Ensure Cloud Security in a SaaS Environment
The devil’s in the details when realizing full value from a SaaS program.
Onsite Workshop
Ad hoc or immature SaaS security can cause:
- Insecure service-level agreements.
- Limited or no visibility into SaaS data security.
- Short-lived security controls.
Upfront determination of security requirements results in:
- Favorable service-level agreements.
- Visibility and transparency into SaaS vendor security operations.
- Continued security of SaaS-hosted data and information.
Module 1: Determine Your SaaS Risk Profile
The Purpose
- Identify the rationale for adopting a SaaS program so that security does not become an impediment.
- Identify major changes to security obligations from the adoption of a SaaS program.
- Determine the risk profile of the organization’s new SaaS program.
Key Benefits Achieved
- Realize business benefits: Identify the business’s main rationale for adopting SaaS and ensure this is not impeded.
- Understand your security scope: Assessing the business processes being changed, and the corresponding changes to your security obligations, defines the scope of your responsibilities.
- Identified SaaS risk profile: A clearly identified and communicable risk profile.
| Activities | Outputs |
|---|---|
| 1.1 Identify the organization’s main benefits for adopting a SaaS program and prioritize these benefits. | |
| 1.2 Determine the importance of the assets being moved to the cloud. | |
| 1.3 Re-evaluate the organization’s risk tolerance level and adjust it accordingly. | |
| 1.4 Determine the SaaS risk profile. | |
Module 2: Determine Your SaaS Security Requirements
The Purpose
- Develop an understanding of how SaaS security can be achieved.
- Determine and document all security control requirements of the organization.
Key Benefits Achieved
- Select a safe SaaS vendor.
- Select an auditable SaaS vendor.
- Select a transparent SaaS vendor.
- Select a portable SaaS vendor.
| Activities | Outputs |
|---|---|
| 2.1 Understand how consumers can evaluate vendors’ security capabilities. | |
| 2.2 Perform a cloud security requirement completeness assessment. | |
| 2.3 Perform a cloud security auditability assessment. | |
| 2.4 Perform a cloud security governability assessment. | |
| 2.5 Perform a cloud security interoperability assessment. | |
Module 3: Create Your SaaS Security Requirements Documents and Evaluate Vendors
The Purpose
- Document SaaS security requirements.
- Double-check requirements.
- Evaluate SaaS vendors from a security perspective.
Key Benefits Achieved
- Communicate your security requirements to the internal SaaS project team.
- Communicate your security requirements to the external cloud vendor.
- Determine which vendors are appropriate for you.
- Determine which vendors support the security controls you require.
| Activities | Outputs |
|---|---|
| 3.1 Document your completeness, auditability, governability, and interoperability requirements in the SaaS Security SLA. | |
| 3.2 Double-check the SLA and prepare talking points for cloud vendors. | |
| 3.3 Identify vendors that satisfy the security requirements. | |
| 3.4 Develop negotiation tactics for use with vendors. | |
| 3.5 Alter the vendor sourcing process for SaaS vendor selection. | |
Module 4: Build a SaaS Governance Program to Maintain and Measure Security
The Purpose
- Document SaaS security requirements.
- Double-check requirements.
- Evaluate SaaS vendors from a security perspective.
Key Benefits Achieved
- Determine what ongoing procedures and policies are right for your organization.
- Customize all governing components for your organization.
| Activities | Outputs |
|---|---|
| 4.1 Build the organizational structure of your SaaS Security Governance Program. | |
| 4.2 Define the escalation process. | |
| 4.3 Build a SaaS Security Governance Committee. | |
| 4.4 Document IAM policies and procedures. | |
| 4.5 Develop communication management. | |
| 4.6 Review the SaaS Security Governance Program’s suggested policies for customization. | |
| 4.7 Build a metrics program. | |