  The Streetwise Security Zone Podcast

009 - Securing Software as a Service (SaaS) with Peter Hanschke - Product Management Consultant

Wednesday, November 11th 2009 @ 11:24 AM

The Streetwise Security Zone Episode 9 - November 12, 2009

This Episode's Topics -

1 - Moving from isolated software products to offering them as a service (Software as a Service - or SaaS)
2 - Basic considerations for securing services, assurance for customers
3 - Separating data between clients who could be competing with each other
4 - User login security considerations
5 - Who administers users, and who administers the system?
6 - The big picture - communicating new kinds of risks to senior management

SHOW NOTES

This special episode is dedicated to the single topic of securing Software as a Service, from a Product Manager's point of view. If you are responsible for developing and marketing software products for business use; OR if you are using or looking for an outsourced solution of any kind for your business, this podcast episode is for you.

Peter Hanschke is an experienced Product Manager who has been responsible for transitioning what was considered On-Site Enterprise software solutions into the modern realm of outsourcing. It often makes sense to do this - in fact Gartner is telling us it's inevitable for almost every kind of Enterprise software solution. You have to have a SaaS play.

But, as Peter points out, this is much easier said than done - especially when it comes to all the security considerations for launching a web-based product offering. It's a whole new world.

Product managers will get a new perspective, and hopefully some ideas for strategies, while customers can learn about what questions to ask if you are looking to procure a SaaS solution for your business.

In this episode of the podcast, Peter describes the challenges that Product Managers face, and I offer advice on how to deal with them from a security professional's viewpoint.

Please listen in as Peter and I spend close to an hour discussing the following issues in more detail...

1 - Moving from isolated software products to offering them as a service (Software as a Service - or SaaS)

There is a whole new set of problems for Product Managers when you decide to run your software as an operational system and offer it as an outsourced solution for your customers.


2 - Basic considerations for securing services, assurance for customers

Securing an operational service requires a great deal of planning for what we call "hardening the environment" - to make sure the bad guys can't break in. They will try, eventually. Customers have to be confident that you can keep their data secure.


3 - Separating data between clients who could be competing with each other

How much you have to spend on maintaining logical and physical separation of clients' data depends on its sensitivity and the cost-benefit trade-offs. Customers should be asking things like, "How do I know my data won't be visible to my competitors?"


4 - User login security considerations

Again, the sensitivity of data and cost-benefits can be used to determine how strong the user login - or authentication - methods must be for a service.


5 - Who administers users, and who administers the system?

User provisioning is often best delegated to the customers, so they can manage their people and accounts directly. But system administration must be separated so you can maintain Service Level Agreement (SLA) terms.


6 - The big picture - communicating new kinds of risks to senior management

In the end, your service is supposed to be profitable - that's what senior management expects. So, you have to set their expectations on the risks, and the costs to address them - preferably before you commit to service launch dates and budgets. It may help to treat security the same way you treat quality. Obviously, management wants to be proud of the quality solution they are offering. Security flaws are really quality flaws, and they will become very visible, very quickly, if they are significant.

You can find Peter's website and contact information at the Ateala Management website:

http://www.ateala.com

If you found this episode to be useful, please let us know by entering a comment after these show notes on The Streetwise Security Zone website; or you can rate the episode or subscribe to The Streetwise Security Zone Podcast from the website as well. This episode and its show notes have been posted at:

http://www.streetwise-security-zone.com/podcasts.html

Until next time, stay streetwise...

- Scott

Would your organization be interested in obtaining the right to use my security awareness eLearning content or articles in your enterprise security program? Or would you like help with strategy, risk assessment, program development or training? Please call or email me at the coordinates below...

Scott Wright

The Streetwise Security Coach

Join the Streetwise Security Zone at:
http://www.streetwise-security-zone.com/join.html

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec
