SaaS brings with it a unique set of challenges for those responsible for security. Barmak Meftah, senior vice president at Fortify Software, says the most important shift is looking at your software vendor not as a product company, but rather as a service provider in a guest commentary over at our CTO Edge site. Sound vendor management practices dictate that any third-party software is at least as secure as in-house packages, Meftah advises.
We’ve taken his checklist of steps to ensure that a SaaS vendor’s solution is secure and listed them in this handy slideshow, but do be sure to check out Meftah’s full column.
His final piece of advice? Remember that software is secure only when it’s built that way.
Click through for nine key tactics for ensuring that security is built into your SaaS solution.
Review the vendor’s service history, obtain customer references and ask them about their experiences with the vendor’s concern for privacy, reliability and security vulnerabilities.
Be certain that application and infrastructure security requirements are written into your contract with any SaaS provider. Include an audit clause whereby you or a third-party can periodically verify that the required controls are in place.
Get a solid Service Level Agreement (SLA). An SLA requires that the vendor provide a specified level of system reliability. A good vendor will strive for performance that meets Six Sigma levels of service quality (e.g., 99.9997% of security patches made within a set number of hours, not days, after public disclosure).
Do not accept a policy of making silent fixes to their service.
Insist that the vendor’s own software development process adheres to a robust software development life cycle model that includes tollgates that check for secure coding standards.
Carefully examine the vendor’s policies for data recovery and find out how long it will take to retrieve your data if you decide to terminate the contract, as well as how long it will take them to make it inaccessible online.
Maintain strong encryption standards and key management for data transmission between your site and the vendor site.
Be certain that your users are not the weak link in the security chain. Specify which Web browsers can be used to access services, and stay on top of browser security issues and updates. If possible, be certain that they must first log in to your network to access corporate information on the SaaS vendor site.
Always maintain ownership of domain names and control domain access when services can be accessed by your users. That way, if you terminate a vendor relationship, you will not have to retrain your clients on the correct URL to use to find you.