In software purchasing, cybersecurity is often overlooked: 50% of subscriptions are taken by a department other than IT, according to a recent Microsoft report.
Yet, 70% of organizations hosted in the public cloud did indeed experience at least one security incident in 2020. With the rise of SaaS (Software as a Service) applications in business, it is crucial to take steps to protect your data and infrastructure.
Fortunately, there are simple ways to ensure the security of your SaaS purchases. In this article, we present a four-step checklist to help you navigate this complex field.
Why Establish a SaaS Security Checklist
At one time, applications were installed directly on computers, on-premises: it was therefore up to the buyer to manage security internally. At the end of the 1990s, SaaS came onto the scene and created a digital world, a cloud world.
SaaS and the Cloud have changed the game by allowing us the same functionality, or in many cases more efficient functionality, without the need for dedicated servers, internal security, and labor resources to install physical software on user machines. The technology works in the same way for everyone, regardless of the machine an employee uses.
This type of technology has given our organizations more efficiency, more flexibility, and greater economies of scale, all in real time.
However, this also means entrusting the security of one’s information to a third party. According to a survey by Hacker News, the verification and maintenance of SaaS security were in the hands of the SaaS provider in 52% of cases. Therefore, it is vital that SaaS buyers adopt a proactive approach to SaaS cybersecurity.
1. Assess your security needs
Before you start looking for SaaS solutions, it is essential to understand the specific security needs of your business. This involves identifying the types of data you will store in the SaaS, the necessary access, and potential risks.
- Asset Management: Where does your company stand on SaaS user authentication? In other words, who should have access, and to what?
- Data Security: What type of data will be stored in or shared with the SaaS product, and what is the company's position on protecting that data? What incident management procedures need to be in place in the event of a data breach? Similar considerations apply to cloud security.
- Network Security: Where does your company stand on firewalls, VPNs, and other network security controls?
- Scalability: What are your company’s expectations regarding vertical and horizontal scaling for this SaaS product?
- Reliability: What type of disaster recovery (DR) plan does your company’s IT security team require for SaaS products?
2. Collaborate with IT Security
The IT team is your ally in implementing an effective SaaS security strategy. Involve them from the beginning of the purchasing process (RFI, RFP) to benefit from their advice and expertise and to avoid last-minute surprises.
Security collaboration is crucial: it provides an additional layer of security protection for SaaS purchasing, but it also gives your technical teams the opportunity to organize their resources ahead of a potential SaaS deployment.
3. Use a risk and security assessment questionnaire
For each potential SaaS provider, require them to fill out a detailed questionnaire about their security practices. This questionnaire should cover aspects such as asset management, data protection, network security, scalability, and reliability.
Asset Management
Asset management delves into the specifics of access control within the application: who has access to the system, how that access is controlled, and what method is used to verify credentials.
Here are some common questions related to cloud application asset management that you could include in your security questionnaire:
- Who will have access to the production environment and company data?
- How is their access to the production environment and data controlled and monitored?
- Will there be any third parties with access to the system or integrations?
- Describe the authentication (e.g., Active Directory, ADFS, Shibboleth, SAML, etc.).
- Does the product support multi-factor authentication?
- How are accounts provisioned?
- How are user roles managed, and by whom?
Data Protection
Most SaaS products involve at least a one-way transfer of data to the provider. That data may include personally identifiable information (PII) of end users, financial data such as banking details, information covered by HIPAA, and other types of sensitive data depending on the nature of your business.
Points to clarify up front:
- How are data protected? Describe the controls for data integrity.
- Are the company's intellectual property rights and trade secrets preserved?
- Describe the data rights if the company deletes data or if the relationship with the provider ends.
- Are data flows or transfers manual or automated?
- Describe the necessary APIs.
- What measures does the provider implement to prevent data leaks?
Network Security
Regarding external security threats, network security controls are the first line of defense. Here are some common network-related questions to ask providers:
- Does the company use firewalls? If so, which ones?
- Does the company have written network policies?
- Does the company have network monitoring and alerting in place?
- Is any part of the company’s network management outsourced?
- Is VPN required to access the company’s network?
Scalability and Reliability
Always anticipate future needs, to determine whether the purchased product is suitable not only today but also in 6 months, 12 months, 2 years…
A few points to consider:
- Is the proposed product scalable?
- What are the scalability limits of the product? (loading times, license limits, etc.)
- What does customer support provide in case of product issues?
- What are the SLAs (Service Level Agreements)?
4. Implement regular security audit processes
SaaS security isn't a one-time subject that you address once and for all; it's an ongoing process that is regularly reviewed against your internal security criteria and external requirements (vendors, suppliers, partners, regulations, etc.).
Therefore, it’s necessary to regularly:
- Update your checklist
- Audit your application landscape to detect cybersecurity risks and Shadow IT
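To make the audit step concrete, here is an added example (not code from the article or from any vendor it mentions) showing one way to reconcile the sanctioned SaaS inventory against two sources of evidence that commonly expose Shadow IT: expense lines booked by non-IT departments and outbound proxy logs. The sanctioned list, the expense lines and the proxy log are all constructed for illustration; in practice the inventory would be exported from your SSO/identity provider, and the MFA and review-date fields would come from the questionnaire answers collected in step 3. The one-year review cadence and the two-client threshold are assumptions you would tune to your own policy.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set

# --- Sanctioned SaaS inventory (constructed; normally exported from your SSO/IdP) ---

@dataclass(frozen=True)
class SanctionedApp:
    name: str
    domain: str            # vendor domain the app is reached through
    mfa_enforced: bool     # whether MFA is actually enforced, not merely "supported"
    last_review: date      # date the provider's security questionnaire was last reviewed
    owner: str             # business owner accountable for the subscription

SANCTIONED: Dict[str, SanctionedApp] = {
    "crm-suite.example":  SanctionedApp("CRM Suite",  "crm-suite.example",  True,  date(2024, 2, 10), "Sales"),
    "docs-cloud.example": SanctionedApp("Docs Cloud", "docs-cloud.example", False, date(2022, 9, 1),  "IT"),
}

# --- Evidence of SaaS use outside the sanctioned list (constructed) ---

# Expense lines: (department, description, vendor domain). Subscriptions bought by a
# department without going through IT are the classic origin of Shadow IT.
EXPENSE_LINES = [
    ("Marketing", "FunnelMail Pro monthly", "funnelmail.example"),
    ("Sales",     "CRM Suite annual",       "crm-suite.example"),
    ("Finance",   "SheetSync team plan",    "sheetsync.example"),
]

# Forward-proxy log, one CONNECT per line: timestamp, client IP, method, host:port.
PROXY_LOG = """\
2024-05-02T09:14:11Z 10.1.4.23 CONNECT crm-suite.example:443
2024-05-02T09:15:02Z 10.1.4.57 CONNECT sheetsync.example:443
2024-05-02T09:16:40Z 10.1.4.88 CONNECT sheetsync.example:443
2024-05-02T09:17:05Z 10.1.4.23 CONNECT sheetsync.example:443
2024-05-02T09:18:30Z 10.1.4.57 CONNECT notes-app.example:443
2024-05-02T09:19:12Z 10.1.4.91 CONNECT docs-cloud.example:443
2024-05-02T09:20:44Z 10.1.4.88 CONNECT funnelmail.example:443
"""

PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) CONNECT (?P<host>[^:\s]+):(?P<port>\d+)$")


def parse_proxy_log(text: str) -> Dict[str, Set[str]]:
    """Map each external host to the set of internal clients that reached it."""
    usage: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        m = PROXY_RE.match(line.strip())
        if not m:  # malformed lines are skipped rather than aborting the audit
            continue
        usage.setdefault(m["host"], set()).add(m["client"])
    return usage


def find_shadow_it(usage: Dict[str, Set[str]], min_clients: int = 2) -> Dict[str, List[str]]:
    """Return unsanctioned domains together with the evidence pointing at them.

    A domain is flagged if it was paid for outside the sanctioned list, or if at
    least `min_clients` distinct internal hosts connected to it; the threshold keeps
    one person's casual browsing from being reported as a deployed SaaS.
    """
    findings: Dict[str, List[str]] = {}
    for dept, desc, domain in EXPENSE_LINES:
        if domain not in SANCTIONED:
            findings.setdefault(domain, []).append(f"expensed by {dept}: {desc}")
    for domain, clients in usage.items():
        if domain not in SANCTIONED and len(clients) >= min_clients:
            findings.setdefault(domain, []).append(f"{len(clients)} internal clients via proxy")
    return findings


def missing_mfa() -> List[str]:
    """Sanctioned apps where the questionnaire said MFA is supported but it is not enforced."""
    return sorted(a.name for a in SANCTIONED.values() if not a.mfa_enforced)


def overdue_reviews(today: date, max_age: timedelta = timedelta(days=365)) -> List[str]:
    """Sanctioned apps whose security questionnaire is older than the review cadence."""
    return sorted(a.name for a in SANCTIONED.values() if today - a.last_review > max_age)


def run_audit(today: date) -> dict:
    """Run all three checks and return the findings as one report."""
    usage = parse_proxy_log(PROXY_LOG)
    return {
        "shadow_it": find_shadow_it(usage),
        "missing_mfa": missing_mfa(),
        "overdue_reviews": overdue_reviews(today),
    }


if __name__ == "__main__":
    report = run_audit(date(2024, 5, 3))
    for domain, evidence in report["shadow_it"].items():
        print(f"[SHADOW IT] {domain}: " + "; ".join(evidence))
    for name in report["missing_mfa"]:
        print(f"[NO MFA]    {name}")
    for name in report["overdue_reviews"]:
        print(f"[OVERDUE]   {name}")
```

On the constructed data the report flags sheetsync.example (expensed by Finance and used from three hosts) and funnelmail.example (expensed by Marketing), leaves notes-app.example alone because a single client is below the threshold, and lists Docs Cloud both for unenforced MFA and for a questionnaire that is more than a year old. Each finding maps back to a checklist item from step 3, which is what keeps the audit tied to the criteria you agreed with IT rather than to an ad hoc list.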
Conclusion
By following these simple steps, you can ensure that your SaaS purchases are made securely and your data is protected.
Key Takeaways:
- 70% of organizations hosted in the public cloud experienced at least one security incident in 2020.
- SaaS products continue to grow: as the SaaS world evolves, so do security threats, and security controls must therefore evolve with them.
This way, you can protect your business against cyber threats and ensure the success of your SaaS deployments.