How should companies handle SaaS compliance?

SaaS cloud security presents extra challenges to enterprise compliance. Expert Mike Chapple offers some advice on how to cope with those challenges.

The growing rate of SaaS use means there is also a growing rate of compliance challenges for organizations using these cloud applications. Two big challenges include ensuring the use of SaaS services stays within the terms agreed upon with the SaaS provider, and ensuring the data associated with the app use is transmitted, used and stored in accordance with compliance regulations. What are some ways enterprises can deal with these SaaS compliance challenges?

The "cloud first" approach that many organizations adopted over the past few years drives IT shops to consider software as a service as one of the main IT service delivery mechanisms to meet business requirements. SaaS security raises new compliance obligations, particularly when it comes to the terms of service from SaaS providers and the security of data stored, processed and transmitted by SaaS providers.

License compliance has always been a difficult legal and operational challenge for IT organizations. It's hard to track SaaS compliance with the many details of license agreements, and the use of cloud services simply adds to the pile of requirements that enterprises must consider. One of the main SaaS compliance issues organizations must tackle is ensuring only authorized individuals gain access to the SaaS offering. For example, if a company purchases an enterprise license for a SaaS product that covers all full-time employees, it must ensure that its authorization mechanisms prevent part-time employees and others without full-time status from gaining access to the service.
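The access-restriction point above, as an added example that is not from the article: a Python check that reconciles a SaaS provider's assigned-user export against the HR roster and the license terms, flagging users whose employment status does not qualify, users unknown to HR, and seat-cap overruns. The roster, user list, license terms and field names are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data (not from the article). In practice the roster
# comes from the HR system and the assigned-user list from the SaaS
# provider's admin export or SCIM/identity API.
HR_ROSTER = {
    "alice": "full_time",
    "bob": "part_time",
    "carol": "full_time",
    "dave": "contractor",
}
SAAS_ASSIGNED_USERS = ["alice", "bob", "carol", "dave", "erin"]  # erin: not in HR
LICENSE_TERMS = {"eligible_statuses": {"full_time"}, "seat_cap": 3}


@dataclass
class ComplianceReport:
    ineligible: list = field(default_factory=list)  # known to HR, wrong status
    unknown: list = field(default_factory=list)     # assigned but not in HR
    seats_used: int = 0                             # every assigned seat counts
    over_cap: bool = False


def is_authorized(user: str, hr_roster: dict, terms: dict) -> bool:
    """Provisioning-time gate: grant a seat only to eligible, known staff."""
    return hr_roster.get(user) in terms["eligible_statuses"]


def audit_saas_entitlements(hr_roster: dict, assigned: list, terms: dict) -> ComplianceReport:
    """Periodic reconciliation: find seats that violate the license terms."""
    report = ComplianceReport(seats_used=len(assigned))
    for user in assigned:
        if user not in hr_roster:
            report.unknown.append(user)       # orphaned or external account
        elif not is_authorized(user, hr_roster, terms):
            report.ineligible.append(user)    # e.g. part-time on a full-time license
    report.over_cap = report.seats_used > terms["seat_cap"]
    return report


if __name__ == "__main__":
    r = audit_saas_entitlements(HR_ROSTER, SAAS_ASSIGNED_USERS, LICENSE_TERMS)
    print(f"ineligible={r.ineligible} unknown={r.unknown} "
          f"seats={r.seats_used} over_cap={r.over_cap}")
```

Run the reconciliation on a schedule and treat any non-empty `ineligible` or `unknown` list, or `over_cap`, as a deprovisioning ticket rather than a warning.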

SaaS offerings also extend the scope of compliance obligations for organizations that use those services to store, process or transmit regulated data. Enterprises pursuing this strategy must take steps to assure themselves, and sometimes regulators, that the SaaS provider is operating within the requirements of any applicable laws or contracts. For example, SaaS providers handling credit card data must do so within the constraints of the Payment Card Industry Data Security Standard (PCI DSS); the PCI Security Standards Council has more on the specific security requirements for SaaS providers. Merchants subject to PCI DSS may only use a SaaS offering for customer payment information if the provider certifies that it is also PCI DSS compliant.

This was last published in December 2015