Until SaaS providers improve on delivering the highest SaaS security standards, that being visibility and control to their clients, users will still have to take total control of potential compliance risk. It has been observed that whenever business applications are moved outside the enterprise perimeter, security is greatly compromised.
Without proper visibility into user activity, nonexistent monitoring and limited access controls, SaaS can prove to be a serious challenge that the CISO has to deal with, especially the compliance responsibility. Therefore, to mitigate these security concerns, the security team (the enterprise in particular) must do a number of things, including:
- Be actively involved in procurement, taking a proactive role and vetting all SaaS relationships
- Be fully aware of the data compliance issues surrounding each prospective SaaS application
- Be willing to turn down those vendors unable to supply adequate visibility, activity monitoring or access control.
SaaS Security Standards Checklist
Because SaaS is an industry at its youthful stage, changing rapidly, no two providers are exactly the same. Therefore, customers must ask the right questions if they want to assess security vulnerabilities or capabilities of their third-party SaaS providers. For instance:
How granular are the various access controls?
Apparently, the most widespread mechanism for data breaches in IT today is via either malicious or unintentional misuse of user credentials, especially the log-in information. Therefore, effective data protection requires visibility into the activity of users, as well as administrative changes
What metrics are there and can be used for reporting?
You should consider if you will be able to create the reports that will not only satisfy the CIO and auditor, but also the board. Does your enterprise data security meet the regulatory requirements? It should.
- Ask yourself if the data is provided in such a way that can be integrated easily into internal monitoring tools to prevent data silos. For you to simply compliance and make it foolproof, you will have to monitor internal enterprise and SaaS applications side-by-side, all from a centralized dashboard.
Lastly, for every SaaS application, you must understand the business critically, especially the data involved. In addition, you must know if the application is handling confidential customer information and not just job postings. And that’s when you can perform an inventory of the relevant compliance issues.
SaaS Security Issues
It is the SaaS provider’s job to keep multiple users from viewing each other’s data. The following are some of the SaaS security standards and measures: data security, data locality, network security, data segregation, data confidentiality, data breach, web application security, and authentication and authorization.
Customer Security Concerns
From an industry’s point of view, there are numerous attributes of computing to look at, particularly from the security perspective. To begin with, customers have very high expectations when it comes to security. They do not approve of data they give providers to be hosted in a shared environment. What this means for providers is that that must stop looking at public cloud solutions and focus on private cloud solutions.
In addition, customers are concerned about compliance and would like to know if the provider is compliant with SAS 70, SOC 2, SOC 3 and SSAE 16 auditing standards. Sometimes, they want you to give the option of inspecting the facility physically, which a number of SaaS vendors do not allow. This can be a deal breaker. In the long run, the more control you give your SaaS vendor the more risks you could be exposing yourself to. However, once you understand your requirements you can just match them to one of the many cloud offerings to become satisfied with the security level, just as if you were running things in-house.
Dimensions of SaaS Security
Security in cloud computing is perhaps one of the most talked about subjects today. While not all may be discussed here, take into account that SaaS security is multidimensional, with complex relationships, and therefore you must consider a larger, global context (physical/application/network security). Normally, SaaS cover software. However, IaaS/PaaS, combined with scalability/ availability/performance/integration are also an integral part to consider.
Rapid deployments and customization/recovery/multitenancy are on another dimension, while policies and procedures are on another. Since it is nearly impossible to obtain the best outcome in each of the above mentioned domain all at once or at any given time, security can be determined or defined by the level of compromise the user is willing to accept.
In fact, the user will normally define his/her own security metrics after considering all the previous aspects and then selects the appropriate security technologies or mechanisms. Therefore, it is recommended to look at all the efforts that try to aggregate, as well as promote, the application of best practices for offering security assurance within cloud computing.
Cloud security issues bring together various aspects and tools.
Some of the issues involved include:
- Hacking devices (routers, computers, IoT devices(Internet of Things) and many others);
- Failed change management;
- Manipulation and/or interception of data in transit;
- Social engineering; and
- Internal personnel illegal access
The above-mentioned are some (not all) of the areas. Unlike internally deployed apps and clouds, public clouds add two additional security points namely: the internet and the internal (but externally managed) cloud itself.
Today’s third-party cloud vendors provide limited information to their customers. Unfortunately, they may be unable to provide precise answers to specific questions regarding user access anomalies. SaaS vendors, for instance, cannot answer this one vital question in a straightforward manner: “Who in the organization has the capacity or capability to modify permissions?” yet such information is key when investigating internal attack.
In addition, the industry lacks standards that would properly guide SaaS vendors and providers toward simplified customer reporting. And even with availability of log data enterprise customers can still face challenges and expensive integration process if there is no agreement on the format.
Conclusion
SaaS providers have a difficult task as they have to improve on delivery of security visibility and control to clients for users to trust that they can properly manage potential compliance risk. Moving business applications outside the enterprise perimeter often compromise security.
Therefore, CISOs have a compliance responsibility to mitigate security concerns. There is a security checklist that customers must have, including questions to ask. SaaS security standards are the most talked about today and SaaS vendors have to address them accordingly in order to win customer trust.
