A 10-point plan to vet SaaS provider security

Using a software-as-a-service provider means giving up some control over security, so close vetting of SaaS security during vendor evaluation is critical.

For a growing number of enterprises, software-as-a-service (SaaS) has become the primary means of accessing vital business applications. The strategy makes sense from a business standpoint because of the potential benefits: cost savings, increased agility and easier scalability to name a few.

Any cloud-based offering comes with security risks, however. How can an organization know for sure if its SaaS providers’ security provisions are up to its own standards?

“The challenge we have is gaining visibility into what the SaaS vendor is doing to secure their infrastructure, their change management procedures, and incident response process,” says Patrick Hevesi, vice president and analyst at research firm Gartner.

Not all SaaS providers are transparent about their security, according to a 2019 Gartner report. Organizations need to understand both the risk they’re taking by putting important user data in a cloud service and the trust they must place in the provider, the report said.

SaaS providers are vulnerable to many of the same malware and hacking attacks that plague any other organization. These threats can impact companies using the services. Focusing your SaaS provider evaluation process on the following areas will minimize that risk.

1. Review SaaS patching policies

One concern for executives is security patching. “Typically, SaaS providers lag on patching, especially if they are multi-tenant and your organization is one of many customers segmented on the service,” says Bernie Pinto, senior manager of security at Asurion, a firm that provides insurance for smartphones, tablets and other products.

2. Check alignment of SaaS and internal security controls

When evaluating SaaS providers, the main concept companies need to understand is the shift in security control responsibilities, says Kurt John, chief cybersecurity officer at communications equipment company Siemens USA. Using SaaS offerings requires that security teams focus on the interface between their organization’s security environment and that of the SaaS provider. “You will want to have a firm grasp on how the provider’s security features align with your corporate information security policies,” he says. “Any gaps should be addressed early in the process.”

John sees three key areas where control alignment is important:

  • Identity and access management (IAM): Problems might include the inability to integrate an existing enterprise IAM platform with the SaaS provider’s offering; conflicting authentication policies, which can cause confusion and technical headaches from a usability perspective; and the SaaS provider’s lack of support for single sign-on (SSO).
  • Encryption and key management: Problems here include the SaaS provider insisting on maintaining control over encryption, allowing it to access the customer’s information at any time, and data being stored outside of the corporate security perimeter, increasing the reliance on adequate encryption management.
  • Security monitoring: Concerns here include the inability to provide access to security event log data from the SaaS environment, limiting the transparency into potential security risks. “One of the challenges to overcome is to make sure the logs cannot be manipulated,” John says. “The preferred option would be having an adequate digital connection with the SaaS provider [that] can feed log data into your existing security operations center in real time. This promotes a holistic view and allows you to extend your on-premises security operations capabilities into the cloud.”

3. Make sure you own your data

Companies should also pay close attention to privacy policies or terms-of-service pledges by providers not to share personal information. “Although that sounds promising, it’s a glaring omission,” says Kayne McGladrey, cybersecurity strategist at IT consulting firm Ascent Solutions and IEEE member.

It's a red flag if the vendor “does not state that the SaaS provider will not sell your business data or sell pseudonymized aggregate data about your organization’s use of the service for ‘market research’ or similar purposes,” McGladrey says. If it’s not spelled out, confirm that the provider will not resell your data.

4. Ensure the SaaS provider complies with relevant regulations

Another cause for concern is if the privacy policy does not include a statement of compliance with specific regulations such as the General Data Protection Regulation (GDPR) or California Consumer Privacy Act (CCPA), McGladrey says. “These are well established, and the omission may indicate that the SaaS provider is not keeping up with laws and regulatory trends,” he says.

“The SaaS vendor should be upfront about data sovereignty and optional localization,” McGladrey adds. “While this is particularly important for multinational organizations selecting SaaS solutions, those organizations bound to a single geography would likely want to avoid awkward situations, such as [personal information] for Americans being intentionally processed and stored in a foreign data center.”

5. Know where the data is stored

From a security, compliance and privacy standpoint, it is ultimately all about the data, says Robert Walden, CIO at Epsilon, a marketing technology provider. “Understanding what kind of data is being stored or transported through the SaaS solution, who has access to the data, who owns the data, how the data is being protected, and who is liable in the event of a security breach” are all important, Walden says.

“Many companies are not even aware of the kind of sensitive data that is being inadvertently stored in SaaS solutions, or who has access to it,” Walden says. “Furthermore, companies often don’t understand that if a standard click-through agreement was executed during the setup of the SaaS solution, that provider often has ownership rights to the data.”

6. Check for data loss or corruption provisions

From a data protection perspective, many companies do not realize that while a SaaS agreement may have disaster recovery provisions, those provisions do not cover data loss or corruption, Walden says.

7. Involve security in the SaaS procurement process

A member of the security and risk team should always be engaged with the procurement team during the procurement process, Pinto says. “The procurement team should be in lockstep with the security team and engaging them to quantify risks [during] the process. Most procurement teams still do not realize that identity and access management is a specialty.”

Information security teams should be present for all key discussions to ensure non-technical topics with a data security implication are addressed, John says. “In our organization, unresolved cybersecurity concerns can potentially take the provider out of consideration.”

8. Identify sub-services the SaaS provider uses

Among the topics to discuss are the sub-service organizations the SaaS provider might be using. “This is critical to address before any contracts are signed,” John says. “This may have an impact on any data storage location requirements your organization may have.”

When evaluating the SaaS security reports, “it will be important to verify that the report scope includes the locations and sub-services that are part of your contract,” John says. “This requires a crosscheck of the contract and applicable security report to ensure adequate coverage and reliability of the audit results.”

The discussions should also cover the SaaS provider’s approach to ensuring regulatory compliance. “In addressing this, it’s important to understand what features from the provider support regulatory compliance and any related activities, such as e-discovery, data privacy, and incident response reporting,” John says.

9. Test thoroughly during free SaaS trials

IT and security should test capabilities, including maximum capacity and surge usage, during a free SaaS trial. “There should be several administrators and super users utilizing the tool at the same time, and during the same windows when evaluating performance,” Pinto says.

Also, test concurrent and multi-process activities. “Users should be cognizant of how well the program responds when busy calculating or moving information and creating reports,” Pinto says.

As part of internal testing, “evaluate the ability to integrate your key security processes with the SaaS provider’s solution,” John says. “This will help determine the level of effort that may be needed and cost projections to ensure adequate security once the solution is implemented.”

10. Review SaaS provider’s third-party audits

It’s important to request and review the provider’s most recent third-party audit reports, including any penetration testing results that will confirm the suitability and effectiveness of the security controls, John says. “Requesting evidence of either a national or an international certification can also be helpful in determining the maturity of the organization’s enterprise level controls.”

Copyright © 2020 IDG Communications, Inc.