Previously, Ken served as the director of technical operations and the director of operations at Docusign.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
For basic one-to-one voice or video calling solutions, WebRTC has proven to be a very powerful technology. Although WebRTC’s core functionality is to provide secure, real-time p2p media streaming, leveraging native platform features and server-side components brings up new communication capabilities for web and native mobile applications, allowing for advanced multi-user use cases such as video broadcasting, conferencing, and media recording.
A strange thing is happening along the way to the Internet of Things, namely far too many devices to work with and manage. It has become clear that we'll need much higher efficiency user experiences that can allow us to more easily and scalably work with the thousands of devices that will soon be in each of our lives. Enter the conversational interface revolution, combining bots we can literally talk with, gesture to, and even direct with our thoughts, with embedded artificial intelligence, wh...
Ask someone to architect an Internet of Things (IoT) solution and you are guaranteed to see a reference to the cloud. This would lead you to believe that IoT requires the cloud to exist. However, there are many IoT use cases where the cloud is not feasible or desirable. In his session at @ThingsExpo, Dave McCarthy, Director of Products at Bsquare Corporation, will discuss the strategies that exist to extend intelligence directly to IoT devices and sensors, freeing them from the constraints of ...
Web Real-Time Communication APIs have quickly revolutionized what browsers are capable of. In addition to video and audio streams, we can now bi-directionally send arbitrary data over WebRTC's PeerConnection Data Channels. With the advent of Progressive Web Apps and new hardware APIs such as WebBluetooh and WebUSB, we can finally enable users to stitch together the Internet of Things directly from their browsers while communicating privately and securely in a decentralized way.
Information technology is an industry that has always experienced change, and the dramatic change sweeping across the industry today could not be truthfully described as the first time we've seen such widespread change impacting customer investments. However, the rate of the change, and the potential outcomes from today's digital transformation has the distinct potential to separate the industry into two camps: Organizations that see the change coming, embrace it, and successful leverage it; and...
Technology vendors and analysts are eager to paint a rosy picture of how wonderful IoT is and why your deployment will be great with the use of their products and services. While it is easy to showcase successful IoT solutions, identifying IoT systems that missed the mark or failed can often provide more in the way of key lessons learned. In his session at @ThingsExpo, Peter Vanderminden, Principal Industry Analyst for IoT & Digital Supply Chain to Flatiron Strategies, will focus on how IoT de...
In his session at @ThingsExpo, Kausik Sridharabalan, founder and CTO of Pulzze Systems, Inc., will focus on key challenges in building an Internet of Things solution infrastructure. He will shed light on efficient ways of defining interactions within IoT solutions, leading to cost and time reduction. He will also introduce ways to handle data and how one can develop IoT solutions that are lean, flexible and configurable, thus making IoT infrastructure agile and scalable.
Complete Internet of Things (IoT) embedded device security is not just about the device but involves the entire product’s identity, data and control integrity, and services traversing the cloud. A device can no longer be looked at as an island; it is a part of a system. In fact, given the cross-domain interactions enabled by IoT it could be a part of many systems. Also, depending on where the device is deployed, for example, in the office building versus a factory floor or oil field, security ha...
An IoT product’s log files speak volumes about what’s happening with your products in the field, pinpointing current and potential issues, and enabling you to predict failures and save millions of dollars in inventory. But until recently, no one knew how to listen. In his session at @ThingsExpo, Dan Gettens, Chief Research Officer at OnProcess, will discuss recent research by Massachusetts Institute of Technology and OnProcess Technology, where MIT created a new, breakthrough analytics model f...
Fifty billion connected devices and still no winning protocols standards. HTTP, WebSockets, MQTT, and CoAP seem to be leading in the IoT protocol race at the moment but many more protocols are getting introduced on a regular basis. Each protocol has its pros and cons depending on the nature of the communications. Does there really need to be only one protocol to rule them all? Of course not. In his session at @ThingsExpo, Chris Matthieu, co-founder and CTO of Octoblu, walk you through how Oct...
There are several IoTs: the Industrial Internet, Consumer Wearables, Wearables and Healthcare, Supply Chains, and the movement toward Smart Grids, Cities, Regions, and Nations. There are competing communications standards every step of the way, a bewildering array of sensors and devices, and an entire world of competing data analytics platforms. To some this appears to be chaos. In this power panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, Bradley Holt, Developer Advocate a...
SYS-CON Events announced today that Bsquare has been named “Silver Sponsor” of SYS-CON's @ThingsExpo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. For more than two decades, Bsquare has helped its customers extract business value from a broad array of physical assets by making them intelligent, connecting them, and using the data they generate to optimize business processes.
IoT offers a value of almost $4 trillion to the manufacturing industry through platforms that can improve margins, optimize operations & drive high performance work teams. By using IoT technologies as a foundation, manufacturing customers are integrating worker safety with manufacturing systems, driving deep collaboration and utilizing analytics to exponentially increased per-unit margins. However, as Benoit Lheureux, the VP for Research at Gartner points out, “IoT project implementers often ...
So, you bought into the current machine learning craze and went on to collect millions/billions of records from this promising new data source. Now, what do you do with them? Too often, the abundance of data quickly turns into an abundance of problems. How do you extract that "magic essence" from your data without falling into the common pitfalls? In her session at @ThingsExpo, Natalia Ponomareva, Software Engineer at Google, provided tips on how to be successful in large scale machine learning...
The Jevons Paradox suggests that when technological advances increase efficiency of a resource, it results in an overall increase in consumption. Writing on the increased use of coal as a result of technological improvements, 19th-century economist William Stanley Jevons found that these improvements led to the development of new ways to utilize coal. In his session at 19th Cloud Expo, Mark Thiele, Chief Strategy Officer for Apcera, will compare the Jevons Paradox to modern-day enterprise IT, e...
There is little doubt that Big Data solutions will have an increasing role in the Enterprise IT mainstream over time. Big Data at Cloud Expo - to be held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA - has announced its Call for Papers is open. Cloud computing is being adopted in one form or another by 94% of enterprises today. Tens of billions of new devices are being connected to The Internet of Things. And Big Data is driving this bus. An exponential increase is...
The Internet of Things will challenge the status quo of how IT and development organizations operate. Or will it? Certainly the fog layer of IoT requires special insights about data ontology, security and transactional integrity. But the developmental challenges are the same: People, Process and Platform and how we integrate our thinking to solve complicated problems. In his session at 19th Cloud Expo, Craig Sproule, CEO of Metavine, will demonstrate how to move beyond today's coding paradigm ...
SYS-CON Events announced today that Roundee / LinearHub will exhibit at the WebRTC Summit at @ThingsExpo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. LinearHub provides Roundee Service, a smart platform for enterprise video conferencing with enhanced features such as automatic recording and transcription service. Slack users can integrate Roundee to their team via Slack’s App Directory, and '/roundee' command lets your video conference ...
In his general session at 18th Cloud Expo, Lee Atchison, Principal Cloud Architect and Advocate at New Relic, discussed cloud as a ‘better data center’ and how it adds new capacity (faster) and improves application availability (redundancy). The cloud is a ‘Dynamic Tool for Dynamic Apps’ and resource allocation is an integral part of your application architecture, so use only the resources you need and allocate /de-allocate resources on the fly.
Digital transformation is too big and important for our future success to not understand the rules that apply to it. The first three rules for winning in this age of hyper-digital transformation are: Advantages in speed, analytics and operational tempos must be captured by implementing an optimized information logistics system (OILS) Real-time operational tempos (IT, people and business processes) must be achieved Businesses that can "analyze data and act and with speed" will dominate those t...