- The cloud is no longer a trend but an operating reality. Software as a Service (SaaS) offers major business and IT benefits that organizations are eager to capture.
- For security professionals and leaders there are still major concerns. All too often a part of the business is migrated into a SaaS environment without meaningful consultation or consideration of the security implications.
- SaaS programs are of special concern because it is often ambiguous which security controls the vendor will provide and how a consumer can determine, let alone validate, those controls.
- Security remains the largest obstacle to cloud adoption. Privacy and compliance concerns are exacerbated when direct control over data and infrastructure is given up.
Our Advice
Critical Insight
- Handing off data does not hand off responsibility. You must become your vendor's auditor to obtain the security controls, and the evidence for them, that you need.
- You cannot bolt security on after the fact. Include security requirements in SaaS negotiations, before the contract is signed.
- Your SaaS vendor can often provide better security controls than you can, but only for the layers it operates; data classification, access decisions and tenant configuration remain yours.
Impact and Result
- The business is adopting a SaaS program and that environment must be secured, which includes:
  - Ensuring business data cannot be leaked or stolen.
  - Securing the network connection points between your environment and the vendor.
  - Maintaining the privacy of data and other information.
- Use the SaaS vendor to cover some security controls, through contractual and configuration requirements, so that fewer controls must be deployed internally.
- This blueprint and its associated tools scale to organizations of all sizes across sectors.
Workshop: Ensure Cloud Security in a SaaS Environment
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Determine Your SaaS Risk Profile
The Purpose
- Identify the rationale for adopting a SaaS program so that security does not become an impediment to it.
- Identify the major changes to security obligations that adoption of a SaaS program brings.
- Determine the risk profile of the organization's new SaaS program.
Key Benefits Achieved
- Realize business benefits: identify the business's main rationale for adopting SaaS and ensure it is not impeded.
- Understand your security scope: assessing which business processes change, and how your security obligations change with them, defines the scope of your responsibilities.
- Identify your SaaS risk profile: a clearly defined risk profile that can be communicated to stakeholders.
| Activities | Outputs |
|---|---|
| Identify the organization's main benefits from adopting a SaaS program and prioritize them. | Identified and prioritized your organization's rationale for adopting a SaaS program. |
| Determine the importance of the assets being moved to the cloud. | Assessed the business impact of the SaaS program. |
| Re-evaluate the organization's risk tolerance level and adjust it accordingly. | Identified the changes to your security obligations. |
| Determine the SaaS risk profile. | Determined your SaaS risk profile. |
Module 2: Determine Your SaaS Security Requirements
The Purpose
- Develop an understanding of how SaaS security can be achieved.
- Determine and document all of the organization's security control requirements.
Key Benefits Achieved
- Select a secure SaaS vendor.
- Select an auditable SaaS vendor.
- Select a transparent SaaS vendor.
- Select a portable SaaS vendor, so that leaving is as feasible as joining.
| Activities | Outputs |
|---|---|
| Understand how consumers can evaluate vendors' security capabilities; perform a cloud security requirement completeness assessment. | Evaluated the completeness of vendors' security capabilities against your organization's SaaS risk profile. |
| Perform a cloud security auditability assessment. | Evaluated how auditable vendors' certifications and security testing are. |
| Perform a cloud security governability assessment. | Evaluated vendors' governability by assessing their transparency. |
| Perform a cloud security interoperability assessment. | Evaluated vendors' portability by assessing their interoperability. |
Module 3: Create Your SaaS Security Requirements Documents and Evaluate Vendors
The Purpose
- Document SaaS security requirements.
- Double-check the requirements.
- Evaluate SaaS vendors from a security perspective.
Key Benefits Achieved
- Communicate your security requirements to the internal SaaS project team.
- Communicate your security requirements to external cloud vendors.
- Determine which vendors are appropriate for you.
- Determine which vendors support the security controls you require.
| Activities | Outputs |
|---|---|
| Document your completeness, auditability, governability, and interoperability requirements in the SaaS Security SLA. | Completed SaaS Security SLA document. |
| Double-check the SLA and prepare talking points for cloud vendors. | Prepared communications with cloud vendors. |
| Identify vendors that satisfy the security requirements; develop negotiation tactics for vendors; alter the vendor sourcing process for SaaS vendor selection. | Documented evaluation of potential SaaS vendors. |
Module 4: Build a SaaS Governance Program to Maintain and Measure Security
The Purpose
- Build a governance program that maintains and measures SaaS security after the vendor is selected.
- Determine the ongoing policies and procedures the program needs.
- Customize the governing components for your organization.
Key Benefits Achieved
- Determine which ongoing procedures and policies are right for your organization.
- Customize all governing components for your organization.
| Activities | Outputs |
|---|---|
| Build the organizational structure of your SaaS Security Governance Program; define the escalation process; build a SaaS Security Governance Committee; document IAM policies and procedures. | Documented all of the policies and procedures you need to maintain strong SaaS security over time. |
| Develop communication management. | Communicated ongoing procedures with your vendor. |
| Review the suggested SaaS Security Governance Program policies and customize them; build a metrics program. | |