Information Security Magazine
7 Security Questions to Ask Your SaaS Provider
by Heather Clancy
Issue: May 2008

QUESTION 3: What encryption policies will protect data as it is transferred, or when it is being stored?
For starters, you should look for and insist on the strongest encryption levels possible.

This was the deciding factor for Aimable Mugara, the IT and multimedia director for the nonprofit organization Free The Children in Toronto, which about a year ago opted to use the Mozy online data storage and backup service. While 128-bit SSL encryption is now fairly typical, Mozy, a division of EMC, offers 448-bit Blowfish on-disk encryption. "That is very rare," Mugara says. Mozy also has taken steps to ensure its service meets compliance standards of the Health Insurance Portability and Accountability Act (HIPAA), which also gave Mugara a higher comfort level.

Prat Moghe, founder and chief technology officer for Tizor Systems, an enterprise data auditing and protection firm in Maynard, Mass., says it's also important to study how the provider stores each customer's data. "How strong is the security program when it comes to the data being stored? If there is a breach, how is that caught? And if the data gets out, is it encrypted?"

Another question worth asking: What breaches has the company had, if any, and how did it manage them?

One way to review the SaaS provider's data protection policies is to request a copy of its SAS 70 Audit Report (see "Up to Standard?," below). While SAS 70 is just a "gross level" audit, it does provide a common ground for discussion, says John Pescatore, security analyst with research firm Gartner. "This forces companies to define things in a way that's meaningful to both sides," Pescatore says.

SAS 70
Up to Standard?
SAS 70 audits verify data protection methods.

SAS 70 is by no means a guarantee of security, but it is helping shine a light on acceptable security processes around SaaS.

SAS is short for Statement on Accounting Standards. The SAS 70 report details exactly what measures someone is taking to protect your company's data. The Type I audit covers whether a SaaS provider has internal controls that are described in its disclosures to customers; Type II tests those controls in action.

John Pescatore, security analyst with research firm Gartner, says one good thing about SAS 70 is that it is recognized by corporate auditors. "If you use someone who doesn't use this measure, then you're always at risk," he says. "It sets a barrier to entry."

But Pescatore recommends adding a service-level agreement that outlines specific security measures, what will happen if something goes wrong and who is liable.

--HEATHER CLANCY

Shally Stanley, managing director of global services for Acumen Solutions, a security technology services provider, says her team forces its customers to step back and consider the type of data that would be stored.

"These questions are largely governed by the company's own risk posture and the type of data that is being handled," Stanley says.

"There are organizations that have very sensitive data that cannot, under any circumstances, be seen by anyone else. Their posture will be different than another company that has confidential information, but it isn't disastrous if it gets out," Stanley says.
