To help remedy this situation, CSA has published a white paper that provides consensus definitions of what SecaaS means, categories of different types of SecaaS, and guidance for organizations on reasonable implementation practices.
The CSA Security as a Service Working Group noted that there has been limited research into the provision of security services in an elastic cloud model that scales as the client requirements change.
The white paper explained that SecaaS refers to the provision of security applications and services through the cloud either to cloud-based infrastructure and software or from the cloud to the customers’ on-premise systems.
“The paper focuses on providing cloud-based security services. Most research up until now has focused on security in the cloud. This is looking at the other side”, explained Kevin Fielder, co-chair of the working group.
The white paper breaks down SecaaS into the following 10 categories: identity and access management, data loss prevention, web security, email security, security assessments, intrusion management, security information and event management, encryption, business continuity and disaster recovery, and network security.
For each category, the white paper provides a description of the category, services, core functions, optional features, threats addressed, and implementation challenges.
For example, the white paper defines cloud-based email security services as providing “control over inbound and outbound email, thereby protecting the organization from phishing, malicious attachments, enforcing corporate polices such as acceptable use and spam, and providing business continuity options. In addition, the solution should allow for policy-based encryption of emails, as well as integrating with various email server solutions.”
Cloud-based email security services are content security, anti-virus/anti-malware, spam filtering, email encryption, data loss prevention for outbound email, web mail, and anti-phishing. Core functionalities include filtering to block spam and phishing, protection against viruses and spyware, flexible policies to define granular mail flow and encryption, real-time reporting, content scanning to enforce policies, option to encrypt some/all emails based on policy, and integration with various email server solutions. Optional features include security archiving and digital signatures.
Threats addressed by the service are phishing, intrusion, malware, spam, and address spoofing. Implementation challenges include portability, storage, use of unauthorized webmail for business purposes, management of logs and access to logs, and ensuring no access to emails by cloud provider staff.
The white paper will help cloud customers and providers in two ways, Fielder told Infosecurity. First, it provides an overview of what the services are in this new area, and second, it provides clear definitions of the emerging services. “It clarifies services being offered and enables people to talk in a single language”, he said.
The working group is planning a follow-up white paper examining implementation guidance and reference models for the various categories, along with how they can be used to mitigate key threats, Fielder said. He could not provide a timetable for when the follow-up work would be available.