In my last blog, “Enterprise-Grade Security for Your Cloud Part 1: Defense in Depth,” I discussed how CallidusCloud uses a “defense-in-depth approach” to secure your data in the cloud. Today, I’d like to continue that discussion specifically around the Software-as-a-Service (SaaS) model and how CallidusCloud addresses some security issues that typically arise for companies exploring the use of SaaS applications.
In cloud computing solutions, information security and data protection issues are intensely debated and examined, far more critically than for on-premises solutions. This is because organizations are afraid they will lose control of their data once it moves to the cloud. Cloud vendors must, therefore, take reasonable precautions to protect their customers’ data, such as personal information (personally identifiable information, protected health information), from loss, misuse, unauthorized access, disclosure, alteration, and destruction. These vendors should also take reasonable steps to ensure that the data is reliable – meaning that it is accurate, complete, and current – for its intended use. The vendors should also ensure that the data is available whenever the customer needs it. The CallidusCloud technology addresses all these issues, as you will see below.
CallidusCloud: Controlled and Secure
CallidusCloud provides the security measures and transparency that build customer trust while controlling data privacy through services in the CallidusCloud solutions. Where your data is stored and backed-up is transparent. How it is secured at all times, and who can access or process data at all layers at any given time and for what purposes, is also transparent.
One of the reasons SaaS is so affordable is that this model is built on multi-tenancy, which is what primarily differentiates it from in-house applications or the application service provider (ASP) model. For instance, with SaaS, just one software instance can serve many customers (or tenants). But this multi-tenancy raises questions about security, in particular around identity management, data storage location, systems operations, data transmission and flow controls. The multi-tenant delivery model and application architecture found in CallidusCloud solutions ensure data privacy for customers, around the service as well as within the service.
On top of that, strong data encryption at all relevant layers, as well as advanced infrastructure protection, ensures that unauthorized users are kept away from the protected data.
To comprehensively protect data, it is important to protect it not only from unauthorized access from outside the cloud, but also from inside the service. In this manner, only provisioned, authorized users can access data, based on the principle of “least privilege” and on business needs as determined by the company’s security policy. CallidusCloud’s policy ensures that upon termination of an employee or a contractor, the user’s access privileges are terminated immediately and HR is engaged to brief the terminated employee on the continuing responsibilities for confidentiality and privacy. CallidusCloud also performs user access reviews once a quarter to actively monitor and verify the appropriateness of a user’s access to systems and applications, based on an understanding of the minimum access necessary for users to perform or support business activities or functions.
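The two controls described above (immediate revocation on termination, and a periodic review of access against the minimum a role needs) can be made mechanical rather than manual. The following is an added example, not CallidusCloud code: it joins a constructed HR roster with a constructed dump of account entitlements and reports terminated-but-enabled accounts, accounts HR has no record of, and entitlements beyond a role's least-privilege baseline. The roster fields, role names, entitlement names and baseline table are all assumptions made for the example.

```python
"""Access review check: terminated users, orphan accounts, excess entitlements.

Added example (not CallidusCloud's code). All inputs are constructed below.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed least-privilege baseline: the minimum entitlements each role needs.
# Holding fewer than the baseline is fine; holding more is a finding.
ROLE_BASELINE = {
    "sales-rep": {"crm:read", "commission:read-own"},
    "comp-analyst": {"crm:read", "commission:read-all", "commission:edit"},
    "sre": {"prod:ssh", "prod:db-read"},
}


@dataclass
class Person:
    user_id: str
    role: str
    status: str  # "active" or "terminated" (assumed HR status values)


@dataclass
class AccountAccess:
    user_id: str
    enabled: bool
    entitlements: set[str] = field(default_factory=set)


@dataclass
class Finding:
    user_id: str
    kind: str  # "terminated-but-enabled" | "unknown-account" | "excess-entitlement"
    detail: str


def review_access(roster: list[Person], accounts: list[AccountAccess]) -> list[Finding]:
    """Compare what accounts hold against what HR says they should hold."""
    people = {p.user_id: p for p in roster}
    findings: list[Finding] = []
    for acct in accounts:
        person = people.get(acct.user_id)
        if person is None:
            # An account with no HR record cannot be tied to a business need.
            findings.append(Finding(acct.user_id, "unknown-account",
                                    "no HR record for this account"))
            continue
        if person.status == "terminated" and acct.enabled:
            findings.append(Finding(acct.user_id, "terminated-but-enabled",
                                    "HR status is terminated but the account is still enabled"))
        baseline = ROLE_BASELINE.get(person.role, set())
        for ent in sorted(acct.entitlements - baseline):
            findings.append(Finding(acct.user_id, "excess-entitlement",
                                    f"{ent} is not in the {person.role} baseline"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, for the quarterly review report."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample data for the review.
SAMPLE_ROSTER = [
    Person("alice", "sales-rep", "active"),
    Person("bob", "comp-analyst", "terminated"),
    Person("carol", "sre", "active"),
]
SAMPLE_ACCOUNTS = [
    AccountAccess("alice", True, {"crm:read", "commission:read-own", "commission:edit"}),
    AccountAccess("bob", True, {"crm:read"}),
    AccountAccess("carol", True, {"prod:ssh"}),
    AccountAccess("svc-legacy", True, {"prod:db-read"}),
]


def run_sample_review() -> list[Finding]:
    return review_access(SAMPLE_ROSTER, SAMPLE_ACCOUNTS)


if __name__ == "__main__":
    for f in run_sample_review():
        print(f"{f.user_id:12} {f.kind:24} {f.detail}")
    print(summarize(run_sample_review()))
```

The useful property of running this on a schedule (or on every HR status change) is that the "terminate immediately" policy becomes verifiable: a terminated-but-enabled finding is direct evidence that the revocation step was missed or delayed.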
Full confidentiality, integrity and non-repudiation
Below you’ll find some of the other security requirements of the SaaS model and information on how the technology in CallidusCloud responds to these questions and secures the cloud for CallidusCloud customers.
• Data storage and location. In an ASP model, each customer has unique hardware that keeps data segregated at all times. In a SaaS model, heterogeneous data may reside within a single instance of a database. To address information privacy concerns, CallidusCloud provides a logical isolation within our SaaS applications that extends down to the virtual server layer.
In addition, cloud solutions from CallidusCloud segregate heterogeneous data by using measures such as dedicated database servers, encrypted data storage, and data movement controls.
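The "logical isolation" described above means that, even where several tenants' rows share one database, no code path can read or write a row without the caller's tenant identity bound into the query. Below is an added example of that pattern (not CallidusCloud's code): a small repository class over an in-memory SQLite table whose every statement carries a `tenant_id` predicate, so a record id that belongs to another tenant returns nothing and updates it zero rows. The table, column names and tenant names are assumptions for the example.

```python
"""Tenant-scoped data access over a shared multi-tenant table.

Added example (not CallidusCloud's code). Schema and data are constructed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE commissions (
    id        INTEGER PRIMARY KEY,
    tenant_id TEXT    NOT NULL,
    rep       TEXT    NOT NULL,
    amount    INTEGER NOT NULL
);
CREATE INDEX commissions_tenant ON commissions (tenant_id);
"""

COLUMNS = ("id", "rep", "amount")


class TenantScopedStore:
    """Every statement is bound to one tenant; no method omits the filter."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        if not tenant_id:
            raise ValueError("tenant_id is required")
        self._conn = conn
        self._tenant = tenant_id

    def add(self, rep: str, amount: int) -> int:
        cur = self._conn.execute(
            "INSERT INTO commissions (tenant_id, rep, amount) VALUES (?, ?, ?)",
            (self._tenant, rep, amount),
        )
        return cur.lastrowid

    def get(self, record_id: int):
        # A record id alone is never enough: the tenant predicate is always
        # applied, so an id guessed or leaked from another tenant yields None.
        row = self._conn.execute(
            "SELECT id, rep, amount FROM commissions WHERE id = ? AND tenant_id = ?",
            (record_id, self._tenant),
        ).fetchone()
        return dict(zip(COLUMNS, row)) if row else None

    def list_all(self) -> list:
        rows = self._conn.execute(
            "SELECT id, rep, amount FROM commissions WHERE tenant_id = ? ORDER BY id",
            (self._tenant,),
        ).fetchall()
        return [dict(zip(COLUMNS, r)) for r in rows]

    def update_amount(self, record_id: int, amount: int) -> int:
        cur = self._conn.execute(
            "UPDATE commissions SET amount = ? WHERE id = ? AND tenant_id = ?",
            (amount, record_id, self._tenant),
        )
        return cur.rowcount  # 0 means the row is not this tenant's


def demo() -> dict:
    """Two tenants share one table; each sees and edits only its own rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    acme = TenantScopedStore(conn, "acme")
    globex = TenantScopedStore(conn, "globex")
    acme_id = acme.add("alice", 1200)
    globex_id = globex.add("bob", 900)
    return {
        "acme_sees_own": acme.get(acme_id),
        "acme_sees_globex": acme.get(globex_id),               # None: filtered out
        "globex_edits_acme": globex.update_amount(acme_id, 1),  # 0 rows touched
        "acme_list": acme.list_all(),
        "globex_list": globex.list_all(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design choice worth noting is that the tenant is fixed when the store is constructed, from the authenticated session, rather than passed per call; that removes the class of bug where one query forgets the parameter. Dedicated database servers per tenant, which the post also mentions, are a stronger physical form of the same separation.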
• Identity management. Modern SaaS architecture usually involves a Web-based application and communication that occurs over the Internet. To protect identities, the communication between customers and cloud solutions from CallidusCloud leverages Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption. Our solutions also support dedicated encrypted communication channels (WAN and VPN) for better access and integration.
Upon embracing cloud solutions from CallidusCloud, companies have a choice: they can let us manage security from top to bottom, or they can integrate CallidusCloud solutions with their own industry-standard identity management solutions. Our solutions also include high-level security measures for internal authentication, federated authentication (single sign-on), separate authorization and authentication modules, and password protection.
• Data transmission and data flow control. SaaS uses the public Internet to transmit data, requiring that transmission security, such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS), be designed into the system. The use of SSL and TLS at CallidusCloud creates secure tunnels for information transmissions.
• System operations. SaaS providers must ensure that the general capabilities of a secure and stable IT operation comply with industry standards and technology best practices. This is achieved by certifications such as ISO 27001 and SSAE 16 SOC 1 and SOC 2.
Cloud solutions from CallidusCloud help organizations meet these requirements by providing industry-standard certifications (SOC 1, SOC 2) and ITIL-based operational processes that include specific security management and governance functionality. This functionality includes processes such as identity management, system lifecycle management, change and configuration management, security patch management, security incident management, vulnerability management, activity logging, asset management, virus and malware protection, and network isolation.
Within the CallidusCloud Lead to Money portfolio, the controlled cloud methodology guarantees that there is transparency in process, trust in management, and substantiation through audit. We provide the measures and transparency necessary for customers to trust us and keep control of their data.