Cookies help us display personalized product recommendations and ensure you have great shopping experience.

By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
SmartData CollectiveSmartData Collective
  • Analytics
    AnalyticsShow More
    cybersecurity efforts
    How Behavioral Analytics and AI Are Redefining Cybersecurity for Boca Raton Businesses
    14 Min Read
    data driven risk management in heatlhcare
    How Data Analytics Is Changing Healthcare Risk Management
    17 Min Read
    big data and customer service outsourcing
    How Data Analytics Improves Customer Service Outsourcing
    18 Min Read
    How a Specialized Marketing VA Improves Campaign Analytics
    How a Specialized Marketing VA Improves Campaign Analytics
    11 Min Read
    New Data Analytics Breakthroughs Give eCommerce Startups a Fighting Chance
    New Data Analytics Breakthroughs Give eCommerce Startups a Fighting Chance
    6 Min Read
  • Big Data
  • BI
  • Exclusive
  • IT
  • Marketing
  • Software
Search
© 2008-25 SmartData Collective. All Rights Reserved.
Reading: Cyber Security: How to Cover Your SaaS
Share
Notification
Font ResizerAa
SmartData CollectiveSmartData Collective
Font ResizerAa
Search
  • About
  • Help
  • Privacy
Follow US
© 2008-23 SmartData Collective. All Rights Reserved.
SmartData Collective > IT > Cloud Computing > Cyber Security: How to Cover Your SaaS
Cloud ComputingSecurity

Cyber Security: How to Cover Your SaaS

ryanward
ryanward
6 Min Read
Image
SHARE

ImageWhile attending various conferences, roundtables and other information security gatherings, a common theme that often presents itself is the concern over security of software-as-a-service (SaaS) vendors. Another common theme seems to be that IT cyber security teams are either very confident with how they are managing this particular “cloud” risk or they are completely baffled at how to discover and deal with the risk.

ImageWhile attending various conferences, roundtables and other information security gatherings, a common theme that often presents itself is the concern over security of software-as-a-service (SaaS) vendors. Another common theme seems to be that IT cyber security teams are either very confident with how they are managing this particular “cloud” risk or they are completely baffled at how to discover and deal with the risk.

By utilizing some very basic listening skills at these discussions (I am sometimes told listening is not my strong suit), even Beethoven would discover that the confident security leaders all follow similar processes to manage the SaaS risk: true information security leaders ask the vendors questions about how they manage security before purchasing the product.

Wow, sounds difficult doesn’t it!

More Read

5 Innovative and Diverse Uses of Big Data
6 Reasons to Boost Data Security Plan in the Age of Big Data
Why a Chargeback Model for Private Cloud May Be Problematic
2012 Tech Predictions
CIA Releases Its Maps, DHS Secretary Doesn’t Use Email, and More

“Due diligence” is all that really separates the men from the boys in the space because if you do not at least ask questions of the SaaS vendors, you will never know their state of security. All the effective security organizations seem to have a process in place in which potential vendors must complete a survey or questionnaire about their security practices. The surveys do differ between organizations, but they should differ to highlight each organization’s key risk and information security compliance requirements. To truly be effective, the assessment should be built into the SDLC or PMO processes so it is required for all new contracts.

Over the past several years, groups like the Cloud Security Alliance (CSA) have progressed this space considerably, but the CSA controls are fairly extensive so it is difficult for both CISOs and SaaS vendors to complete/review the exhaustive list of controls effectively. However, using these security controls as a baseline is a great way to find the areas that are most critical to your industry and organization. Definitely check out the Cloud Security Alliance (@cloudsa).

Once you ask some key questions, you will start to learn some interesting facts about certain SaaS providers. Here are a couple examples I’ve come across:

During one of my past assessments and follow-up meetings with a vendor, I learned that they were running their servers from the owner’s basement with minimal security in place. They did assure me that the owner’s house had a home security system in place though. From this finding, we forced them to move to a hosting provider.

Another review of a vendor revealed that their actual executed DR process during hurricane Katrina was to throw the server in the back of their van and move it to the developer’s house. In this situation, there was great concern on my part because their application processed payroll information (very sensitive). We did not proceed with this vendor.

Without at least asking questions of the vendors, this type of information would never have been exposed. Asking questions is a great start, but the true leaders of cyber security recognize the opportunity to improve security as part of this process. As many of you are aware, sometimes vendor decisions are made regardless of the security findings. At these moments, it is critical for security managers to use their persuasion skills to improve as many security gaps as possible prior to going into production.

Simple improvements can often be made just by making the request. Remember, these vendors want your money, so you have great power to influence their product and underlying security at the time of negotiations. Some simple examples below:

You say you don’t support strong passwords, but will you add the capability to enforce Upper/Lower/Number?

Your response says you don’t encrypt your backups, but can you do this for us?

You don’t perform vulnerability assessments, so we plan on running a scan against your environment and expect you to resolve the issues prior to go-live.

Your login page doesn’t use SSL. Please get a certificate and use SSL throughout the site for us.

Influencing change from vendors is the sign of a true leader, and it really isn’t that difficult. Yes, they may actually respond that some of your requests will cost money, but then you can at least evaluate the risk/reward of your desired security enhancements. Remember, it never hurts to ASK but it can really hurt if you DON’T ASK.

Follow Ryan Ward, Avatier Chief Innovation Officer and Chief Information Security Officer, on Twitter at https://twitter.com/ryawarr

Share This Article
Facebook Pinterest LinkedIn
Share

Follow us on Facebook

Latest News

Turning Monitoring Data Into Customer-Facing Incident Communication
Turning Monitoring Data Into Customer-Facing Incident Communication
Big Data Exclusive
business owner's dashboard
Eliminating Financial Blind Spots With A Business Owner’s Dashboard
Infographic News
reverse logistics
Reverse Logistics: Optimizing The Flow Of Returned Goods
Infographic
mapping hidden profits
Mapping Hidden Profit Leaks Across Distribution Operations
Business Rules Exclusive Infographic News

Stay Connected

1.2KFollowersLike
33.7KFollowersFollow
222FollowersPin

You Might also Like

6 Tips to Improve the Accuracy and Efficiency of Sales Planning
Cloud ComputingSoftware

6 Tips to Improve the Accuracy and Efficiency of Sales Planning

4 Min Read

Why you should be Vigilant against Top OWASP Security Risks

7 Min Read
AI usage in supply chain
Artificial IntelligenceExclusiveSecurity

How Does AI Help Secure The Supply Chain?

8 Min Read
Image
Security

Protecting Your Data Wherever It Goes [INFOGRAPHIC]

4 Min Read

SmartData Collective is one of the largest & trusted community covering technical content about Big Data, BI, Cloud, Analytics, Artificial Intelligence, IoT & more.

giveaway chatbots
How To Get An Award Winning Giveaway Bot
Big Data Chatbots Exclusive
ai chatbot
The Art of Conversation: Enhancing Chatbots with Advanced AI Prompts
Chatbots

Quick Link

  • About
  • Contact
  • Privacy
Follow US
© 2008-26 SmartData Collective. All Rights Reserved.
Welcome Back!

Sign in to your account

Username or Email Address
Password

Lost your password?