Welcome to DMS Consulting LLC

Ensuring your SaaS Vendor is Secure

by Mark Davidson on March 24, 2009

Cloud Computing


Cloud computing and Software as a Service (SaaS) are quickly replacing traditional software vendors in today's marketplace.  Industry analysts such as Gartner are saying that over 25% of new software purchases will be delivered as SaaS rather than under the traditional licensed model.  The advantages in communications, support, cost and speed of deployment ensure that this trend will continue.

How does this affect the information security professional?  Substantially, but not necessarily in a bad way.  It means that we had better be involved EARLY in the process of choosing the SaaS vendor and not as an afterthought.  To accomplish this, let's take a look at the top 8 items to ensure that your SaaS vendor has appropriate security:

  • Security is a process, not a technology or a checklist.

John Sawyer had it right in his article in DarkReading: security IS a process and not a checklist.  Make sure that the SaaS vendor's policies clearly articulate this.  It is not simply a check box stating that they are PCI DSS compliant or Verisign compliant; a compliance certificate is a snapshot taken on one day, whereas security is a process and a procedure for all to follow every day.

  • Does the Service Level Agreement (SLA) include Security?

SaaS SLAs offer you, the client, financial recourse if there are availability issues with the service.  Do they also cover security breaches?  If your SaaS vendor loses a tape containing your client data, do you have recourse against them?  Make sure that security (breach notification timelines and remedies, not just uptime) is included in the SLA that you sign with them.

  • Disaster Recovery TESTING

Many companies, especially SaaS companies, have a clearly designed and documented Disaster Recovery policy and procedure.  If they do not, then I wouldn't even CONSIDER doing business with that company.  However, the real issue in any disaster is not whether they backed the data up, but how fast they can put YOUR data and software back online.  You are now tied to their success.  Make sure that they provide clear evidence that they TEST their procedure, know that it works and, more importantly, know how fast they can recover: ask for the results of their last restore test and for the recovery time and recovery point objectives they are willing to commit to in writing.

  • Encryption and Compartmentalization of Customer Data

Ensure that your SaaS vendor has clear policies, and the technology to back them, so that data that should be encrypted actually is, and is encrypted effectively: with a standard, authenticated cipher and with keys managed separately from the data they protect.  Simply hashing a record or a row in a data table is not encryption and is not sufficient: the application cannot reverse a hash to read the data back, and where a field has few possible values (dates, account numbers, postal codes) anyone who obtains the table can recover it by hashing every candidate.  Compartmentalization matters as much as encryption: ask how your data is segregated from other tenants' data sharing the same application and database, and whether any keys are unique to your tenancy.
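As an added illustration (not code from the original post or from any vendor it mentions), the following Go program shows why a hashed column is not an encrypted column.  It stores a constructed sample date of birth two ways: as a bare SHA-256 hash, which it then recovers by enumerating every date in a plausible range, and as AES-256-GCM ciphertext, which can only be read back with the key and is rejected if the stored bytes are modified.  The sample value and the key generated at runtime are assumptions for the demonstration; in a real deployment the key would come from a key management service, not from the same process that holds the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
)

// Constructed sample field value; not real customer data.
// Dates of birth have only a few tens of thousands of plausible values,
// so any hash of one is reversible by enumeration.
const sampleDOB = "1975-03-24"

// hashField is the inadequate scheme: a bare SHA-256 of the field value.
func hashField(v string) string {
	sum := sha256.Sum256([]byte(v))
	return hex.EncodeToString(sum[:])
}

// reverseDOBHash recovers a hashed date of birth by hashing every date
// in [fromYear, toYear] and comparing. Returns the value and true on a
// match, or "" and false if no date in range produces the target hash.
func reverseDOBHash(target string, fromYear, toYear int) (string, bool) {
	for y := fromYear; y <= toYear; y++ {
		for m := 1; m <= 12; m++ {
			for d := 1; d <= 31; d++ {
				cand := fmt.Sprintf("%04d-%02d-%02d", y, m, d)
				if hashField(cand) == target {
					return cand, true
				}
			}
		}
	}
	return "", false
}

// encryptField is the adequate scheme: AES-256-GCM with a fresh random
// nonce per value. Stored layout is nonce || ciphertext || tag, so the
// value is unreadable without the key and any tampering is detected.
func encryptField(key []byte, v string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(v), nil), nil
}

// decryptField reverses encryptField; it fails on a wrong key or on any
// modification of the stored bytes, because the GCM tag no longer matches.
func decryptField(key, stored []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(stored) < ns {
		return "", fmt.Errorf("stored value too short to contain a nonce")
	}
	pt, err := gcm.Open(nil, stored[:ns], stored[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// 1. The "hashed" column is recovered without any key.
	h := hashField(sampleDOB)
	got, ok := reverseDOBHash(h, 1930, 2009)
	fmt.Printf("hashed DOB recovered by enumeration: %v (%s)\n", ok, got)

	// 2. The encrypted column round-trips only with the key (demo key only).
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	ct, _ := encryptField(key, sampleDOB)
	pt, err := decryptField(key, ct)
	fmt.Printf("decrypted with key: %q (err=%v)\n", pt, err)

	// 3. Flipping one stored bit is detected rather than silently accepted.
	tampered := append([]byte{}, ct...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = decryptField(key, tampered)
	fmt.Printf("tampered ciphertext rejected: %v\n", err != nil)
}
```

When reviewing a vendor, the question to ask is therefore not "is the column hashed?" but which cipher and mode protect it, where the key lives, and who can call the decrypt path.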

  • Auditing vs Technical Controls

According to Eric Maiwald of the Burton Group, technical controls, such as content or rights management, typically don't work as well in an outsourced environment.  When you entrust your data to SaaS, "audit replaces your day-to-day management controls and technical controls," he asserts.  Ensure that your vendor has appropriate auditing at every layer, from application activity logs through to network vulnerability assessment, and that you can obtain the results rather than just a statement that an audit took place.  Audit is your key to ensuring security with your vendor.

  • Secure Software Development Life Cycle (SDLC)

Does your SaaS vendor follow a standard practice for developing secure code?  Your data is only as safe as the code itself.  If your SaaS vendor does not subscribe to secure coding practices and standards, it is only a matter of time before data is compromised.  Take a look at the following two standards from Microsoft and the Department of Defense as examples of a secure software development life cycle:

o       Department of Defense Information Analysis Center's Secure Software Development Life Cycle

o       Microsoft Trustworthy Computing Security Development Lifecycle

  • Can I get it Back?

So you have taken the plunge and started using SaaS to handle aspects of your business.  What happens if they go away?  What happens if you chose the wrong vendor and they constantly miss their SLAs?  Does your contract stipulate the ability to extract your data from the SaaS vendor, in a documented format and within a defined time, so that you can use it elsewhere?  Work with your legal department to ensure that your contracts include appropriate language to retrieve your data given these and other scenarios.

  • Transparency

Does your SaaS vendor provide transparency in security, availability and performance?  The SaaS vendors that succeed already do.  Look at SalesForce.com and their rollout of the Trust Platform.  Salesforce.com realizes that transparency in security, performance and availability is an essential component of a SaaS vendor.  Pressure your vendors to ensure that you have access to this data, since their business is servicing YOUR data, after all.

As you can see, it is important for the Information Security team to be involved early in the process when reviewing potential SaaS partners.  A good relationship with your legal team is also helpful.  The proper balance of security and the financial savings of a SaaS vendor can be a great asset to many companies during these turbulent times.  Don't get left behind when reviewing your SaaS vendors; ensure that you are leading from the front.

Do you have an opinion?   Did I miss any of YOUR top SaaS security issues? I’d love to hear it!
