7 Security Questions to Ask Your SaaS Provider



QUESTION 1: Who handles penetration testing, and how is it done?
It stands to reason that if you would hire an outside company to test the effectiveness of on-site firewalls and other IT security measures, your SaaS provider should do the same, and do it regularly.

Chuck Mortimore, director of platform services for Rearden Commerce, which offers the application Rearden Personal Assistant that helps coordinate various organizational tasks of your business and personal life such as booking travel, says his company employs someone to manage aspects of the vulnerability management process. The Foster City, Calif.-based company regularly runs both threat assessments and tests that verify its ability to withstand denial-of-service attacks. If a service provider doesn't invest in creating regular processes for penetration testing, its risk increases exponentially, Mortimore says.

Likewise, Xythos Software, which offers its enterprise document management system as a service, has hired several specialized service providers to help manage security functions. Jim Till, CMO for San Francisco-based Xythos, says many of the company's clients store highly sensitive information such as legal documents or logistics data in its application, which it first started selling as an on-premise option. For starters, the company has teamed up with OpSource, which recently announced Level 1 compliance with the rigorous Payment Card Industry Data Security Standard.

"We would have been foolish if we thought we could do this ourselves," Till says.

Other providers of vulnerability assessment services for SaaS include Qualys (which itself offers its capabilities as a service); Akibia, a security services firm and Microsoft Gold Certified Partner; Perimeter eSecurity, which has been acquiring a slew of SaaS security integrators; and Computer Sciences, which offers a set of operational services for ISVs looking to turn themselves into SaaS providers.

QUESTION 2: What are the sign-on, access and authentication policies?
The most common way to get at an application via the Internet is via a username and password. "The normal way is to go to their front door," says Patrick Harding, chief technology officer for Ping Identity, a Denver company that makes identity federation software.

But a growing number of companies are working with their service providers to pull the SaaS sign-in process into the bounds of their firewall or VPN, providing a higher degree of authentication. Simply put, the user must first safely log in to the company's corporate intranet before he or she can sign on to the application in question. This ensures that the login conforms to the company's security policy. Later, if an employee leaves the company, it's easier to disable his or her account access.

Liz Herbert, an analyst with Forrester Research who follows SaaS, says this effectively puts the access policy back into the hands of a company's internal IT department. "Your company may have a password policy, but sometimes the SaaS application isn't being managed according to the same rules," she says. One thing to look for, she says, is whether the SaaS sign-in process can be tied into a single sign-on process (see "One & Done", below) or integrated with an LDAP directory service such as Active Directory.

"I've looked at some Web-based applications that I've rejected because of this," says Adam Sroczynski, CEO of eBusiness Technology, which uses SaaS to handle project management and business functions. The biggest issues for Sroczynski are the policies a SaaS provider has in place to protect the username and password. If there is no formal plan in place, a breach of the Salesforce.com sort is more likely to happen because internal personnel haven't put in the proper security measures to reduce the potential for human misjudgment. Businesses should consider maintaining control of this process themselves, he suggests. That means, however, if a password is lost, the SaaS provider won't be in a position to recover it on behalf of the customer.

One & Done
Single sign-on simplifies access control.

How many account passwords can the average human manage?

The holy grail of single sign-on, allowing a person to log in just once for multiple applications, is being accelerated by the move to SaaS accounts, says Adam Sroczynski, CEO of eBusiness Technology, an early user of TriCipher's new on-demand single sign-on software myOneLogin. The more passwords a person must remember, the better the chances that at least one will be lost or compromised, he says.

Chuck Mortimore, director of platform services for Rearden Commerce, a SaaS provider that offers a personal assistant service, says that single sign-on puts access control and authentication back into the hands of the IT department. "It's very important. It provides them with one set of information to worry about, which they already have control over."

Patrick Harding, chief technology officer for Ping Identity, says single sign-on also makes it simpler to disable access quickly if an employee leaves or is terminated. "Plus, organizations can add whatever authentication they feel is necessary. They can reuse things they already have like certificates and tokens. It takes the burden off the SaaS provider."


This was first published in May 2008
