Ensure Cloud Security in a SaaS Environment

The devil’s in the details when realizing full value from a SaaS program.

Your Challenge

  • The cloud is no longer a trend, but reality. Software as a Service (SaaS) offers major business and IT benefits that organizations are urgently trying to take advantage of.
  • For security professionals and leaders, there are still major concerns. All too often an organization decides to migrate some part of the business into a SaaS environment without consulting security or considering the security implications.
  • SaaS programs are of special concern because of the ambiguity around which security controls vendors will provide, and because a consumer has no obvious way to determine and validate those controls.
  • Security remains the largest obstacle to cloud adoption. Privacy and compliance concerns are exacerbated when direct control over data and infrastructure is handed to a third party.

Our Advice

Critical Insight

  • Handing off data doesn’t hand off responsibility. You must become your vendor’s auditor to get the security controls and confidence you need.
  • You can’t glue on security after the fact. Include security in SaaS negotiations.
  • Your SaaS vendor can often provide better security controls than you can.

Impact and Result

  • The business is adopting a SaaS program and that environment must be secured, which includes:
    • Ensuring business data cannot be leaked or stolen.
    • Securing the network connection points.
    • Maintaining privacy of data and other information.
  • Use the SaaS vendor to cover some security controls through contractual and configuration requirements to limit the internal controls that must be deployed.
  • This blueprint and associated tools are scalable for all types of organizations within various sectors.

Research & Tools

1. Determine SaaS risk profile

Gain an understanding of the major implications of adopting a SaaS program and what this means for the organization's security.

2. Determine SaaS security control requirements

Determine a customized list of security controls specific to the organization's needs.

3. Create SaaS security requirements documents

Prepare requirements documents for the internal SaaS project team and potential SaaS vendors.

4. Evaluate SaaS vendors from a security perspective

Determine which cloud vendors are most appropriate for security needs.

5. Implement the secure SaaS program

Communicate effectively with stakeholders to ensure proper implementation of security controls for the SaaS program.

6. Build a SaaS governance program

Ensure the continued maintenance of the SaaS program's security.

Guided Implementations

This guided implementation is a five-call advisory process.

Call #1 - Determine your SaaS risk profile

Determine your SaaS risk profile based on your organization's variables.

Call #2 - Determine your SaaS vendor completeness

Evaluate security controls and establish SaaS vendors’ security capabilities to determine the completeness of their control coverage.

Call #3 - Determine your SaaS vendor auditability and governability

Build criteria for evaluating SaaS vendors’ certification, accreditation and security testing to determine transparency and audit levels.

Call #4 - Determine your SaaS vendor interoperability

Establish evaluation attributes for SaaS vendors’ interoperability to determine portability levels.

Call #5 - Build your SaaS security governance program

Determine the continuing procedures and policies that should be developed and deployed for continual security.

Onsite Workshop

Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Determine Your SaaS Risk Profile

The Purpose

  • Identify rationale for adopting a SaaS program to ensure security is not an impediment.
  • Identify major changes to security obligations from the adoption of a SaaS program.
  • Determine the risk profile of the organization’s new SaaS program.

Key Benefits Achieved

  • Realize business benefits: Identify the business’s main rationale for adopting SaaS and ensure this is not impeded.
  • Understand your security scope: Assessing the business processes being changed and respective changes to your security obligations will provide the scope of your responsibilities.
  • Identified SaaS risk profile: a clearly identified and communicable risk profile.

Identify the organization’s main benefits for adopting a SaaS program and prioritize these benefits.

  • Identified your organization’s rationale for adopting a SaaS program and prioritized these benefits.

Determine the importance of the assets being moved to the cloud.

  • Assessed the business impact of a SaaS program.

Re-evaluate the organization’s risk tolerance level and adjust it accordingly.

  • Identified changes to your security obligations.

Determine SaaS risk profile.

  • Determined your SaaS risk profile.

Module 2: Determine Your SaaS Security Requirements

The Purpose

  • Develop an understanding of how SaaS security can be achieved.
  • Determine and document all security control requirements of the organization.

Key Benefits Achieved

  • Select a safe SaaS vendor.
  • Select an auditable SaaS vendor.
  • Select a transparent SaaS vendor.
  • Select a portable SaaS vendor.

Understand how consumers can evaluate vendors’ security capabilities.

  • Evaluated vendors’ security capability completeness based on your organization’s SaaS risk profile.

Perform a cloud security requirement completeness assessment.

Perform a cloud security auditability assessment.

  • Evaluated the auditability of vendors’ certifications and security testing.

Perform a cloud security governability assessment.

  • Evaluated vendors’ governability by assessing transparency.

Perform a cloud security interoperability assessment.

  • Evaluated vendors’ portability by assessing their interoperability.

Module 3: Create Your SaaS Security Requirements Documents and Evaluate Vendors

The Purpose

  • Document SaaS security requirements.
  • Double-check requirements.
  • Evaluate SaaS vendors from a security perspective.

Key Benefits Achieved

  • Communicate your security requirements to internal SaaS project team.
  • Communicate your security requirements to external cloud vendor.
  • Determine which vendors are appropriate for you.
  • Determine which vendors support the security controls you require.

Document your completeness, auditability, governability, and interoperability requirements in the SaaS Security SLA.

  • Completed SaaS Security SLA Document.

Double-check the SLA and prepare talking points for cloud vendors.

  • Prepared communications with cloud vendor.

Identify vendors that satisfy the security requirements.

Develop negotiation tactics for use with vendors.

Adapt the vendor sourcing process for SaaS vendor selection.

  • Documented evaluation of potential SaaS vendors.

Module 4: Build a SaaS Governance Program to Maintain and Measure Security

The Purpose

  • Determine the ongoing procedures and policies needed to maintain the SaaS program’s security.
  • Build the governance structure, escalation process, and committee that will own them.
  • Establish metrics to measure the program’s security over time.

Key Benefits Achieved

  • Determine what ongoing procedures and policies are right for your organization.
  • Customize all governing components for your organization.

Build the organizational structure of your SaaS Security Governance Program.

  • Documented all policies and procedures that you will need to successfully ensure continued strong SaaS security.

Define the escalation process.

Build a SaaS Security Governance Committee.

Document IAM policies and procedures.

Develop communication management.

  • Communicated with your vendor on ongoing procedures.

Review the SaaS Security Governance Program’s suggested policies for customization.

Build a metrics program.

Search Code: 76062
Published: September 22, 2014
Last Revised: October 2, 2014