This article can also be found in the Premium Editorial Download "Information Security magazine: Seven questions to ask before committing to SaaS."
QUESTION 1: Who handles penetration testing, and how is it done?
It stands to reason that if you would hire an outside company to test the effectiveness of on-site firewalls and other IT security measures, your SaaS provider should do the same, and do it regularly.
Chuck Mortimore, director of platform services for Rearden Commerce, which offers Rearden Personal Assistant, an application that helps coordinate organizational tasks of business and personal life such as booking travel, says his company employs someone to manage aspects of the vulnerability management process. The Foster City, Calif.-based company regularly runs both threat assessments and tests that verify its ability to withstand denial-of-service attacks. If a service provider doesn't invest in creating regular processes for penetration testing, its risk increases exponentially, Mortimore says.
Likewise, Xythos Software, which offers its enterprise document management system as a service, has hired several specialized service providers to help manage security functions. Jim Till, CMO for San Francisco-based Xythos, says many of the company's clients store highly sensitive information such as legal documents or logistics data in its application, which it first started selling as an on-premise option. For starters, the company has teamed up with OpSource, which recently announced Level 1 compliance with the rigorous Payment Card Industry Data Security Standard.
"We would have been foolish if we thought we could do this ourselves," Till says.
Other providers of vulnerability assessment services for SaaS include Qualys (which itself offers its capabilities as a service); Akibia, a security services firm and Microsoft Gold Certified Partner; Perimeter eSecurity, which has been acquiring a slew of SaaS security integrators; and Computer Sciences, which offers a set of operational services for ISVs looking to turn themselves into SaaS providers.
QUESTION 2: What are the sign-on, access and authentication policies?
The most common way to reach an application over the Internet is with a username and password. "The normal way is to go to their front door," says Patrick Harding, chief technology officer for Ping Identity, a Denver company that makes identity federation software.
But a growing number of companies are working with their service providers to pull the SaaS sign-in process inside the bounds of their firewall or VPN, giving them a higher degree of control over authentication. Simply put, the user must first log in securely to the company's corporate intranet before he or she can sign on to the application in question. This ensures that the login conforms to the company's security policy. Later, if an employee leaves the company, it is easier to disable his or her account access.
Liz Herbert, an analyst with Forrester Research who follows SaaS, says this effectively puts the access policy back into the hands of a company's internal IT department. "Your company may have a password policy, but sometimes the SaaS application isn't being managed according to the same rules," she says. One thing to look for, she says, is whether the SaaS sign-in process can be tied into a single sign-on process (see "One & Done", below) or integrated with an LDAP directory service such as Active Directory.
"I've looked at some Web-based applications that I've rejected because of this," says Adam Sroczynski, CEO of eBusiness Technology, which uses SaaS to handle project management and business functions. The biggest issues for Sroczynski are the policies a SaaS provider has in place to protect the username and password. If there is no formal plan in place, a breach of the Salesforce.com sort is more likely to happen because internal personnel haven't put in the proper security measures to reduce the potential for human misjudgment. Businesses should consider maintaining control of this process themselves, he suggests. That means, however, if a password is lost, the SaaS provider won't be in a position to recover it on behalf of the customer.
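As an added illustration (not code from the article or from any vendor named in it), the following Python model shows the arrangement Harding and Herbert describe: the user authenticates against the corporate directory first, the corporate identity provider issues a short-lived signed assertion, and the SaaS application admits only that assertion, so internal IT keeps the password policy and can disable access in one place. The HMAC signing, shared key, audience URL and directory entries are constructed assumptions standing in for a real federation protocol and a real LDAP directory.

```python
import base64, hashlib, hmac, json
# Constructed corporate directory (stands in for LDAP/Active Directory); passwords
# are kept as salted PBKDF2 hashes, never in the clear.
def _hash_pw(pw):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), b"constructed-salt", 100_000)

DIRECTORY = {
    "alice": {"pw_hash": _hash_pw("CorrectHorse-42!"), "active": True},
    "bob":   {"pw_hash": _hash_pw("hunter2"), "active": True},
}
IDP_KEY = b"constructed-shared-secret"       # hypothetical IdP<->SaaS signing key
SAAS_AUDIENCE = "https://saas.example/acs"   # hypothetical SaaS endpoint
ASSERTION_TTL = 300                          # seconds; bounds reuse after a disable

def corporate_login(user, password, now):
    """Corporate IdP: checks the directory, then mints a short-lived signed assertion."""
    rec = DIRECTORY.get(user)
    if rec is None or not rec["active"]:
        return None                              # unknown or disabled account
    if not hmac.compare_digest(rec["pw_hash"], _hash_pw(password)):
        return None                              # wrong password
    claims = {"sub": user, "aud": SAAS_AUDIENCE, "iat": now, "exp": now + ASSERTION_TTL}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def saas_accept(assertion, now):
    """SaaS relying party: admits a user only on a valid, unexpired assertion meant for it."""
    if not assertion or assertion.count(".") != 1:
        return None
    body, sig = assertion.split(".")
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None                              # tampered or forged
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("aud") != SAAS_AUDIENCE:
        return None                              # issued for a different application
    if not claims.get("iat", 0) <= now < claims.get("exp", 0):
        return None                              # expired or not yet valid
    return claims["sub"]

def deprovision(user):
    """IT disables the account once, in the directory; no federated app issues new logins."""
    DIRECTORY[user]["active"] = False

def federated_sign_in(user, password, now):
    """End-to-end flow from the article: corporate login first, then the SaaS sign-on."""
    assertion = corporate_login(user, password, now)
    return saas_accept(assertion, now) if assertion else None
```

One caveat the model makes visible: an assertion minted before an account is disabled stays valid until it expires, because the SaaS side never consults the directory, which is why the assertion lifetime is kept short.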
This was first published in May 2008