Security as a service

Last updated

Security as a service (SECaaS) is a business model in which a service provider integrates their security services into a corporate infrastructure on a subscription basis more cost-effectively than most individuals or corporations can provide on their own when the total cost of ownership is considered. [1] SECaaS is inspired by the "software as a service" model as applied to information security type services and does not require on-premises hardware, avoiding substantial capital outlays. [2] [3] These security services often include authentication, anti-virus, anti-malware/spyware, intrusion detection, Penetration testing, [4] and security event management, among others. [5]

Contents

Outsourced security licensing and delivery are boasting a multibillion-dollar market. [6] SECaaS provides users with Internet security services providing protection from online threats and attacks such as DDoS that are constantly searching for access points to compromise websites. [7] As the demand and use of cloud computing skyrockets, users are more vulnerable to attacks due to accessing the Internet from new access points. SECaaS serves as a buffer against the most persistent online threats. [8]

Categories of SECaaS

The Cloud Security Alliance (CSA) is an organization that is dedicated to defining and raising awareness of secure cloud computing. In doing so, the CSA has defined the following categories of SECaaS tools and created a series of technical and implementation guidance documents to help businesses implement and understand SECaaS. [9] These categories include:

SECaaS models

SECaaS are typically offered in several forms:

Benefits

Security as a service offers a number of benefits, [10] including:

Challenges

SECaaS has a number of deficiencies that make it insecure for many applications. Each individual security service request adds at least one across-the-'Net round-trip (not counting installer packages), four opportunities for the hacker to intercept the conversation:

  1. At the send connection point going up
  2. At the receive connection point going up
  3. At the sending point for the return; and
  4. At the receiving point for the return.

SECaaS makes all security handling uniform so that once there is a security breach for one request, security is broken for all requests, the very broadest attack surface there can be. It also multiplies the rewards incentive to a hacker because the value of what can be gained for the effort is dramatically increased. Both these factors are especially tailored to the resources of the nation/state-sponsored hacker.

The biggest challenge for the SECaaS market is maintaining a reputation of reliability and superiority to standard non-cloud services. SECaaS as a whole has seemingly become a mainstay in the cloud market. [12]

Cloud-based website security doesn't cater to all businesses, and specific requirements must be properly assessed by individual needs. [13] Business who cater to the end consumers cannot afford to keep their data loose and vulnerable to hacker attacks. The heaviest part in SECaaS is educating the businesses. Since data is the biggest asset for the businesses, [14] it is up to CIOs and CTOs to take care of the overall security in the company.

See also

Related Research Articles

<span class="mw-page-title-main">Computer security</span> Protection of computer systems from information disclosure, theft or damage

Computer security, cybersecurity, digital security or information technology security is the protection of computer systems and networks from attacks by malicious actors that may result in unauthorized information disclosure, theft of, or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide.

<span class="mw-page-title-main">Denial-of-service attack</span> Type of cyber-attack

In computing, a denial-of-service attack is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to a network. Denial of service can be accomplished in a variety of ways, including programming or logical vulnerabilities, improper handling of resources, or by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled. The range of attacks varies widely, spanning from inundating a server with millions of requests to slow its performance, overwhelming a server with a substantial amount of invalid data, to submitting requests with an illegitimate IP address.

Network security consists of the policies, processes and practices adopted to prevent, detect and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, which is controlled by the network administrator. Users choose or are assigned an ID and password or other authenticating information that allows them access to information and programs within their authority. Network security covers a variety of computer networks, both public and private, that are used in everyday jobs: conducting transactions and communications among businesses, government agencies and individuals. Networks can be private, such as within a company, and others which might be open to public access. Network security is involved in organizations, enterprises, and other types of institutions. It does as its title explains: it secures the network, as well as protecting and overseeing operations being done. The most common and simple way of protecting a network resource is by assigning it a unique name and a corresponding password.

Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet is an inherently insecure channel for information exchange, with high risk of intrusion or fraud, such as phishing, online viruses, trojans, ransomware and worms.

Vulnerabilities are flaws in a computer system that weaken the overall security of the device/system. Vulnerabilities can be weaknesses in either the hardware itself, or the software that runs on the hardware. Vulnerabilities can be exploited by a threat actor, such as an attacker, to cross privilege boundaries within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerabilities are also known as the attack surface. Constructs in programming languages that are difficult to use properly can also manifest large numbers of vulnerabilities.

Software as a service is a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted. SaaS is also known as on-demand software, web-based software, or web-hosted software.

Information assurance (IA) is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information. Information assurance includes protection of the integrity, availability, authenticity, non-repudiation and confidentiality of user data. IA encompasses both digital protections and physical techniques. These methods apply to data in transit, both physical and electronic forms, as well as data at rest. IA is best thought of as a superset of information security, and as the business outcome of information risk management.

Cloud storage is a model of computer data storage in which data, said to be on "the cloud", is stored remotely in logical pools and is accessible to users over a network, typically the Internet. The physical storage spans multiple servers, and the physical environment is typically owned and managed by a cloud computing provider. These cloud storage providers are responsible for keeping the data available and accessible, and the physical environment secured, protected, and running. People and organizations buy or lease storage capacity from the providers to store user, organization, or application data.

<span class="mw-page-title-main">Cloud computing</span> Form of shared Internet-based computing

Cloud computing is the on-demand availability of computer system resources, especially data storage and computing power, without direct active management by the user. Large clouds often have functions distributed over multiple locations, each of which is a data center. Cloud computing relies on sharing of resources to achieve coherence and typically uses a pay-as-you-go model, which can help in reducing capital expenses but may also lead to unexpected operating expenses for users.

<span class="mw-page-title-main">Microsoft Azure</span> Cloud computing platform by Microsoft

Microsoft Azure, often referred to as Azure, is a cloud computing platform run by Microsoft. It offers access, management, and the development of applications and services through global data centers. It also provides a range of capabilities, including software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS). Microsoft Azure supports many programming languages, tools, and frameworks, including Microsoft-specific and third-party software and systems.

<span class="mw-page-title-main">Vivek Kundra</span> American government official

Vivek Kundra is a former American administrator who served as the first chief information officer of the United States from March, 2009 to August, 2011 under President Barack Obama. He is currently the chief operating officer at Sprinklr, a provider of enterprise customer experience management software based in NYC. He was previously a visiting Fellow at Harvard University.

Linode, LLC was an American cloud hosting provider that focused on providing Linux-based virtual machines, cloud infrastructure, and managed services.

Cloud computing security or, more simply, cloud security, refers to a broad set of policies, technologies, applications, and controls utilized to protect virtualized IP, data, applications, services, and the associated infrastructure of cloud computing. It is a sub-domain of computer security, network security, and, more broadly, information security.

In computing, a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted network and an untrusted network, such as the Internet.

<span class="mw-page-title-main">Cloudflare</span> American technology company

Cloudflare, Inc. is an American company that provides content delivery network services, cloud cybersecurity, DDoS mitigation, and ICANN-accredited domain registration services. Cloudflare's headquarters are in San Francisco, California. According to The Hill, Cloudflare is used by more than 20 percent of the Internet for its web security services, as of 2022.

<span class="mw-page-title-main">Cloud Security Alliance</span>

Cloud Security Alliance (CSA) is a not-for-profit organization with the mission to “promote the use of best practices for providing security assurance within cloud computing, and to provide education on the uses of cloud computing to help secure all other forms of computing.”

Cloud computing is used by most people every day but there are issues that limit its widespread adoption. It is one of the fast developing area that can instantly supply extensible services by using internet with the help of hardware and software virtualization. Cloud computing biggest advantage is flexible lease and release of resources as per the requirement of the user. Its other advantages include efficiency, compensating the costs in operations and management. It curtails down the high prices of hardware and software

"X as a service" is a phrasal template for any business model in which a product use is offered as a subscription-based service rather than as an artifact owned and maintained by the customer. Originating from the software as a service concept that appeared in the 2010s with the advent of cloud computing, the template has expanded to numerous offerings in the field of information technology and beyond it. The term XaaS can mean "anything as a service".

Data-centric security is an approach to security that emphasizes the dependability of the data itself rather than the security of networks, servers, or applications. Data-centric security is evolving rapidly as enterprises increasingly rely on digital information to run their business and big data projects become mainstream. It involves the separation of data and digital rights management that assign encrypted files to pre-defined access control lists, ensuring access rights to critical and confidential data are aligned with documented business needs and job requirements that are attached to user identities.

Data center security is the set of policies, precautions and practices adopted at a data center to avoid unauthorized access and manipulation of its resources. The data center houses the enterprise applications and data, hence why providing a proper security system is critical. Denial of service (DoS), theft of confidential information, data alteration, and data loss are some of the common security problems afflicting data center environments.

References

  1. Olavsrud, Thor (April 26, 2017). "Security-as-a-service model gains traction". cio.com. Retrieved 2017-06-22.
  2. "Security as a Service". techopedia. Retrieved 10 June 2017.
  3. Furfaro, A.; Garro, A.; Tundis, A. (2014-10-01). "Towards Security as a Service (SecaaS): On the modeling of Security Services for Cloud Computing". 2014 International Carnahan Conference on Security Technology (ICCST). pp. 1–6. doi:10.1109/CCST.2014.6986995. ISBN   978-1-4799-3530-7. S2CID   17789213.
  4. "Penetration Testing as a Service". PENTESTON. Retrieved 20 June 2017.
  5. "Definition of Security as a Service".
  6. "Security as a service really has become a no-brainer" . Retrieved 2015-09-24.
  7. "cloudbric blog: Who's Behind DDoS Attacks and How Can You Protect Your Website?". blog.cloudbric.com. Retrieved 2015-09-24.
  8. "Security-as-a-service, Cloud-Based on the Rise (Part 1)". Archived from the original on 2014-08-15. Retrieved 2015-09-21.
  9. Cloud Security Alliance. "Defined Categories of Security as a Service" (PDF). Cloud Security Alliance. Retrieved 5 June 2017.
  10. "cloudbric blog: The Newbie's Guide to Security as a Service (SECaaS)". blog.cloudbric.com. Retrieved 2015-09-24.
  11. "The Cloud is Safe and Cost Effective for Critical Data Storage. No, Really. - Peak 10" . Retrieved 2015-09-21.
  12. "Security as a service really has become a no-brainer" . Retrieved 2015-09-24.
  13. "Cloud vs. Data Center: What's the difference?" . Retrieved 2015-09-21.
  14. "Why Security as a Service [SECaaS] Will be the Biggest Asset for Any CIO or CTO Today" . Retrieved 2016-03-22.