By utilizing some very basic listening skills at these discussions (I am sometimes told listening is not my strong suit), even Beethoven would discover that the confident security leaders all follow similar processes to manage the SaaS risk: true information security leaders ask the vendors questions about how they manage security before purchasing the product.
Wow, sounds difficult doesn’t it!
“Due diligence” is all that really separates the men from the boys in the space because if you do not at least ask questions of the SaaS vendors, you will never know their state of security. All the effective security organizations seem to have a process in place in which potential vendors must complete a survey or questionnaire about their security practices. The surveys do differ between organizations, but they should differ to highlight each organization’s key risk and information security compliance requirements. To truly be effective, the assessment should be built into the SDLC or PMO processes so it is required for all new contracts.
Over the past several years, groups like the Cloud Security Alliance (CSA) have progressed this space considerably, but the CSA controls are fairly extensive so it is difficult for both CISOs and SaaS vendors to complete/review the exhaustive list of controls effectively. However, using these security controls as a baseline is a great way to find the areas that are most critical to your industry and organization. Definitely check out the Cloud Security Alliance (@cloudsa).
Once you ask some key questions, you will start to learn some interesting facts about certain SaaS providers. Here are a couple examples I’ve come across:
During one of my past assessments and follow-up meetings with a vendor, I learned that they were running their servers from the owner’s basement with minimal security in place. They did assure me that the owner’s house had a home security system in place though. From this finding, we forced them to move to a hosting provider.
Another review of a vendor revealed that their actual executed DR process during hurricane Katrina was to throw the server in the back of their van and move it to the developer’s house. In this situation, there was great concern on my part because their application processed payroll information (very sensitive). We did not proceed with this vendor.
Without at least asking questions of the vendors, this type of information would never have been exposed. Asking questions is a great start, but the true leaders of cyber security recognize the opportunity to improve security as part of this process. As many of you are aware, sometimes vendor decisions are made regardless of the security findings. At these moments, it is critical for security managers to use their persuasion skills to improve as many security gaps as possible prior to going into production.
Simple improvements can often be made just by making the request. Remember, these vendors want your money, so you have great power to influence their product and underlying security at the time of negotiations. Some simple examples below:
You say you don’t support strong passwords, but will you add the capability to enforce Upper/Lower/Number?
Your response says you don’t encrypt your backups, but can you do this for us?
You don’t perform vulnerability assessments, so we plan on running a scan against your environment and expect you to resolve the issues prior to go-live.
Your login page doesn’t use SSL. Please get a certificate and use SSL throughout the site for us.
Influencing change from vendors is the sign of a true leader, and it really isn’t that difficult. Yes, they may actually respond that some of your requests will cost money, but then you can at least evaluate the risk/reward of your desired security enhancements. Remember, it never hurts to ASK but it can really hurt if you DON’T ASK.
Follow Ryan Ward, Avatier Chief Innovation Officer and Chief Information Security Officer, on Twitter at https://twitter.com/ryawarr