Many organizations are moving toward the software as a service (SaaS) model. This allows an organization to focus on its core business rather than on running information technology. That can be efficient for a resource-constrained organization, but it does not come without risk.
Outsourcing services is in vogue, and as technology grows more complex, outsourcing will most likely increase as well. Although a service can be outsourced, trust should not be. An organization should establish the basis for trust through the vendor agreement. The contract for the SaaS is a critical part of the outsourcing process, so it is important that all necessary security elements be explicitly identified in the agreement.
Consider the consequences of a breach involving the SaaS vendor. Could your organization survive the fallout? Bear in mind the following before pursuing a SaaS agreement:
· Data out of your hands is data subject to a loss of control - Your information assets are only as well protected as the vendor's security diligence. A breach of the vendor's system may expose every information asset they handle for you, not just the records involved in a given transaction.
· Insurance is the primary mechanism for transferring the financial consequences of risk - An organization is otherwise hard pressed to shift loss to someone else. Insurance is the primary medium for loss recovery. Litigation, although justified, is time consuming and unlikely to result in a monetary award sufficient to cover the damages incurred from a vendor breach. Note that insurance covers financial loss; the reputational and regulatory consequences of a breach stay with the data owner.
The risk of SaaS can be immense. However, it need not be unmanageable. It is possible to institute controls which can reduce SaaS risk. Some options and activities which improve your risk posture include:
· Ensure the contract covers all security requirements - Identify every security requirement you would impose on the system if it were run in-house. Include those requirements in the SaaS contract; this gives the vendor implementation guidance and gives you a concrete basis for validating that each requirement has been met.
· Visit the facility - Determine whether the security controls the vendor professes to have integrated with the system are in fact enforced. Ask questions of site staff and seek evidence that the security practices are being followed, rather than relying on what the sales material or a policy document says.
· Enable encryption when practical and manage the keys where possible - Transmission encryption should be used to protect sensitive information transiting public networks. Try to get storage encryption enabled to protect data at rest, whether it is in the datacenter or on backup media. Discuss options with the vendor that would let your organization manage the associated cryptographic keys. Keep in mind that encryption at rest using keys the vendor holds mainly protects against lost or stolen media; it does not protect your data from a compromise of, or misuse within, the vendor's own environment. Customer-managed keys narrow that exposure.
· Ensure provisions exist to conduct your own assessment of the controls - The crux of information security is whether the controls are actually implemented. Don't simply take the vendor's word that all necessary controls are in place. Include a provision in the contract giving your organization the right to periodically review the controls. At a minimum, this should include vulnerability scanning and checks on access control and account management. Ideally, each security requirement in the contract should be subject to review by the customer. The vendor's openness to such verification is itself a basis for deciding how far to trust their service.
· Agreement to correct identified vulnerabilities - Weaknesses noted through your review, or that of others, should be corrected in a timely manner. Ensure the agreement specifies a timeframe for correcting noted vulnerabilities, and what happens if the vendor misses it.
· Have a security architect evaluate the system design - Enlist the help of an outside security expert if your organization lacks the resources in-house. The agreement should include a provision allowing the customer to bring in outside assistance to verify the system security controls.
· Require auditing to be in place for activity that could indicate or cause a data breach - The customer should have the option to review audit records from the system, including administrative and privileged access to customer data. Auditing must be enabled for the critical parts of the system where abuse might occur. Auditing provides vendor accountability and supports trust in their operations.
Desirable security attributes of a SaaS agreement are summarized as:
· The inclusion of all necessary security requirements.
· Security provisions for the confidentiality, integrity, and availability of the data.
· A customer's right to periodically review and validate system security controls.
The risk associated with SaaS may be high, but it need not be prohibitive. Implementing appropriate controls, coupled with diligent monitoring, enables trust in the vendor. We can trust our SaaS vendor so long as we can verify that the appropriate controls are implemented as required, operating as intended, and producing the desired results. In this regard, the service is outsourced, but management of the risk is retained: trust is established through appropriate contract conditions and ongoing monitoring.