Reviewing Your SaaS Security

June 2, 2025
David McCabe, CISSP, CISM, MBA


Software as a Service (SaaS) offerings have transformed the way businesses operate – delivering scalability, flexibility, and innovation. Your organization is probably already using many of these services and will likely implement more.

But this introduces new security challenges. When SaaS applications are used for critical business functions or for processing and storing sensitive data, an organization must extend the same level of security oversight and controls that it applies to its internal systems, often with additional considerations tailored to the cloud.

Here are some things to consider when evaluating SaaS risk:

  • Understand the service and the vendor. It is critical to have a deep understanding of the SaaS vendor’s “shared responsibility” model – in which the vendor manages some layers of security and your organization retains responsibility for the rest. Without this understanding, it isn’t possible to develop an appropriate risk-based security program for the SaaS offering.
  • Perform risk assessments (RA) prior to implementation of SaaS solutions and regularly afterwards. Standard RAs may not adequately encompass the risks related to SaaS offerings. Evaluate how the service differs from internal systems and customize the RA accordingly.
  • Execute vendor reviews customized for cloud services. Follow standard due diligence, but additional reviews may be required to address the additional risks specific to the service, such as:
    • Data security for transmission and storage. 
    • Incident response and disaster recovery preparedness. 
    • Data backups, and recovery time objective (RTO) and recovery point objective (RPO) capabilities.
    • Contracts should include clauses concerning data ownership, breach notifications, right to audit, and more items specific to the service offering.
  • Enforce secure access management.  
    • Verify that multi-factor authentication (MFA) is available for all user types.  
    • Confirm that password policies follow minimum requirements for length, complexity, lockout, and expiration.  
    • For privileged accounts (e.g., admins, cash management functions), confirm that additional security measures are available (hardware tokens, biometrics, conditional access policies, etc.).
    • Verify session timeouts for inactivity.
  • Account management processes and auditing should be in place.  This is often overlooked but should match or exceed what is currently being done for internal account management.  
    • Regular reviews of accounts, roles, and least privilege access should be done.
    • Repeatable and documented account management processes should be created for new user setups, changes, and terminations.
  • Monitoring and alerting systems should be available.  
    • Alerts for events such as changes to administrative accounts, authentication requirements, and configurations.
    • Dashboards and reports on availability and service level performance. 
    • Historical logging to support forensic reviews or audit.
  • Documentation specific to the services should be developed.
    • Data flow diagrams are useful for identifying the data, how it flows, and the components required.  
    • Other documentation could include DR testing procedures and change management processes.
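The access-management, account-review, and monitoring items above can be turned into a repeatable check. The script below is an added example, not code from the original post: it runs the checklist over a constructed SaaS user export and a constructed audit log (field names such as `mfa`, `role`, `action`, and `target` are assumptions; real vendors use their own export schemas, so map them to these keys first).

```python
from datetime import datetime, timedelta

# Constructed sample user export; field names are assumptions, not any
# vendor's real schema. Map your vendor's export to these keys first.
USERS = [
    {"user": "alice", "role": "admin", "mfa": "hardware_token", "last_login": "2025-05-30"},
    {"user": "bob", "role": "user", "mfa": "none", "last_login": "2025-05-28"},
    {"user": "carol", "role": "admin", "mfa": "sms", "last_login": "2025-05-29"},
    {"user": "svc-export", "role": "user", "mfa": "totp", "last_login": "2025-01-10"},
]

# Constructed audit-log entries (also an assumed shape).
AUDIT_LOG = [
    {"ts": "2025-06-01T09:12:00", "actor": "alice", "action": "role_change",
     "target": "bob", "detail": "user -> admin"},
    {"ts": "2025-06-01T09:15:00", "actor": "alice", "action": "policy_change",
     "target": "session_timeout", "detail": "15m -> 480m"},
    {"ts": "2025-06-01T10:00:00", "actor": "bob", "action": "login",
     "target": "-", "detail": ""},
]

AS_OF = datetime(2025, 6, 2)                      # review date
STRONG_MFA = {"hardware_token", "fido2"}          # required for privileged accounts
# Admin-account, authentication-requirement and configuration changes: alert on these.
ALERT_ACTIONS = {"role_change", "policy_change", "mfa_change"}

def review_users(users, as_of=AS_OF, dormant_days=90):
    """Findings against the access-management and account-review items."""
    findings = []
    for u in users:
        if u["mfa"] == "none":                         # MFA for all user types
            findings.append((u["user"], "mfa_missing"))
        if u["role"] == "admin" and u["mfa"] not in STRONG_MFA:
            findings.append((u["user"], "privileged_weak_mfa"))
        last = datetime.strptime(u["last_login"], "%Y-%m-%d")
        if as_of - last > timedelta(days=dormant_days):  # stale account review
            findings.append((u["user"], "dormant"))
    return findings

def alerts(log):
    """Audit-log entries that the monitoring item says should raise an alert."""
    return [e for e in log if e["action"] in ALERT_ACTIONS]

if __name__ == "__main__":
    for user, issue in review_users(USERS):
        print(f"FINDING {issue:<20} {user}")
    for e in alerts(AUDIT_LOG):
        print(f"ALERT   {e['action']:<20} {e['actor']} changed {e['target']}: {e['detail']}")
```

Run against a real export on a schedule and diff the findings between runs; the `policy_change` alert on `session_timeout` is the kind of authentication-requirement change the monitoring item calls out.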

As organizations increasingly rely on SaaS providers to store, manage, and process their sensitive data and critical business processes, it is imperative that they implement adequate controls to secure their data. An organization is still responsible for safeguarding information – even when it is managed by a third-party vendor. Ensure your team follows a risk-based, well-documented, security-first approach to SaaS usage.

We can help. Connect with the SV Team.