Cookies help us display personalized product recommendations and ensure you have great shopping experience.

By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
SmartData CollectiveSmartData Collective
  • Analytics
    AnalyticsShow More
    sales and data analytics
    How Data Analytics Improves Lead Management and Sales Results
    9 Min Read
    data analytics and truck accident claims
    How Data Analytics Reduces Truck Accidents and Speeds Up Claims
    7 Min Read
    predictive analytics for interior designers
    Interior Designers Boost Profits with Predictive Analytics
    8 Min Read
    image fx (67)
    Improving LinkedIn Ad Strategies with Data Analytics
    9 Min Read
    big data and remote work
    Data Helps Speech-Language Pathologists Deliver Better Results
    6 Min Read
  • Big Data
  • BI
  • Exclusive
  • IT
  • Marketing
  • Software
Search
© 2008-25 SmartData Collective. All Rights Reserved.
Reading: Cyber Security: How to Cover Your SaaS
Share
Notification
Font ResizerAa
SmartData CollectiveSmartData Collective
Font ResizerAa
Search
  • About
  • Help
  • Privacy
Follow US
© 2008-23 SmartData Collective. All Rights Reserved.
SmartData Collective > IT > Cloud Computing > Cyber Security: How to Cover Your SaaS
Cloud ComputingSecurity

Cyber Security: How to Cover Your SaaS

ryanward
ryanward
6 Min Read
Image
SHARE

ImageWhile attending various conferences, roundtables and other information security gatherings, a common theme that often presents itself is the concern over security of software-as-a-service (SaaS) vendors. Another common theme seems to be that IT cyber security teams are either very confident with how they are managing this particular “cloud” risk or they are completely baffled at how to discover and deal with the risk.

ImageWhile attending various conferences, roundtables and other information security gatherings, a common theme that often presents itself is the concern over security of software-as-a-service (SaaS) vendors. Another common theme seems to be that IT cyber security teams are either very confident with how they are managing this particular “cloud” risk or they are completely baffled at how to discover and deal with the risk.

By utilizing some very basic listening skills at these discussions (I am sometimes told listening is not my strong suit), even Beethoven would discover that the confident security leaders all follow similar processes to manage the SaaS risk: true information security leaders ask the vendors questions about how they manage security before purchasing the product.

Wow, sounds difficult doesn’t it!

More Read

5 Essential Steps To Take After A Data Security Breach
DHS wants to stop the rise of large-scale DDoS attacks
The Pivoting Role of Internet Safety Rules in the Era of Big Data
How Will The Cloud Impact Data Warehousing Technologies?
10 Tips for a Successful Implementation of Cloud Computing

“Due diligence” is all that really separates the men from the boys in the space because if you do not at least ask questions of the SaaS vendors, you will never know their state of security. All the effective security organizations seem to have a process in place in which potential vendors must complete a survey or questionnaire about their security practices. The surveys do differ between organizations, but they should differ to highlight each organization’s key risk and information security compliance requirements. To truly be effective, the assessment should be built into the SDLC or PMO processes so it is required for all new contracts.

Over the past several years, groups like the Cloud Security Alliance (CSA) have progressed this space considerably, but the CSA controls are fairly extensive so it is difficult for both CISOs and SaaS vendors to complete/review the exhaustive list of controls effectively. However, using these security controls as a baseline is a great way to find the areas that are most critical to your industry and organization. Definitely check out the Cloud Security Alliance (@cloudsa).

Once you ask some key questions, you will start to learn some interesting facts about certain SaaS providers. Here are a couple examples I’ve come across:

During one of my past assessments and follow-up meetings with a vendor, I learned that they were running their servers from the owner’s basement with minimal security in place. They did assure me that the owner’s house had a home security system in place though. From this finding, we forced them to move to a hosting provider.

Another review of a vendor revealed that their actual executed DR process during hurricane Katrina was to throw the server in the back of their van and move it to the developer’s house. In this situation, there was great concern on my part because their application processed payroll information (very sensitive). We did not proceed with this vendor.

Without at least asking questions of the vendors, this type of information would never have been exposed. Asking questions is a great start, but the true leaders of cyber security recognize the opportunity to improve security as part of this process. As many of you are aware, sometimes vendor decisions are made regardless of the security findings. At these moments, it is critical for security managers to use their persuasion skills to improve as many security gaps as possible prior to going into production.

Simple improvements can often be made just by making the request. Remember, these vendors want your money, so you have great power to influence their product and underlying security at the time of negotiations. Some simple examples below:

You say you don’t support strong passwords, but will you add the capability to enforce Upper/Lower/Number?

Your response says you don’t encrypt your backups, but can you do this for us?

You don’t perform vulnerability assessments, so we plan on running a scan against your environment and expect you to resolve the issues prior to go-live.

Your login page doesn’t use SSL. Please get a certificate and use SSL throughout the site for us.

Influencing change from vendors is the sign of a true leader, and it really isn’t that difficult. Yes, they may actually respond that some of your requests will cost money, but then you can at least evaluate the risk/reward of your desired security enhancements. Remember, it never hurts to ASK but it can really hurt if you DON’T ASK.

Follow Ryan Ward, Avatier Chief Innovation Officer and Chief Information Security Officer, on Twitter at https://twitter.com/ryawarr

Share This Article
Facebook Pinterest LinkedIn
Share

Follow us on Facebook

Latest News

sales and data analytics
How Data Analytics Improves Lead Management and Sales Results
Analytics Big Data Exclusive
ai in marketing
How AI and Smart Platforms Improve Email Marketing
Artificial Intelligence Exclusive Marketing
AI Document Verification for Legal Firms: Importance & Top Tools
AI Document Verification for Legal Firms: Importance & Top Tools
Artificial Intelligence Exclusive
AI supply chain
AI Tools Are Strengthening Global Supply Chains
Artificial Intelligence Exclusive

Stay Connected

1.2kFollowersLike
33.7kFollowersFollow
222FollowersPin

You Might also Like

Image
Cloud Computing

How to Really Make Cloud Computing Work

6 Min Read

The Big Data in Teradata

7 Min Read

2011 Cloud & IT Disaster Recovery Statistics

4 Min Read
Data Storage
Cloud ComputingData Warehousing

What Trends Are In Store For Data Storage?

5 Min Read

SmartData Collective is one of the largest & trusted community covering technical content about Big Data, BI, Cloud, Analytics, Artificial Intelligence, IoT & more.

ai chatbot
The Art of Conversation: Enhancing Chatbots with Advanced AI Prompts
Chatbots
ai is improving the safety of cars
From Bolts to Bots: How AI Is Fortifying the Automotive Industry
Artificial Intelligence

Quick Link

  • About
  • Contact
  • Privacy
Follow US
© 2008-25 SmartData Collective. All Rights Reserved.
Go to mobile version
Welcome Back!

Sign in to your account

Username or Email Address
Password

Lost your password?