SaaS Security: Evaluating a Cloud-Based Sharing Service

SaaS Security

Before trusting your company's data to a SaaS provider, make sure the provider meets or exceeds your company's security requirements. When selecting a SaaS provider, prepare the questions you need to ask and know what to look for in the answers. Research the multiple security layers of cloud-based sharing services. Your company's IT department has standard procedures for enforcing security policies and evaluating vendors; when selecting a SaaS provider, focus on the aspects that matter most for a secure sharing service. Doing this research streamlines your selection process and keeps you a step ahead.

Information Security Program

The SaaS layer includes the provider's Information Security Program, which dictates how the company approaches information security: how it prepares for incidents and how it ensures that security practices are enforced. To understand a cloud provider's information security program, ask the following questions:

  1. What is your IRP (Incident Response Plan)?
  2. What are the staff’s qualifications?
  3. What is the InfoSec Organizational structure?
  4. What are your InfoSec policies?
  5. What is your company’s privacy policy?
  6. Do your employees sign a confidentiality agreement for your company’s policies?
  7. What is your change control process?
  8. What are your company's certifications or third-party attestations?
  9. Does your company have a Disaster Recovery Plan?
  10. What are your company's notification procedures?

Encrypting data in transit and at rest

Before deploying to the cloud, make sure your cloud provider offers encryption to protect your sensitive data. Never assume that every SaaS vendor provides your company with multiple layers of encryption. Your SaaS provider should be able to demonstrate that data in transit is protected by SSL or TLS, but once your data is stored on the SaaS platform, encrypting it at rest can be complicated.

Many SaaS providers have problems encrypting stored and database-driven data because encrypting this data is technically difficult, and providers find databases especially hard to encrypt. Some SaaS providers do not encrypt stored data at all because their multi-tenant architecture makes it harder to keep data fully encrypted while still performing redundancy backups and optimization.

Compensating controls: what are the alternatives to encryption?

If a SaaS provider does not encrypt your sensitive data, it needs to show what internal security measures it takes to protect that data from unauthorized access and misuse. Therefore, before signing a contract, find out what alternative to encryption and key management the provider offers. If the encryption method is a problem, you need to fully understand what compensating controls the provider can offer your company.

Alternative controls a SaaS provider can offer include an authorization server that uses XACML policies, application firewalls, access policies, fine-grained access controls, and policies that create a firewall between processes and people.
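The two passages above describe what encryption at rest in a multi-tenant architecture and a compensating access control are meant to achieve. The following added example (not code from the original post or from any provider it discusses) shows what a practitioner would ask a provider to demonstrate: a toy multi-tenant store in which each tenant gets its own AES-256-GCM data key, every stored object is bound to its tenant and object name through authenticated associated data, and destroying a tenant's key makes leftover ciphertext unrecoverable. The `Store` type, the tenant names and the sample object are constructed for this illustration; keys are held bare in memory here for brevity, whereas a real service would wrap them under a KMS or HSM master key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Store is a toy multi-tenant data store: every tenant gets its own AES-256 key.
// Keys are held bare here for brevity; a real service wraps them under a KMS/HSM
// master key (envelope encryption) and never persists them in the clear.
type Store struct {
	keys    map[string][]byte            // tenant -> data key
	objects map[string]map[string][]byte // tenant -> object name -> ciphertext
}

func NewStore() *Store {
	return &Store{keys: map[string][]byte{}, objects: map[string]map[string][]byte{}}
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM and prepends the random nonce. aad is authenticated
// but not encrypted, so decrypting under a different context fails.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, modified ciphertext or mismatched aad errors out.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Onboard gives a new tenant a fresh random data key and an empty object map.
func (s *Store) Onboard(tenant string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	s.keys[tenant] = key
	s.objects[tenant] = map[string][]byte{}
	return nil
}

// Put encrypts an object under its owner's key, binding tenant and name into the AAD.
func (s *Store) Put(tenant, name string, plaintext []byte) error {
	key, ok := s.keys[tenant]
	if !ok {
		return fmt.Errorf("no data key for tenant %q", tenant)
	}
	ct, err := seal(key, plaintext, []byte(tenant+"/"+name))
	if err != nil {
		return err
	}
	s.objects[tenant][name] = ct
	return nil
}

// Read decrypts ownerTenant's object with keyTenant's key. Normal reads pass the
// same tenant twice; different tenants model an access-control bug that hands one
// tenant another's ciphertext, which GCM rejects since both key and AAD differ.
func (s *Store) Read(keyTenant, ownerTenant, name string) ([]byte, error) {
	ct, ok := s.objects[ownerTenant][name]
	if !ok {
		return nil, fmt.Errorf("object %q not found for tenant %q", name, ownerTenant)
	}
	key, ok := s.keys[keyTenant]
	if !ok {
		return nil, fmt.Errorf("no data key for tenant %q", keyTenant)
	}
	return open(key, ct, []byte(ownerTenant+"/"+name))
}

// Offboard destroys the tenant's key; ciphertext left in backups becomes
// unrecoverable (crypto-shredding), which is what "delete" should mean.
func (s *Store) Offboard(tenant string) { delete(s.keys, tenant) }
```

Call `Onboard` for each tenant, `Put` to store an object, and `Read` with the same tenant as key holder and owner for a normal read; a `Read` that names a different key holder fails, as does a read after `Offboard`. When evaluating a provider, the questions to map onto this are whether keys are per tenant, what binds a stored blob to its owner, and whether deleting a tenant actually destroys key material rather than only the index entry.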

Your SLA needs to include incident response

When you deploy sensitive data to a SaaS provider, security control is critical for your company. Even so, a data breach can still occur at the provider's location, so it is critical that your company fully understands what the SaaS provider would do in the event of a security breach.

Before signing a contract, make sure your SaaS provider can help your company meet its compliance requirements in the event of an incident, and make this part of the agreement. You need to ensure that the provider can comply with state breach notification laws. If you are obligated to notify your customers of a security breach, you must be certain that the provider can give you timely data and the proper information so you can carry out your own incident-handling procedures and reporting.
