Given the ease of signing up for cloud application services and the real needs they fill day-to-day, many non-IT department end users have been the ones to adopt SaaS apps into corporate networks. Whether or not you have done so yourself, in today’s “app economy,” it is more important than ever for everyone to assume some level of responsibility for security.
To assess the baseline security of a new SaaS app, start with the app itself, especially the areas of authentication, encryption and policy, as we noted in the previous article. Beyond that, pay attention to two additional topics: basic infrastructure and cybersecurity citizenship.
SaaS infrastructure
A SaaS provider often makes information about its own physical infrastructure, network and operational practices public. What should you be looking for? At a minimum, the security profile of your SaaS provider should approximate that of your own company. Ideally, it exceeds your standards. Try to find the answers to these types of questions:
- Where do they store your data? Do the servers reside within the company’s own data center or that of a public cloud provider? If private, is the data center on-premise or hosted in an off-site facility? Or in a cloud provider? If public, which one(s)?
- Do they use firewalls? Determine whether they are leveraging network hardware or virtual devices, and whether they are focused on the network or application layer. Firewalls are there to control and monitor incoming and outgoing traffic, but their implementation and configuration can vary significantly.
- How do they support Data Loss Prevention (DLP)? Just as important as the specific tactics they use to prevent the loss of sensitive data, especially personally identifiable information (PII), is their overall DLP strategy.
- Do they regularly test for security holes and vulnerabilities? The most secure IT infrastructures undergo vulnerability assessments and penetration testing on a regular basis, based upon current threat scenarios and known vulnerabilities.
- How do they detect and prevent network intrusions? An intrusion detection system (IDS) identifies malicious activity, usually from signatures or anomalies; an intrusion prevention system (IPS) responds to those threats through enacting rules or policies to mitigate what was detected (from the IDS).
- What is the tiering and historical performance of their data centers? A stable and secure facility will feature a high level of physical control, as well as redundant subsystems, such as power, cooling and multiple network entrances from diverse providers.
- Do they use geographically separate and redundant servers and storage? Relative to a provider’s backup, replication, storage and restoration policies, a distributed server/storage strategy provides protection in the event of catastrophic failure at one site.
Good SaaS citizenship
The last area to consider is how the SaaS provider interacts with the security community at large, such as its membership in industry organizations, contributions to industry standards and groups and maintenance of regulatory compliance.
The range and severity of cybersecurity threats have led to a healthy degree of industry collaboration and information sharing. The Cloud Security Association, as one example, counts more than 90,000 individual members, 400 corporate members and 34 working groups, including several that are SaaS-specific.
Even if a SaaS provider does not disclose corporate memberships to any such organization or standards group, it can still be a positive sign when employees participate individually, or engage in relevant best practices, such as those promoted by the Open Web Application Security Project (OWASP), which promotes the development of trusted apps, or the Web Application Security Forum Consortium, which tracks and reports on many common vulnerabilities.
Then there are also industry specifications. A SaaS vendor should be able to provide SOC reports, which outline compliance with internal controls for security, availability, processing integrity and confidentiality. The ISO/IEC 27000-series standards provide additional benchmarks for audited information security practices. Critical for some apps is alignment with the Payment Card Industry Data Security Standard (PCI DSS), which includes firewall, authentication, IDS and other security requirements when infrastructure carries credit card information.
Finally, a SaaS vendor can demonstrate its compliance with government regulations or policies. A medical or health-care app, for instance, may need to adhere to the security requirements of U.S. laws such as the Health Insurance Portability and Accountability Act (HIPAA). Today, any app may be subject to the EU’s General Data Protection Regulation (GDPR), which governs the processing and movement of personally identifiable information (PII) and other sensitive information, as defined by this new standard.
Applications geared toward the U.S. Federal government may also need to comply with specific security controls. The National Institute of Standards and Technology (NIST) Special Publication 800-53 catalogs these controls, except those related to national security.
End users, take action
In the pre-SaaS world, assessing a vendor’s security profile was a job for the IT department. Now everyone can—and should—assume some ownership of IT security. That applies not only to being smart about passwords, settings and the app itself, as discussed previously, but also to knowing something about a SaaS provider’s infrastructure and industry engagement.
The primary concern is not so much with the well-vetted and best-known services, although even apps created by cloud giants can have vulnerabilities. The more pervasive risk derives from the sheer size of today’s SaaS market, which has grown from hundreds to many thousands of apps, significantly adding to the potential for vulnerability. Do they all offer a minimum standard of security? What level do they offer? And what level do you require? Like it or not, in this world of democratized IT, as a SaaS end user you now bear some responsibility for answering those questions.