SaaS Security: Evaluating a Cloud-Based Sharing Service
Before trusting your company's data to a SaaS provider, make sure the provider meets or exceeds your company's security requirements. When selecting a SaaS provider, prepare the questions you need to ask and know what to look for in the answers. Research the multiple security layers of a cloud-based sharing service so that you can judge each one on its own merits. Your company's IT department already has standard procedures for enforcing security policies and evaluating vendors; use them. Focus on the aspects that matter most for a secure sharing service. Doing this research up front streamlines the selection process and keeps you a step ahead.
Information Security Program
At the organizational layer of a SaaS provider lies its Information Security Program, which dictates how the company views information security: how it prepares for incidents and how it ensures that security practices are actually enforced. To understand a cloud provider's information security program, ask the following questions:
- What is your IRP (Incident Response Plan)?
- What are the staff's qualifications?
- What is the InfoSec organizational structure?
- What are your InfoSec policies?
- Do your employees sign a confidentiality agreement covering your company's policies?
- What is your change control process?
- What are your company's certifications or third-party attestations?
- Does your company have a Disaster Recovery Plan?
- What are your company's notification procedures?
Encrypting data in transit and at rest
Before deploying to the cloud, make sure your provider offers encryption for your sensitive data. Never assume that every SaaS vendor provides multiple layers of encryption. Your SaaS provider should be able to demonstrate that data in transit is protected with TLS (SSL is obsolete and should no longer be accepted), but once your data is stored on their platform, encrypting it at rest is more complicated.
Many SaaS providers struggle to encrypt application- and database-driven data, because encrypting a live database while keeping it queryable is technically hard. Some providers do not encrypt stored data at all, because their multitenant architecture makes it harder to keep data fully encrypted while still performing redundancy backups and optimization. Ask specifically what is encrypted at rest (whole disk, database, or individual fields), who holds the keys, and whether the provider's own staff can read your data.
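The following is an added illustration, not code from the original article or from any particular provider, of what "multiple layers of encryption" at rest can look like in a multitenant store: envelope encryption, where each record is encrypted under its own data-encryption key (DEK) and the DEK is wrapped under a master key-encryption key (KEK). Both layers bind the tenant ID as AES-GCM associated data, so a ciphertext copied into another tenant's row fails to decrypt rather than leaking. The in-code `masterKEK`, the tenant names and the sample record are constructed assumptions; in a real deployment the KEK lives in an HSM or KMS and only wrap/unwrap calls leave it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed example key: in a real deployment the key-encryption key (KEK)
// lives in an HSM or cloud KMS and the application only calls wrap/unwrap.
var masterKEK = []byte("0123456789abcdef0123456789abcdef") // 32 bytes = AES-256

// Envelope is what the provider stores: a per-record data-encryption key (DEK)
// wrapped under the KEK, plus the record encrypted under that DEK. Both layers
// use the tenant ID as AES-GCM associated data, so a ciphertext copied into
// another tenant's row fails to decrypt instead of leaking.
type Envelope struct {
	TenantID   string
	WrappedDEK []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || AES-GCM(plaintext) with a fresh random nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// unseal reverses seal and fails on any tampering or wrong associated data.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// EncryptRecord generates a DEK, encrypts the record under it and wraps the DEK.
func EncryptRecord(tenantID string, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aad := []byte(tenantID)
	wrapped, err := seal(masterKEK, dek, aad)
	if err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, aad)
	if err != nil {
		return nil, err
	}
	return &Envelope{TenantID: tenantID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the DEK and decrypts the record on behalf of the
// tenant making the request; a mismatched tenant fails at the unwrap step.
func DecryptRecord(requestingTenant string, env *Envelope) ([]byte, error) {
	aad := []byte(requestingTenant)
	dek, err := unseal(masterKEK, env.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for tenant %q: %w", requestingTenant, err)
	}
	return unseal(dek, env.Ciphertext, aad)
}

func main() {
	env, err := EncryptRecord("tenant-a", []byte("Q3 customer ledger"))
	if err != nil {
		panic(err)
	}
	pt, _ := DecryptRecord("tenant-a", env)
	fmt.Printf("tenant-a reads: %s\n", pt)
	_, err = DecryptRecord("tenant-b", env)
	fmt.Printf("tenant-b reads: %v\n", err)
}
```

The design point to check with a vendor is the one this code makes explicit: a per-record DEK means a backup or replica can be copied without the KEK ever leaving the key store, and key rotation only re-wraps DEKs rather than re-encrypting every row, which is precisely the operational objection providers raise against at-rest encryption.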
Compensating controls: what are the alternatives to encryption?
If a SaaS provider does not encrypt your sensitive data, they need to prove what internal security measures they take to protect it from unauthorized access and misuse. Before signing a contract, find out what the provider offers in place of encryption and key management. If the encryption method is a problem, you need to fully understand what compensating controls the provider can offer your company.
A SaaS provider can offer alternative controls, including an authorization server that evaluates XACML policies, application firewalls, access policies, fine-grained access controls, and policies that put a barrier between processes and people. A compensating control is only as good as its default: confirm that access is denied when no policy matches, and that policy decisions are logged so you can audit who read what.
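As an added example (not code from the article or from any XACML product), here is a minimal attribute-based access control decision point in the shape XACML defines: requests carry subject, resource, action and environment attributes; rules have a Permit or Deny effect; the deny-overrides combining algorithm resolves conflicts; and the enforcement point fails closed, treating NotApplicable as a denial. The policy rules, tenant names and request attributes are constructed for illustration.

```go
package main

import "fmt"

// Decision mirrors the result set an XACML policy decision point (PDP) returns.
type Decision int

const (
	NotApplicable Decision = iota // no rule matched
	Permit
	Deny
)

func (d Decision) String() string {
	return [...]string{"NotApplicable", "Permit", "Deny"}[d]
}

// Request carries the attribute categories XACML evaluates: subject, resource,
// action and environment. Values are strings for simplicity.
type Request struct {
	Subject, Resource, Action, Env map[string]string
}

// Rule is a named condition over the request attributes with an effect.
type Rule struct {
	Name   string
	Effect Decision
	Match  func(Request) bool
}

// DenyOverrides implements XACML's deny-overrides combining algorithm: any
// matching Deny rule wins, then any matching Permit, otherwise NotApplicable.
// The name of the rule that decided the outcome is returned for audit logging.
func DenyOverrides(rules []Rule, req Request) (Decision, string) {
	result, why := NotApplicable, ""
	for _, r := range rules {
		if !r.Match(req) {
			continue
		}
		if r.Effect == Deny {
			return Deny, r.Name
		}
		if result == NotApplicable {
			result, why = Permit, r.Name
		}
	}
	return result, why
}

// SharingPolicy is a constructed policy for a multitenant file-sharing service.
var SharingPolicy = []Rule{
	{"owner-any-action", Permit, func(r Request) bool {
		return r.Subject["tenant"] == r.Resource["tenant"] && r.Subject["id"] == r.Resource["owner"]
	}},
	{"same-tenant-read", Permit, func(r Request) bool {
		return r.Subject["tenant"] == r.Resource["tenant"] && r.Action["id"] == "read"
	}},
	{"no-cross-tenant", Deny, func(r Request) bool {
		return r.Subject["tenant"] != r.Resource["tenant"]
	}},
	{"restricted-requires-mfa", Deny, func(r Request) bool {
		return r.Resource["classification"] == "restricted" && r.Env["mfa"] != "true"
	}},
}

// Authorize is the policy enforcement point (PEP): it fails closed, so only an
// explicit Permit grants access and NotApplicable is treated as a denial.
func Authorize(req Request) (bool, string) {
	d, rule := DenyOverrides(SharingPolicy, req)
	return d == Permit, fmt.Sprintf("%s (%s)", d, rule)
}

// newRequest builds a request from constructed attribute values.
func newRequest(subjectID, subjectTenant, owner, resourceTenant, class, action, mfa string) Request {
	return Request{
		Subject:  map[string]string{"id": subjectID, "tenant": subjectTenant},
		Resource: map[string]string{"owner": owner, "tenant": resourceTenant, "classification": class},
		Action:   map[string]string{"id": action},
		Env:      map[string]string{"mfa": mfa},
	}
}

func main() {
	cases := []Request{
		newRequest("alice", "acme", "alice", "acme", "restricted", "delete", "true"),
		newRequest("alice", "acme", "alice", "acme", "restricted", "read", "false"),
		newRequest("bob", "acme", "alice", "acme", "internal", "read", "false"),
		newRequest("bob", "acme", "alice", "acme", "internal", "write", "true"),
		newRequest("mallory", "globex", "alice", "acme", "internal", "read", "true"),
	}
	for _, c := range cases {
		ok, why := Authorize(c)
		fmt.Printf("%s/%s %s %s -> allowed=%v via %s\n",
			c.Subject["tenant"], c.Subject["id"], c.Action["id"], c.Resource["classification"], ok, why)
	}
}
```

The second case is the one worth showing a vendor: the owner's Permit is matched, but the missing-MFA Deny still wins under deny-overrides. Ask which combining algorithm their authorization server uses, because permit-overrides with the same rules would grant that access.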
Your SLA needs to include incident response
When you deploy sensitive data to a SaaS provider, security control is critical for your company, yet a data breach can still occur on the provider's side. It is critical to fully understand what your SaaS provider would do in the event of a security breach.
Before signing a contract, make sure your SaaS provider can help your company meet its compliance requirements in case of an incident, and make this part of the agreement you sign. You need to ensure that the provider can comply with state breach notification laws. If you are obligated to notify your customers of a security breach, you have to be certain that your SaaS provider will give you timely and accurate information, including what data was affected, when the breach was detected and what the provider has done about it, so that you can carry out your own incident-handling procedures and reporting.