A checklist for SaaS vendors

Our manager’s company uses a lot of third-party vendors, and some of these relationships have been in place for years. What will happen when he goes back to assess their security risks?

It seems like only yesterday when most of a company’s corporate applications ran on servers within its own data centers. I remember, at previous jobs, having teams of application engineers and administrators building, managing and administering all of the applications that allowed the company to operate — for email, HR, finance, sales, customer relationship management, learning management, marketing and more.

My current company has just two in-house applications, which run in a closet-size data center: source code management and a bug tracking system. Even those might be moved to a SaaS provider, as everything else already has been; the company now relies on more than 40 corporate-sanctioned, cloud-based applications. Many of them were put into service years before my arrival, and I’m just now getting around to evaluating the security risk of each one. My top priority is the applications that process the most sensitive data for the company, such as Salesforce and ADP, which manage customer information, sales forecasting, personnel data and payroll.

I recently met with our IT department to discuss vendor management. We agreed that no new corporate application will be allowed until we have identified its risks by assessing both the vendor and its service or application. To help with this, I created a spreadsheet for capturing answers to security-related questions. Such questionnaires are nothing new, of course, and the Standardized Information Gathering (SIG) questionnaire is a well-known example, so I was able to review the SIG and other vendor questionnaires I found on the Internet and pull out what I felt were the most important security questions and controls. I then applied weighted calculations to them.

For example, if the application processes sensitive data, I placed a higher weight on encryption than I would for an application that does something relatively innocuous like calculating tax or foreign currency conversions. For those tax and currency applications, I gave a lower weight to items such as recovery point objective (RPO) and recovery time objective (RTO) than I did for applications that store business-critical data, such as those used by finance and sales, or even the sites where we store corporate documents, such as Google Docs and Box, where data backup and disaster recovery are critical risk factors. The resulting scores will be useful in choosing products and establishing compensating controls. For example, if an application that processes sensitive data isn’t compatible with our single sign-on solution but nonetheless offers other ways to control access, we might decide to use the application anyway, perhaps restricting access by IP address as a compensating control.

We recently upgraded our PCI DSS compliance, so for any applications or service providers that process credit card data or otherwise fall within our PCI scope, I have revised the requirements. The vendor might have to provide a current attestation of compliance or a contractual statement that it is responsible for the security of our data. These requirements have already come in handy. A content delivery network (CDN) provider we were considering would have been in scope for PCI because it terminates TLS and inspects the decrypted traffic for application-layer attacks, and that traffic may contain cardholder data. As it turned out, that vendor was not PCI-compliant, and so it was out of the running.

As we start to evaluate the risk of existing applications and services, there is a good chance that some that have been in use for many years will have security issues that are just too difficult to address, and changing vendors might hurt the business too much. For these cases, we will evaluate the security controls that are in place and make sure that we are taking advantage of every built-in configuration setting. Many SaaS applications won’t have every item on my security checklist, but they typically offer settings such as password complexity, session timeouts and multifactor authentication that can serve as compensating controls for weaknesses in other areas.
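The tier-dependent weighting described earlier, the credit for compensating controls (IP restriction or MFA standing in for missing single sign-on, built-in settings offsetting gaps elsewhere), and the hard PCI gate from the CDN story, as an added Python example. This is not the columnist’s spreadsheet: the control names, the three data tiers, the weights, the compensating-control table, the acceptance thresholds and the two sample questionnaires are all my own assumptions, chosen to show the approach rather than to reproduce his numbers.

```python
"""Weighted SaaS vendor risk scoring (added example; assumptions are my own).

The questionnaire is a dict of control name -> True/False. Every weight,
control name and threshold below is an assumed value for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

TIERS = ("sensitive", "business", "innocuous")

# Weight per control, one column per data tier. Encryption and backup/DR
# weigh most for apps holding sensitive or business-critical data; a tax or
# currency-conversion utility gets little weight on recovery objectives.
WEIGHTS = {
    #                      sensitive  business  innocuous
    "encryption_at_rest":     (5,        3,        1),
    "encryption_in_transit":  (5,        4,        2),
    "sso_supported":          (4,        3,        1),
    "mfa_available":          (4,        3,        1),
    "rpo_rto_documented":     (4,        4,        1),
    "tested_backups":         (4,        4,        1),
    "session_timeout":        (2,        2,        1),
    "password_policy":        (2,        2,        1),
    "annual_pentest":         (3,        2,        1),
}

# A missing control can be partly offset by another control the vendor does
# offer: (alternative control, fraction of the missing control's weight).
COMPENSATING = {
    "sso_supported":      [("ip_allowlist", 0.5), ("mfa_available", 0.5)],
    "mfa_available":      [("ip_allowlist", 0.5)],
    "rpo_rto_documented": [("tested_backups", 0.5)],
}


@dataclass
class Assessment:
    vendor: str
    tier: str
    score: float                      # 0..100, percentage of weight earned
    gaps: list[str] = field(default_factory=list)      # still-unmet controls
    compensated: dict[str, float] = field(default_factory=dict)
    blocked: str | None = None        # hard-stop reason, if any


def score_vendor(vendor: str, tier: str, answers: dict, processes_card_data: bool = False) -> Assessment:
    """Score one questionnaire. Unanswered controls count as 'no'."""
    if tier not in TIERS:
        raise ValueError(f"unknown tier {tier!r}")
    col = TIERS.index(tier)

    # Hard gate before any arithmetic: a vendor in PCI DSS scope must show a
    # current attestation of compliance, or it is out of the running.
    if processes_card_data and not answers.get("pci_attestation_current", False):
        return Assessment(vendor, tier, 0.0, blocked="no current PCI DSS attestation of compliance")

    earned = total = 0.0
    gaps: list[str] = []
    compensated: dict[str, float] = {}
    for control, weights in WEIGHTS.items():
        w = weights[col]
        total += w
        if answers.get(control, False):
            earned += w
            continue
        # Control missing: credit compensating controls, capped at full weight.
        recovered = sum(w * frac for alt, frac in COMPENSATING.get(control, [])
                        if answers.get(alt, False))
        recovered = min(recovered, w)
        if recovered:
            compensated[control] = recovered
        earned += recovered
        if recovered < w:
            gaps.append(control)
    score = round(100.0 * earned / total, 1) if total else 0.0
    return Assessment(vendor, tier, score, gaps, compensated)


def decision(a: Assessment, accept: float = 80.0, conditional: float = 60.0) -> str:
    """Map an assessment to an outcome (thresholds are assumed values)."""
    if a.blocked:
        return "reject"
    if a.score >= accept:
        return "accept"
    if a.score >= conditional:
        return "accept with compensating controls"
    return "remediate or replace"


# Constructed sample questionnaires (not real vendor answers).
PAYROLL_ANSWERS = {   # sensitive data; no SSO or MFA, but IP restriction is possible
    "encryption_at_rest": True, "encryption_in_transit": True, "ip_allowlist": True,
    "rpo_rto_documented": True, "tested_backups": True, "session_timeout": True,
    "password_policy": True, "annual_pentest": True,
}
CONVERTER_ANSWERS = {"encryption_in_transit": True, "password_policy": True}

if __name__ == "__main__":
    for a in (score_vendor("payroll", "sensitive", PAYROLL_ANSWERS),
              score_vendor("fx-converter", "innocuous", CONVERTER_ANSWERS),
              score_vendor("cdn", "sensitive", {}, processes_card_data=True)):
        print(a.vendor, a.score, decision(a), a.gaps, a.compensated, a.blocked)
```

The same converter answers score far lower when re-run under the "sensitive" tier, which is the point of weighting by data classification: the questionnaire does not change, the weights do. Compensating credit is capped at the missing control’s own weight, so stacking alternatives can never make a gap score better than the control it replaces, and the compensated controls stay listed as gaps unless fully offset.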

My checklist is still a work in progress, but it’s a step in the right direction toward getting a handle on existing and new corporate-sanctioned SaaS applications and services. My goal is to make it easy enough that even a non-security employee could complete it with minimal assistance. We’ll see how that goes.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.
