SaaS, APTs and Asymmetric Risk Take Spotlight at Security Threats 2012

By Bernard Golden, CIO
February 02, 2012 06:05 PM ET

I had the opportunity to speak at a new security conference last week, Security Threats 2012. I presented on the topic of balancing business benefits with risks in the cloud (more on that later), but the event touched on a wide range of pertinent IT topics, provoking stimulating discussions of some of the most pressing challenges business leaders are facing.

I have to give a tip of my hat to the organizers of the conference. Not only did the event have an outstanding agenda with a bevy of top-notch speakers, but the attendees also brought a lot of value based on their varied backgrounds and senior roles in their companies.

Here are a few of the prime topics and perspectives I took away from the event:

The March of SaaS

Several speakers described the aggressive moves their companies are making toward the adoption of SaaS solutions. In many cases, it is the business units that make these decisions, with little notification to IT, let alone the security group. The motivations for moving to SaaS are about what you'd expect: time to value, cost-effectiveness, avoiding the IT organization.

Justin Kwong, senior director of IT operations and security with 24 Hour Fitness, described his company's rapid growth and concomitant reluctance to purchase and implement on-premises solutions. With such quick expansion and rapid change in its business opportunities, 24 Hour Fitness saw SaaS as an opportunity to achieve enterprise functionality at SMB pricing.

Given that Kwong's group isn't going to be implementing on-site CRM, what have they chosen to focus on instead? Kwong outlined their move to federated identity management, leveraging Active Directory as a way of supporting SSO for the user base. Not only does this increase user satisfaction by removing the need to log in repeatedly, it also ensures that one central change can remove login privileges from all of the SaaS applications once an employee leaves the company. So one could say that Kwong's group works on central infrastructure to support the SaaS-forward strategy. But lest you conclude that such a move is the province of the SMB market, Gene Fredrickson, chief information security officer of Tyco, a Fortune 500 perennial, said that his company is also backing a user-led, SaaS-forward strategy.

So how can security become aware of various SaaS initiatives throughout a company? Chet Loveland, global information security and privacy officer at MeadWestvaco, a packaging solutions company, summed up his strategy as "have friends in other places." By cultivating relationships with employees in human resources and procurement, Loveland can learn about SaaS decisions through the company grapevine. As a result, he can involve himself in SaaS initiatives and help ensure that contracts with vendors address items that are critical to the company.

Your Perimeter Is Swiss Cheese

At a conference devoted to evolving security threats, many presenters argued that the traditional strategy of hardening the perimeter of the data center is outmoded. They explained that external threats can almost certainly penetrate your defenses and set up persistent software agents that can rifle through your files at will. These so-called advanced persistent threats (APTs) are commonly sponsored by criminal enterprises and foreign states.
