In a sense, it is understandable why so much business and consumer coverage of tech security is driven by the latest high-profile breach. After all, good security that works and prevents malware and ransomware attacks does not generate headlines. However, to those of us active in information archiving and cloud security and who understand the blessings and dangers of Software-as-a-Service (SaaS) in the cloud, for example, it sure is maddening.
Meanwhile, the drumbeat of hacks continues. It is abundantly clear that many traditional models, from network security to edge protection, are not working. It is time for a fundamental rethink.
That should not be so difficult. The technology discipline is incredibly dynamic: The industry constantly develops capabilities that create rather than meet business and consumer needs, every product is regularly updated with enhancements and fixes, and entire technologies can go from killer app to legacy virtually overnight. The field has radically redefined our basic expectations of forward motion.
However, with technology security, it is often the opposite. High-level decision-making is not insulated from the zeitgeist, and when so much public attention is reactive—the newest significant breach, the latest threat variant, the most recent ransomware payout—then boardroom and top management initiatives follow the same pattern.
However, what if we could drive the agenda differently? Sure, we all know what happened to Colonial Pipeline, LinkedIn, Acer, the Florida water system, and other organizations in just the past few months. But, what is happening between the breaches to help avert such catastrophes, and what should be happening?
Consider one equally important area and also in the news: SaaS.
SaaS companies have been getting lots of love from investors lately. Right around the time of the Colonial Pipeline hack, one SaaS provider with a security focus became the focal point of a massive acquisition—in fact, the most prominent tech security deal in history. And, where one such deal goes, others will surely follow. (Another side effect: We might have to live with acronyms like SECaaS for Security-as-a-Service.)
Before bringing the heat, let us acknowledge the benefits. Almost every entity can derive huge advantages from the cloud, and that is even apart from the digitization of every function mandated by a global pandemic. The cloud is the perfect environment to store and manage critical data, everything from IP to PII. It is remote and secure. . .mostly.
Here is one aspect that does not get enough attention, at least outside the security community. We have made significant advances in encryption and other disciplines to secure sensitive data when it is at rest or in transit. But all that information does not reside in a vacuum (it would be useless if it did). Business users need to access that data, gain insights, and leverage it to drive multiple initiatives. This is where the problems begin and do not necessarily end.
SaaS emerged as a business model before developing as identity as a technology advance—many kinds of software previously developed became available for easy and affordable download. It enabled flexibility and scalability, eased upgrades and cut costs. Moreover, many solutions began life as on-prem tools, then got ported to the cloud. This meant commoditization without security, and that is a severe drawback.
For a start, consider compliance. There is already an alphabet soup of regulations governing the use of data, and we are going to get many more. On the government front alone, watch for CPRA adding to CCPA in California, while Virginia brings CDPA, the debate continues for a national mandate. Then there are the many industry guidelines. In this arena, many SaaS offerings currently lack industry-specific compliance capabilities.
On a related note, the threat matrix is even more dynamic than the legitimate tech discipline, with new strains of malware and other dangers constantly becoming available on the dark web. Meanwhile, many third-party SaaS providers not only share network infrastructures and resources but even network security certificates.
Finally, there are plenty of legitimate tools also being developed, and this process will only accelerate when we get more adaptable use cases with AI/ML. Can the typical commoditized SaaS offering keep pace? So far, the answer is no.
If all this is a severe problem, one possible solution is to enable the running of standard software within an isolated environment: network security, scalability, storage accounts, access controls and more, all configured to meet specific needs. This is a fundamental platform shift—specifically, adopting Platform-as-a-Service, or PaaS.
PaaS brings true isolation, deploying the necessary solution within each company’s dedicated cloud. That means no shared cloud resources, even with greater flexibility to ensure a customer-specific deployment rather than a one-size-fits-all approach. In the ideal cloud arrangement, this makes for a dedicated cloud tenant and specialized software to address specific software needs. It also allows homomorphic encryption, enabling authorized users to search and manage data in the cloud without needing to decrypt it. Companies retain full ownership and management of their encryption keys.
This is real progress—incremental but fundamental, making gains without accruing losses. It will not generate headlines, though it might affect some SaaS provider valuations and affect cybersecurity insurance rates. In the long term, it will enhance security without hurting flexibility or spiking costs. That is different, and it is better.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.