5 Security Questions for your SaaS provider

used by permission from ky_olsen's Flickr stream


Software as a Service is seeing sustained growth and sustained adoption in both enterprise and in the home. According to a Gartner release in July 2011, Software as a Service revenue reached $10 billion in 2010 and is still growing. In fact Gartner estimate growth of over 20% 10 $12.1 billion on 2011.
 
The Gartner definition of Software as a Service is software that is “owned, delivered and managed remotely by one or more providers. The provider delivers an application based on a single set of common code and data definitions, which is consumed in a one-to-many model by all contracted customers anytime on a pay-for-use basis, or as a subscription based on use metrics”. The example that is cited in almost every article and presentation on the subject is Salesforce.com, and while they are a major provider in the SaaS arena it is important to recognise that SaaS comes in many different flavours. Customer Relationship Management, Human Resource Management, Cloud backup, Collaboration platforms, accounting platforms, helpdesk management, managed services and web or email filtering to name but a few.
 
The economic benefits, to providers and customers alike are relatively obvious to spot, the cost of user provisioning (the SaaS model) when compared to the cost of application acquisition, licensing and rollout (the on-premise model) is extremely attractive. The SaaS provider is able to more quickly and easily update and manage the software and service due to its centralised nature, application improvements are easier to make as a result of the visibility the provider has of customer usage patterns and the scalability and pay-per-use is attractive for both customer and provider. In addition the possibilities for integration and open interfaces are greater, with many SaaS providers already offering social media-like collaboration functions or open interfaces (APIs).
 
While SaaS may offer a flexible and cost-effective alternative to a traditional application environment, it is not without risk. By moving to a hosted platform, as opposed to in-house, enterprises must necessarily sacrifice a large element of control over parts of their operating environment. With SaaS in particular, almost the only choice you have is whether you upload certain data or not, the rest is largely out of your hands. You do of course retain the legal and regulatory accountability for the security of your data.
 
The risks in a SaaS environment are many, and largely related to the benefits offered. As I mentioned previously, your provider has access to your usage habits of the platform, normally through some kind of web analytics, they also have the capability of accessing all of your data and this in itself presents the risk of unauthorised access or monitoring by an insider.
 
The centralised nature of the system and the “one configuration fits many” model of the multi-tenanted environment means that, should a vulnerability affect one customer, there is a strong possibility that other customers will be equally affected. The Epsilon breach is one of the more recent examples and it affected many Fortune 500 companies using the same SaaS provider. The scope for exploits of vulnerabilities is wide. Common protocols and the software stack are used by most SaaS providers (HTTP, XML/SOAP, JSON, CSS and JavaScript) and these are readily and regularly exploited if not correctly engineered, implemented or configured. Additionally, the more scope a platform offers for customisation and external integration (a key selling point for SaaS vendors), the more chance there is that some other customer will introduce a vulnerability from which another may suffer the consequences. Such is the nature of a multi-tenanted environment.
 
5 Key security questions to ask your SaaS provider:
 
1 – Penetration testing – How is the environment pen tested, how often and do you have the ability to independently pen test your own part of the environment? Without regular, in-depth pen testing you have no visibility of your current security posture.
 
2 – Data Security – How is data encrypted in storage and in transit across the shared resources of the SaaS provider data centre? Who has access to the keys? Is separation of duties and separation of keys and data maintained? Can the provider offer you a SAS 70 report?
 
3 – Multi-tenancy – Is there an option that provides for single tenant hosting? Also explore whether this single tenancy comprises simply the application or also the data storage?
 
4 –Disaster Recovery – In the event of catastrophic failure, or external intrusion and data loss what backup and recovery procedures are in place? Where is backed up data stored (and encrypted again) and how is it effectively restored?
 
5 – User Authentication – What is the sign on procedure for the SaaS application? Are multiple factors in use? Is it possible to integrate sign-on with authentication structures already in use by the customer?
 

One thought on “5 Security Questions for your SaaS provider

  1. @98pm

    Rik,

    Good read. From a technical security perspective, I agree that these are the 5 key questions to cover with SaaS provider, but from a business security view, I would add data portability and SLAs (with financial penalties based on application’s criticality considering you mention Epsilon in the article) as two of the higher priorities prior to engaging with a provider. SLA is required for when the controls fail at the service provider and data portability is obviously when the service just doesn’t work for the business.

    Regards,
    -pm

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

*