Ignore Cloud Security Assessment at Your Own Risk
Companies that deploy software-as-a-service often don't know everything about the security provisions their SaaS providers and partners have in place. Experts say it's because they don't know what to ask, they don't know what to test and they no longer know what's standard for a cloud service provider contract.
Wed, March 13, 2013
CIO — As more enterprises embrace software-as-a-service (SaaS), a nagging question has begun to surface: Who's on the hook for assessing and validating cloud security?
The sometimes-complicated world of cloud computing makes that question tricky to answer. A SaaS deployment involves the customer, the software provider and, possibly, another party that hosts the cloud software. Some projects may also involve a cloud services broker as an intermediary.
SaaS apps cover a lot of ground these days, including business-critical functions from email to ERP, yet many cloud customers appear to simply accept whatever a SaaS provider says about its level of security.
Last year, the SANS Institute, an IT security training organization, reported that only 22 percent of the organizations it surveyed rely on extensive testing and validation before putting an outsourced or cloud-based application into production.
Vetting SaaS Providers No Easy Task
SANS analysts contend it's not enough to take SaaS providers at their word. At the same time, probing SaaS security can prove difficult for enterprises.
Jim Bird, a SANS analyst and co-author of the study, cites a lack of good guidelines for how to vet a SaaS provider. Tight budgets and limited resources are also considerations. "Most organizations are fighting for resources to secure their own solutions, never mind their suppliers," Bird says.
Industry executives suggest that SaaS buyers conduct a security assessment of vendors before they buy and annually once they start using the software. Third-party reviews of SaaS vendors, however, may lighten that load somewhat.
Auditing standards such as the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and security frameworks such as ISO 27001 provide buyers with some clues to a cloud provider's security commitment. In addition, the recently launched Federal Risk and Authorization Management Program (FedRAMP) establishes a cloud security assessment standard for cloud software providers in the government space.
John Keese, CEO of Autonomic Resources, the first FedRAMP-approved cloud service provider, believes this cloud vetting approach may move beyond the government space. "We think this is probably a model that will flow into commercial."