Security practitioners have learned the hard way that contract negotiations are critical if their SaaS, cloud and security goals are to work. A report from CSO Perspectives and SaaScon 2010.

The term Software as a Service (SaaS) has been around a long time. The term cloud is still relatively new for many. Putting them together has meant a world of hurt for many enterprises, especially when trying to integrate security into the mix.

During a joint panel discussion hosted by CSO Perspectives 2010 and SaaScon 2010 Wednesday, five guys who’ve been there sought to help attendees avoid the same ordeal. Perhaps the most important lesson is that contract negotiations between providers is everything. The problem is that you don’t always know which questions to ask when the paperwork is being written.

Panelists cited key problems in making the SaaS-Cloud-Security formula work: SaaS contracts often lack contingency plans for what would happen if one or more of the companies involved suffer a disruption or data breach. The partners — the enterprise customer and the vendors — rarely find it easy getting on the same page in terms of who is responsible for what in the event of trouble. Meanwhile, they say, there’s a lack of clear standards on how to proceed, especially when it comes to doing things in the cloud.

Add to that the basic misunderstandings companies have on just what the cloud is all about, said Jim Reavis, co-founder of the Cloud Security Alliance.

“It’s important we understand there isn’t just one cloud out there. It’s about layers of services,” Reavis said. “We’ve seen an evolution where SaaS providers ride atop the other layers, delivered in public and private clouds.”

Somewhere in the mix, plenty can go wrong.

“If you’re in a public cloud situation and Company B is breached, a lot of finger pointing between that company and different partners will ensue,” Reavis said. “If this isn’t covered in the terms of agreement up front, you have no hope of recovering data (or damages).”

Security vendors can be part of the problem as well. In a recent CSO article about five mistakes one such vendor made in the cloud, Nils Puhlmann, co-founder of the Cloud Security Alliance and previously CISO for such entities as Electronic Arts and Robert Half International, noted that the vendor — who was not named — did “everything you can possibly do wrong” when rolling out the latest version of its SaaS product, leading to users uninstalling their solution in large numbers.

Customers using a particular version of the SaaS product were caught unaware when the vendor decided to roll out a new version through the cloud. It was done in a way where, at the moment of the upgrade, any new endpoint that was added to be managed automatically got the new version. Customers were not asked or notified, and were forced into a mixed-version environment as a result. “In the past, I as a customer was able to choose if I wanted to do this, and I could choose the timing,” he said at the time. “Here, there was no control, no timing or notification.”

Keith Waldorf, VP of operations at Doctor Dispense, a point-of-care medication and e-prescription dispensing provider, said one of his company’s most painful experiences in this area was on the contract side. “The lack of common standards really surprised us,” he said.

Around 2005-06, Doctor Dispense started running its own virtual environment. The company knew it couldn’t manage it alone, but had to burn through five service providers before finding the right one. One challenge, he said, is that every vendor seems to do things differently with no common framework. “We thought the fine print in the contracts had no real relevance, but that thinking ultimately came back to bite us,” he said. The company ran into trouble migrating to a new platform. When switching from one service provider to the next, the company would find the old provider still trying to attempt network log-ins.

Another challenge, Reavis said, is that cloud providers aren’t always good at providing log information that’s critical during a data breach investigation. “A contract with very clear provisions on the level of logging required of the provider is very important,” he said.

Ed Bellis, CISO of Orbitz, said his company is just starting to use a virtual development grid and build its own cloud. If it uses SaaS externally within the cloud, it needs to federate all the identity information between partners. “It’s a challenge, working with partners to get on same page,” he said. “Early on there were many things we didn’t expect. Federation of identities in our internal systems became a challenge because of differences between our internal procedures and those of the SaaS provider.”

One thing that has helped is that his organization developed internal baseline questions to ask of itself in terms of whether a service really fits the need and if it makes sense to have A and B in cloud. That self-questioning can help a company avoid the pain that comes with rushing in, he said.

“In your SLAs, you need to have clear language for how data will be handled and encrypted and, in the event of a security breach, the contract must have clear language on who is responsible for specific aspects of the investigation,” Bellis said. “Build these considerations into the contract side.”

Jeff Spivey, president of Security Risk Management, noted that with SaaS there can be many hidden third-party relationships, and a good contract must account for that.

“Build data portability into your contracts,” he said. “Remember that one business relationship is actually 10 and you may even need multiple contracts with multiple assurances.”

CSO Online

he software-as-a-service (SaaS) security market is booming, according to a report by Infonetics Research, announced on Monday.

SaaS security services accounted for 10 percent of the estimated $9.4 billion managed services market in 2010, according to Infonetics. That share is expected to grow to 22 percent by 2014. The report predicts that the SaaS security market will continue to grow as both enterprise and small-to-medium businesses deploy managed security services to fight off growing Web-based security threats.

Infonetics analyst Jeff Wilson predicts “strong growth” in SaaS security over the next five years. However, meeting enterprise needs for SaaS security is still a bit behind the curve, he noted in an e-mail.

“It’s a work in progress, and it depends on the security technology in question,” Wilson wrote. “The security technology itself is there, but many of the ancillary capabilities [that enterprises need] are still under development.” Those capabilities include management, logging and reporting, he explained.

Wilson noted that security on the Internet has always been a big question for businesses of all sizes. The answers businesses will get “will vary based on the [service] provider you talk to,” he said.

“The equation generally boils down to the provider showing that moving to SaaS improves a company’s level of security over what they’re doing right now, and then the buyer building trust over time with the provider,” Wilson added.

For its study, Infonetics tracked major telcos (including AT&T, T-Systems, China Telecom and more), large hosting providers offering security services (such as Google), specialized service providers and security SaaS vendors such as Cisco/ScanSafe, Symantec and McAfee. The report, “Managed Security Services and SaaS,” provides market forecasts through 2014.

The study’s results showed that worldwide revenues for SaaS security services were up by 70 percent in 2009. Those revenues were boosted by demand for content security services that address, Web, e-mail and antivirus security.

From a SaaS revenue standpoint, customer premises equipment (CPE)-based security still dominates the security space, with a more than 60 percent market share. Next in line, in terms of SaaS revenue, are cloud-based security offerings with more than 20 percent of the market, followed by current SaaS security services, according to the report.

Wilson noted that cloud-based services, such as firewall services in hosting environments, are typically provided by a traditional service provider with network or datacenter facilities. These providers typically do not develop their own security technology, but instead add solutions from third-party security software vendors.

“SaaS offerings are developed and sold by one entity. The technology is branded with the name of the SaaS provider and, in most cases, they don’t own their own network facilities,” Wilson said. He noted that SaaS providers are a mix of focused service providers, such as zScaler, and technology/product suppliers such as Cisco, McAfee, Symantec and others.

Full Source

Cloud computing offers significant benefits, but will account for only a fifth of overall enterprise IT by 2012 and will leave many businesses disappointed, a Gartner analyst has claimed.

Speaking at Gartner Symposium ITxpo in Cannes, Gartner vice president David Cearley said that by 2012, 20% of businesses would be using cloud computing for part of their IT infrastructure — a figure which contrasts sharply with the build-up surrounding the concept of on-demand, elastic computing services.

“Cloud computing is one of the most hyped terms in the industry right now,” Cearley said. “In many ways it’s overhyped. In the next 12-18 months, it’s going to crash into the trough of disillusionment. But we do think cloud computing is going to be a very important long-term phenomena.”

“You hear a lot about cloud computing today, and we do think we’re going to see rapid growth over the next few years. By 2012, about 20% of user organisations will rely on the cloud model for significant parts of their IT environment. Even a few years from now, it’s not necessarily going to be the dominant form of comp in your environment. It’s going to be a broad, long-term phenomenon. ”

Read Full Story

Network equipment giant Cisco Systems is feeling good enough about the economy to rev up its acquisition engine, pledging to spend more than $6 billion in a single month on smaller companies.

Cisco on Tuesday announced its third acquisition this month and its sixth acquisition so far this year. The company said it plans to buy Web-based security software company ScanSafe for about $183 million in cash.

Two weeks ago the company announced plans to buy wireless equipment maker Starent Networks for $2.9 billion. And at the beginning of the month, it said it would buy Norwegian video conference equipment maker Tandberg for $3 billion

After a brief acquisition hiatus the past year during the economic downturn, Cisco is back in the merger and acquisition saddle. In all of 2008, Cisco bought five companies, all well below the $1 billion price tag. In 2007, it bought a total of 11 companies, including the $2.9 billion purchase of WebEx.

Read Full Story