Gaining SaaS Capabilities Without Jeopardizing Security

Like organizations in many industries, banks and other financial services organizations are finding that cloud-based Software as a Service (SaaS) solutions provide an efficient and cost-effective way to leverage a wide range of enterprise applications, relieving IT of the burdens often associated with deploying and maintaining on-premises software.

One area where SaaS applications can deliver significant benefits in banking is customer communication management (CCM). Because of compliance regulations, financial firms typically face inflexible formatting requirements for these communications. Often, the processes in place to ensure timely compliance under tight deadlines are manual and labor-intensive. Manipulating individual file structures, engaging with outside agencies and managing duplication of content all make the process even more complex. Much is at stake if these hurdles are not cleared, as there is a significant risk that the organization may have to pay penalties or face legal action.

An automated SaaS workflow can replace these time-consuming, expensive and error-prone manual tasks with accurate, preset processes. Dynamic formatting can replace manual layouts, eliminating the need for dedicated internal staff or outside agencies to accomplish this workflow. Centralizing content with a SaaS solution streamlines data management, adds control and provides visibility into the workflow process while also significantly reducing costs. All of this will have a positive impact on time-to-market for the financial organization.

But what about data security?

While the ease with which SaaS applications can cost-effectively accelerate the adoption of new capabilities is very attractive, the benefits must be counterbalanced by a consideration of data protection in banking and similar regulated industries, where applications are likely to involve sensitive data such as a customer’s personal and account data, credit card holder data and other payment data.

While it is possible for internal IT departments to ensure security for SaaS applications, the reality is the task is often not adequately handled for a number of reasons. A survey by the Ponemon Institute found that enterprises storing sensitive or confidential business data in the cloud environment made a number of common mistakes when it comes to ensuring security, including:

  • IT is in the dark about cloud services in their organizations. Instead, procurement and business users are responsible for SaaS decisions.
  • Most companies are not evaluating SaaS applications for security prior to deployment.
  • Cloud deployment strategies often neglect the use of security technologies in the cloud environment.
  • Inspection of data in the cloud rarely happens.

Ninety percent of survey respondents said SaaS will be important to meeting IT strategies over the next two years and 79 percent said security is an important consideration in their cloud migration decision. Despite these views, only 33 percent of survey respondents believe their organization is achieving necessary objectives for cloud security.

In light of these numbers, banks and other financial institutions should take steps to mitigate the potential for making the kinds of common security mistakes identified in the survey. However, attaining a secure cloud posture can be very difficult. As cloud security solution provider Armor notes, it involves procuring, integrating and managing dozens of point security products, as well as making all the necessary changes to processes, staff training and resource utilization. Once achieved, the secure cloud environment must be maintained through constant monitoring, periodic risk reassessments and other techniques. (Armor white paper, “Inside the 6 principal layers of the cloud security stack”.)

The IT resources needed to ensure security for SaaS applications are daunting and, as the survey results showed, unlikely to be provided by a bank’s internal IT team given that it may not even participate in the selection or know about the SaaS applications used within the organization. That means that business users and, by default, their organizations, are relying on the SaaS provider to ensure that adequate security protections are in place, which may or may not be the case.

A better way to ensure security for SaaS applications

Banks can greatly improve this situation by proactively vetting whether cloud infrastructures that store their data workloads, applications and assets are secure. When it comes to SaaS, a financial organization would do well to evaluate whether the SaaS provider is partnering with a secure cloud hosting provider that has the talent, expertise and tools to ensure proactive protection of the organization’s sensitive data. The secure cloud hosting provider should have the ability to maintain security for all applications and data that the organization accesses through the cloud. This approach has the potential to be more cost effective, efficient and comprehensive for the organization than attempting to handle cloud security using internal IT resources.

In order to achieve a secure cloud environment, banks and other financial organizations should confirm that the following three objectives are met:

  • The organization has gained complete visibility within the cloud environment.
  • Dwell time—the amount of time that a threat actor remains undiscovered and unmitigated within the environment—should be reduced from weeks or months to days or even hours.
  • Lesser threat actors should be automatically blocked so that the security controls—including technology and trained personnel—can focus on finding and stopping the most sophisticated threats. (Armor white paper)

Combining a cloud-based SaaS solution for key workflows, such as generating highly regulated customer documents, with secure cloud hosting of all deployments of SaaS platforms has the potential to provide the best possible security while enhancing a bank’s agility to meet the demands of the marketplace.

This approach can truly be a win-win situation when it comes to ensuring security of data and accessing cloud-based solutions that enhance business results.


Waqar Ahmad is Chief Information Security Officer for Elixir Technologies; he is a senior advisor to the solutions architect group and managed Elixir’s development team as a vice president of engineering for 10 years. Contact Ahmad at, and for information on Elixir Technologies, visit

Written by Waqar Ahmad