Security Must Haves in a SaaS Provider

The past year was a learning curve on Cloud Computing, especially on SaaS providers. More and more ASPs are coming back rebranded as SaaS providers. As a security practitioner, it would be good to have a must-have checklist we can use to assess them.

I prepared the following must-have checklist based on the Cloud Computing Alliance Guide (v1.0) document. “SaaS Provider” refers to the vendor providing the cloud computing service, and “Consumer” is the client or end user of the SaaS Provider.

Governance and Enterprise Risk Management

  1. SaaS Provider must provide at least SAS 70 Type II or equivalent certifications (e.g. Agreed Upon Procedures). SAS 70 Type II is a mandatory requirement if the service is SOX critical or within financial statement audit scope. If credit card information is involved, PCI DSS compliance certification is required.
  2. SaaS Provider must provide Consumer with listings of all third party relationships that it has; the same audit assurance requirements as above apply to them. The vendor is expected to obtain such audit assurance from its third party subcontractors and provide it to Consumer upon request.
  3. SaaS Provider must divulge the policies, procedures and processes comprising its Information Security Management System (ISMS).


  1. Consumer must have authority to define Service Level Agreements with SaaS Provider.
  2. SaaS Provider must incur all costs for both an expected and an unexpected termination of the relationship and for an orderly return or secure disposal of Consumer assets.
  3. All of Consumer’s data must be destroyed from the SaaS Provider systems and environments upon the termination of the contract/services and upon completion of the transition and conversion to Consumer’s chosen platform, and upon receipt of confirmation of the same from Consumer’s executive sponsor and/or legal counsel.
  4. Consumer information assets must not be used for secondary purposes, including use of Consumer assets as test data.
  5. SaaS Provider must host all Consumer information assets in a country that Consumer is comfortable with (based on the regulations that Consumer is subject to).
  6. SaaS Provider must accept all costs related to data breaches where possible, including recovery costs.
  7. SaaS Provider must not share Consumer information assets with a third party or government entity without prior consent.
  8. Consumer must have an escrow arrangement for SaaS Provider software and applications.

Electronic Discovery

  1. Consumer must have authority to define roles and responsibilities related to Electronic Discovery, including such activities as litigation hold, discovery searches, and who provides expert testimony.

Compliance and Audit

  1. Consumer must have authority to define the type of controls that will be applied to the locations where data will be stored.
  2. Consumer must have authority to audit SaaS Provider on demand.
  3. Consumer must have authority to perform external risk assessments, including a Privacy Impact Assessment, on the SaaS Provider.

Information Lifecycle Management

  1. SaaS Provider must retain and destroy Consumer information assets per Consumer security policies and standards.
  2. Consumer must have authority to perform regular backup and recovery tests to assure that logical segregation and controls are effective.
  3. All regular backups must be delivered to a data warehouse owned by Consumer.
  4. SaaS Provider must have logical segregation of duties among its personnel.

Portability and Interoperability

  1. Consumer must receive regular data extractions and backups in a format that is not proprietary and is reusable by Consumer.

Traditional Security, Business Continuity and Disaster Recovery

  1. Consumer must have authority to define business continuity and disaster recovery requirements.
  2. Consumer must have authority to perform onsite inspections of SaaS Provider’s facilities whenever required.
  3. Consumer must have authority to inspect SaaS Provider disaster recovery and business continuity plans.


The Open Group Security Practitioners Conference Day 2

Jim Hietala of The Open Group made the opening remarks on Governance, Risk, Compliance and Audit, followed by a presentation on Professional Trends in Governance, Risk, Compliance and Audit by David Foote of Foote Partners LLC.

Mr. Foote says there is a lot of investment now happening in Security Architecture and there is growing demand for security architects. An average salary of 125K USD can be expected by a Security Architect and 149K USD by a Security Director in the US.

Peter T. Davis of Peter Davis and Associates shared his thoughts on IT Governance and the various methodologies. He explained why organizations need to have goals and strategies, why they should have a process and how they need to monitor performance, and why there is a need for continuous process improvement.

Joel Winteregg of NetGuardians, Switzerland introduced the concept of the XDAS Audit & Logging Standard for servicing today’s regulatory / compliance requirements. Today every vendor defines its own audit trail format for its SIEM solution; no common standard is followed. There is a strong need for a uniform format and taxonomy for audit trails. XDAS is not a logging standard, it is an auditing standard.

Tim Grance of NIST presented NIST’s view of standards on compliance. He introduced the Security Content Automation Protocol (SCAP), used by the National Vulnerability Database (NVD), to the community. It helps to standardize the communication of vulnerabilities.

Shawn Mullen shared his thoughts on how the ACEML standard will meet compliance, and Shawn Chanput from Privity Systems gave an overview of security in Cloud Computing from a Canadian perspective.

According to Shawn Chanput, there are few organizations that have done comprehensive data classification, which is critical in securing the cloud. He says it’s important to understand where the data will reside and how it is duplicated. He explained the new effort for version 2.0 and invited participation in the various domains.

What were they thinking?

At the start of the New Year, CIO magazine has data protection and governance at the top of the list for this year. I thought this was supposed to be taken care of from day one! In this age when words are being patented, we are still trying to figure out how to protect data.

It’s true we have information hidden everywhere, consciously or not. It was only very late that we realised the value of the data we had carried for so long. We found there is a lot of value in this dusty data that we had a hard time archiving. We developed the concept of the data warehouse and business intelligence. Even then, we forgot to protect it. Talk to some of the best data warehousing experts in the industry, and you will be surprised when they start arguing against your need to protect data! Any data that is archived for future purposes needs to be considered intellectual property, and there need to be proper controls in place to protect it. Many times our analysts and developers have easy access to this type of information. We have flat networks without any segregation of the development and production environments. Sometimes a non-production environment is considered as the failover for a production site! You will not be surprised if the custodian of the production data approves it for use in a non-production environment as test data. Every business wants an immediate, easy and quick solution to the market. In order to meet that, we tend to lose our common sense. We give direct access to our data warehouse using an Excel program. The residual copy of any data accessed will be hidden somewhere on our desktop until it is fetched by an unknown party.

While we are in the race of cutting costs and outsourcing, we do not realise the ramifications of it until late. Initially outsourcing started with personnel coming onsite to do the work. However, it’s the opposite now. We tend to ship our data across the borders. We think our network is efficient, that the personnel at the offshore site are efficient and skilled, and that they have enough due diligence to protect it. The reality is different. With the high daily turnover of IT personnel at some of the outsourcing vendors, where the banners on their campus read “trespassers are recruited”, you cannot find committed, experienced and skilled personnel. Some of these personnel who work on our credit card numbers are ready to give out their own personal credit card number, CVV and address. Most of these personnel are recruited directly from college, and their only concern is to get a job and take vacation to enjoy! The laws of the origin of the information are not applicable at the destination, and as such it sometimes takes a while to resolve any data breach issues.

We are still not mature in the way we deal with data. Most organisations are still on their way to building a metadata repository that would contain data classification along with the access control mandated by the business. Some are still sleeping, while others are inventing their own “law of the jungle” instead of following an established set of industry standards.