Sergey Nivens - Fotolia
The growing rate of SaaS use means there is also a growing rate of compliance challenges for organizations using these cloud applications. Two big challenges include ensuring the use of SaaS services stays within the terms agreed upon with the SaaS provider, and ensuring the data associated with the app use is transmitted, used and stored in accordance to compliance regulations. What are some ways enterprises can deal with these SaaS compliance challenges?
The "cloud first" approach that many organizations adopted over the past few years drives IT shops to consider software as a service as one of the main IT service delivery mechanisms to meet business requirements. SaaS security raises new compliance obligations, particularly when it comes to the terms of service from SaaS providers and the security of data stored, processed and transmitted by SaaS providers.
License compliance has always been a difficult legal and operational challenge for IT organizations. It's hard to track SaaS compliance with the many details of license agreements, and the use of cloud services simply adds to the pile of requirements that enterprises must consider. One of the main SaaS compliance issues organizations must tackle is ensuring only authorized individuals gain access to the SaaS offering. For example, if a company purchases an enterprise license for a SaaS product that covers all full-time employees, it must ensure that its authorization mechanisms prevent part-time employees and others without full-time status from gaining access to the service.
SaaS offerings also extend the scope of compliance obligations for organizations that use those services to store, process or transmit regulated data. Enterprises pursuing this strategy must take steps to assure themselves, and sometimes regulators, that the SaaS provider is operating within the requirements of any applicable laws or contracts. For example, SaaS providers handling credit card data must do so within the constraints of the Payment Card Industry Data Security Standards (PCI DSS); the PCI Security Standards Council has more on the specific security requirements for SaaS providers. Merchants subject to PCI DSS may only use a SaaS offering for customer payment information if the provider certifies that it is also PCI DSS compliant.
Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)
Find out why financial organizations need an especially strong cloud security strategy
Learn how to lessen the risk posed by neglected cloud app security
Check out how to craft an enterprise cloud change management policy
Some assembly still required for SaaS application pain points
Dig Deeper on Security audit, compliance and standards
Related Q&A from Mike Chapple
Explore the differences between wired and wireless network security, and read up on best practices to ensure security with or without wires. Continue Reading
Choosing to encrypt confidential data with AES or DES encryption is an important cybersecurity matter. Learn about the important differences between ... Continue Reading
It's not possible to eradicate the risk of DoS attacks, but there are steps infosec pros can take to reduce their impact. Mike Chapple shares ... Continue Reading