A Security Checklist for Deploying Software-as-a-Service

In recent years, software-as-a-service (SaaS) has emerged as a viable application delivery method, and most enterprises are now including some SaaS software in their portfolios. SaaS saves IT infrastructure and maintenance costs, not to mention the hassle of initial deployment, integration and customization common with licensed software.

However, SaaS brings with it a unique set of challenges for those responsible for security. The most important shift is looking at your software vendor not as a product company, but rather as a service provider. Sound vendor management practices dictate that any third-party software is at least as secure as in-house packages. This guide will help you compare your organization’s risk management and compliance priorities to the SaaS provider’s security policies and procedures.

When you convert to SaaS, your data will be transported across the Internet to the SaaS vendor site. If their application is not secure, your critical business information will potentially be exposed to anyone who can take advantage of such a vulnerability.

Unfortunately, some SaaS vendors who become aware of a security flaw in their service may not immediately patch it. If a security fix can be made on their server without a client patch being necessary, some vendors may never alert you that there was a problem at all.

Of course, many SaaS providers rise to the challenges of providing secure and reliable cloud-based services. However, as the person responsible for the security of your enterprise data, you need more than faith as assurance that they will follow through on their best intentions.

The checklist when negotiating terms with a SaaS vendor should include:

• Review the vendor’s service history, obtain customer references and ask them about their experiences with the vendor’s concern for privacy, reliability and security vulnerabilities.
• Be certain that application and infrastructure security requirements are written into your contract with any SaaS provider. Include an audit clause whereby you or a third-party can periodically verify that the required controls are in place.
• Get a solid Service Level Agreement (SLA). An SLA requires that the vendor provide a specified level of system reliability. A good vendor will strive for performance that meets Six Sigma levels of service quality (e.g., 99.9997% of security patches made within a set number of hours, not days, after public disclosure).
• Do not accept a policy of making silent fixes to their service.
• Insist that the vendor’s own software development process adheres to a robust software development life cycle model that includes tollgates that check for secure coding standards.
• Carefully examine the vendor’s policies for data recovery and find out how long it will take to retrieve your data if you decide to terminate the contract, as well as how long it will take them to make it inaccessible online.
• Maintain strong encryption standards and key management for data transmission between your site and the vendor site.
• Be certain that your users are not the weak link in the security chain. Specify which Web browsers can be used to access services, and stay on top of browser security issues and updates. If possible, be certain that they must first log in to your network to access corporate information on the SaaS vendor site.
• Always maintain ownership of domain names and control domain access when services can be accessed by your users. That way, if you terminate a vendor relationship, you will not have to retrain your clients on the correct URL to use to find you.

Finally, you need to remember that software is secure only when it’s built that way, so when choosing a sound SaaS solution, be sure that the security has been checked for all vulnerabilities so that it’s secure for all of today’s distributed software portfolios.