This article can also be found in the Premium Editorial Download "Information Security magazine: Seven questions to ask before committing to SaaS."
QUESTION 3: What encryption policies will protect data as it is transferred, or when it is being stored?
For starters, you should look for and insist on the strongest encryption levels possible.
This was the deciding factor for Aimable Mugara, the IT and multimedia director for the nonprofit organization Free The Children in Toronto, which about a year ago opted to use the Mozy online data storage and backup service. While 128-bit SSL encryption is now fairly typical, Mozy, a division of EMC, offers 448-bit Blowfish on-disk encryption. "That is very rare," Mugara says. Mozy also has taken steps to ensure its service meets compliance standards of the Health Insurance Portability and Accountability Act (HIPAA), which also gave Mugara a higher comfort level.
Prat Moghe, founder and chief technology officer for Tizor Systems, an enterprise data auditing and protection firm in Maynard, Mass., says it's also important to study how the provider stores each customer's data. "How strong is the security program when it comes to the data being stored? If there is a breach, how is that caught? And if the data gets out, is it encrypted?"
Another question worth asking: What breaches has the company had, if any, and how did it manage them?
One way to review the SaaS provider's data protection policies is to request a copy of its SAS 70 Audit Report (see "Up to Standard?," below). While SAS 70 is just a "gross level" audit, it does provide a common ground for discussion, says John Pescatore, security analyst with research firm Gartner. "This forces companies to define things in a way that's meaningful to both sides," Pescatore says.
Shally Stanley, managing director of global services for Acumen Solutions, a security technology services provider, says her team forces its customers to step back and consider the type of data that would be stored.
"These questions are largely governed by the company's own risk posture and the type of data that is being handled," Stanley says.
"There are organizations that have very sensitive data that cannot, under any circumstances, be seen by anyone else. Their posture will be different than another company that has confidential information, but it isn't disastrous if it gets out," Stanley says.
This was first published in May 2008