
How to assess the security of SaaS applications

Ken Asher, Sales Engineer, Security, Smartsheet | Jan. 28, 2015
The seven goals a SaaS security review should address.

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Enterprises have made many attempts to standardize the security evaluation of SaaS applications, including establishing certifications to improve clarity and normalize risk, purchasing compliance suites, and building frameworks to keep all of the information aligned, but none of these attempts have succeeded in establishing consistency. Organizations need a model that will effectively assess every type of SaaS application so comparisons can be made across the board.

In order to develop a comprehensive understanding of risk, there are a few key elements that must be fulfilled. Without these elements, it will be much more challenging to develop a thorough understanding of risk. Unfortunately, these elements are often the most difficult to fulfill.

The first is corroborating data. Most IT departments conduct vendor security assessments in a vacuum without adequate information. Each auditor may have a piece of the overall puzzle, but none actually sees the bigger picture because they rarely collaborate and typically only assess vendor security once before purchasing a solution, meaning that they reach risk conclusions from what amounts to single data points on vendor controls.

The second element is a comprehensive view of the SaaS vendor's security practices. Some SaaS vendors are reluctant to provide auditors the full details of their security practice for fear it may lead to reduced efficacy of their security controls. For example, exposing the details about an encryption implementation might allow attackers to devise a plan to break the encryption, so vendors are often hesitant to reveal this information. As a result, IT departments don't have a complete understanding of the security controls the vendor has in place.

The final element that is often missing is the means to measure the effectiveness of audit control questions, assessment frameworks, and the auditors themselves. Currently, the only surefire feedback assessors receive is a vendor data breach.

SaaS vendors' perspective on security assessment
SaaS vendors' business often hinges on a successful security assessment outcome, so it is in their best interest that their prospects have an effective process for evaluating security practices. Such a process is likely to lead to appropriate, well-informed risk decisions by buyers. Conversely, inconsistent assessment questions, auditor inefficacy, and inaccurate risk conclusions will be detrimental to widespread SaaS adoption.

In addition, many SaaS vendors are affected by the lack of a single agreed-upon method for assessing vendor security, meaning that every assessment has unique questions that must be carefully reviewed, and answers must be crafted and considered. This makes the process much more tedious and labor intensive.

Clearly, it is in the best interest of both SaaS vendors and organizations' IT departments to establish a consistent risk-evaluation process. So how can this be accomplished? First, let's consider the key goals:
