Ensure Cloud Security in a SaaS Environment

The devil’s in the details when realizing full value from a SaaS program.

  • The cloud is no longer a trend, but reality. Software as a Service (SaaS) offers major business and IT benefits that organizations are urgently trying to take advantage of.
  • For security professionals and leaders there are still major concerns. All too often an organization has decided to migrate some part of the business into a SaaS environment without major consultation or consideration of the security implications.
  • SaaS programs are of special concern due to the ambiguity of what vendors will provide for security controls and how a consumer can even begin to determine and validate any controls.
  • Security is the last and still largest obstacle to cloud adoption. Privacy and compliance concerns become exacerbated when control is lost.

Our Advice

Critical Insight

  • Handing off data doesn’t hand off responsibility. You must become your vendor’s auditor to get the security controls and confidence you need.
  • You can’t glue on security after the fact. Include security in SaaS negotiations.
  • Your SaaS vendor can often provide better security controls than you can.

Impact and Result

  • The business is adopting a SaaS program and that environment must be secured, which includes:
    • Ensuring business data cannot be leaked or stolen.
    • Securing the network connection points.
    • Maintaining privacy of data and other information.
  • Use the SaaS vendor to cover some security controls through contractual and configuration requirements to limit the internal controls that must be deployed.
  • This blueprint and associated tools are scalable for all types of organizations within various sectors.

Ensure Cloud Security in a SaaS Environment Research & Tools

1. Determine SaaS risk profile

Gain an understanding of the major implications of adopting a SaaS program and what this means for the organization's security.

2. Determine SaaS security control requirements

Determine a customized list of security controls specific to the organization's needs.

3. Create SaaS security requirements documents

Prepare requirements documents for the internal SaaS project team and potential SaaS vendors.

4. Evaluate SaaS vendors from a security perspective

Determine which cloud vendors are most appropriate for security needs.

5. Implement the secure SaaS program

Communicate effectively with stakeholders to ensure proper implementation of security controls for the SaaS program.

6. Build a SaaS governance program

Ensure the continued maintenance of the SaaS program's security.


Workshop: Ensure Cloud Security in a SaaS Environment

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Determine Your SaaS Risk Profile

The Purpose

  • Identify rationale for adopting a SaaS program to ensure security is not an impediment.
  • Identify major changes to security obligations from the adoption of a SaaS program.
  • Determine the risk profile of the organization’s new SaaS program.

Key Benefits Achieved

  • Realize business benefits: Identify the business’s main rationale for adopting SaaS and ensure this is not impeded.
  • Understand your security scope: Assessing the business processes being changed and respective changes to your security obligations will provide the scope of your responsibilities.
  • Identified SaaS risk profile: Clearly identified and communicable risk profile.

Activities and Outputs

1.1 Identify the organization’s main benefits for adopting a SaaS program and prioritize these benefits.
  • Output: Identified your organization’s rationale for adopting a SaaS program and prioritized these benefits.

1.2 Determine the importance of the assets being moved to the cloud.
  • Output: Assessed the business impact of a SaaS program.

1.3 Re-evaluate the organization’s risk tolerance level and change it accordingly.
  • Output: Identified changes to your security obligations.

1.4 Determine the SaaS risk profile.
  • Output: Determined your SaaS risk profile.

Module 2: Determine Your SaaS Security Requirements

The Purpose

  • Develop an understanding of how SaaS security can be achieved.
  • Determine and document all security control requirements of the organization.

Key Benefits Achieved

  • Select a safe SaaS vendor.
  • Select an auditable SaaS vendor.
  • Select a transparent SaaS vendor.
  • Select a portable SaaS vendor.

Activities and Outputs

2.1 Understand how consumers can evaluate vendors’ security capabilities.
  • Output: Evaluated vendors’ security capability completeness based on your organization’s SaaS risk profile.

2.2 Perform a cloud security requirement completeness assessment.

2.3 Perform a cloud security auditability assessment.
  • Output: Evaluated vendors’ auditable levels of their certifications and security testing.

2.4 Perform a cloud security governability assessment.
  • Output: Evaluated vendors’ governability by assessing transparency.

2.5 Perform a cloud security interoperability assessment.
  • Output: Evaluated vendors’ portability by assessing their interoperability.

Module 3: Create Your SaaS Security Requirements Documents and Evaluate Vendors

The Purpose

  • Document SaaS security requirements.
  • Double check requirements.
  • Evaluate SaaS vendors from a security perspective.

Key Benefits Achieved

  • Communicate your security requirements to internal SaaS project team.
  • Communicate your security requirements to external cloud vendor.
  • Determine which vendors are appropriate for you.
  • Determine which vendors support the security controls you require.

Activities and Outputs

3.1 Document your completeness, auditability, governability, and interoperability requirements in the SaaS Security SLA.
  • Output: Completed SaaS Security SLA document.

3.2 Double check the SLA and prepare talking points with cloud vendors.
  • Output: Prepared communications with cloud vendor.

3.3 Identify vendors that satisfy security requirements.

3.4 Develop negotiation tactics with vendors.

3.5 Alter the vendor sourcing process for SaaS vendor selection.
  • Output: Documented evaluation of potential SaaS vendors.

Module 4: Build a SaaS Governance Program to Maintain and Measure Security

The Purpose

  • Document SaaS security requirements.
  • Double check requirements.
  • Evaluate SaaS vendors from a security perspective.

Key Benefits Achieved

  • Determine what ongoing procedures and policies are right for your organization.
  • Customize all governing components for your organization.

Activities and Outputs

4.1 Build the organizational structure of your SaaS Security Governance Program.
  • Output: Documented all policies and procedures that you will need to successfully ensure continued strong SaaS security.

4.2 Define the escalation process.

4.3 Build a SaaS Security Governance Committee.

4.4 Document IAM policies and procedures.

4.5 Develop communication management.
  • Output: Communicated with your vendor on ongoing procedures.

4.6 Review the SaaS Security Governance Program’s suggested policies for customization.

4.7 Build a metrics program.


About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Speak With An Analyst

Get the help you need in this 1-phase advisory process. You'll receive 5 touchpoints with our researchers, all included in your membership.

  • Call 1: Determine your SaaS risk profile

    Determine your SaaS risk profile based on your organization's variables.

  • Call 2: Determine your SaaS vendor completeness

    Evaluate security controls and establish SaaS vendors’ security capabilities to determine safety completeness.

  • Call 3: Determine your SaaS vendor auditability and governability

    Build criteria for evaluating SaaS vendors’ certification, accreditation and security testing to determine transparency and audit levels.

  • Call 4: Determine your SaaS vendor interoperability

    Establish evaluation attributes for SaaS vendors’ interoperability to determine portability levels.

  • Call 5: Build your SaaS security governance program

    Determine the continuing procedures and policies that should be developed and deployed for continual security.

Authors

Alan Tang

Wesley McPherson
