
7 Security Questions to Ask Your SaaS Provider

Outsourcing software as a service (SaaS) puts control over an organization's applications in the hands of others. Learn what questions to ask your provider, how to define security policies, how to understand how service providers handle security and ensure enforcement of policies.

Outsourcing an application means your organization relinquishes some control; don't, however, loosen your grip on security.

In a bizarre way, the high-profile phishing attack against Salesforce.com last fall suggests the software-as-a-service (aka SaaS) model has come of age.

In that attack, a spoofed email message was apparently used to lure a Salesforce.com employee to release certain customer information, which was in turn used to launch a secondary phishing campaign. While the breach was certainly embarrassing, it illustrates the power of the Salesforce.com brand.

It also reminds businesses of all sizes that just because they've outsourced an application doesn't mean they can be any less vigilant about defining a security policy. The difference is now they'll need to entrust enforcement to someone else.

"A lot of time, I find I'm putting myself in the role of a chief security officer," says Mathew Hegarty, director of infrastructure and security for [email protected], an IT services firm in New York that often recommends the SaaS approach to its customers. There are certain fundamental things you need to study--from authentication policy to infrastructure redundancy to how often the SaaS provider invests in independent penetration testing--especially when you're talking about a single-tenant service where all customers share the same instance of the software, Hegarty says.

"The biggest thing we focus on with all of this is control of the data," says Michael Mucha, chief information security officer for Stanford Hospital in Palo Alto, Calif., which uses several clinical applications that are delivered as a service, including transcription, and radiology and analysis systems. Given that health care is by far the most regulated industry he has worked in, Mucha has created a standardized checklist for his technical assessment of any application delivered via the SaaS model. Among the most critical of those items are whether or not the service provider complies with SAS 112 audit requirements (which applies to nonprofits), how it documents its procedures for handling a security breach, and how it handles requests for changes and customized features, Mucha says.

Even more important will be the simple policies that a SaaS provider uses among its staff to protect your data. "We have complete access to the data, and we are the only ones with control of the authentication," Mucha says. "The point is that you need a consistent approach to all these situations."

The Salesforce.com breach, which the company acknowledged in an email last November, offers a perfect example of why this is critical. In that message, the SaaS giant acknowledged that data purloined from Salesforce.com was later used to compromise accounts at some of its customers, and Salesforce.com moved to disclose its exposure. Salesforce.com declined to comment on its security policy for this story, but in its email last fall, it made several suggestions for how its customers could protect themselves in the future, including ignoring potential phishing messages, activating IP range restrictions so that the software could only be used from a specified internal network or VPN, or using two-factor authentication.

Building on those ideas, we offer seven questions you should resolve with your provider before investing in SaaS.

QUESTION 1: Who handles penetration testing, and how is it done?

It stands to reason that if you would hire an outside company to test the effectiveness of on-site firewalls and other IT security measures, your SaaS provider should do the same--regularly.

Chuck Mortimore, director of platform services for Rearden Commerce, which offers the application Rearden Personal Assistant that helps coordinate various organizational tasks of your business and personal life such as booking travel, says his company employs someone to manage aspects of the vulnerability management process. The Foster City, Calif.-based company regularly runs both threat assessments as well as tests that verify its ability to withstand denial-of-service attacks. If a service provider doesn't invest in creating regular processes for penetration testing, its risk increases exponentially, Mortimore says.

Likewise, Xythos Software, which offers its enterprise document management system as a service, has hired several specialized service providers to help manage security functions. Jim Till, CMO for San Francisco-based Xythos, says many of the company's clients store highly sensitive information such as legal documents or logistics data in its application, which it first started selling as an on-premise option. For starters, the company has teamed up with OpSource, which recently announced Level 1 compliance with the rigorous Payment Card Industry Data Security Standard.

"We would have been foolish if we thought we could do this ourselves," Till says.

Other providers of vulnerability assessment services for SaaS include Qualys (which itself offers its capabilities as a service); Akibia, a security services firm and Microsoft Gold Certified Partner; Perimeter eSecurity, which has been acquiring a slew of SaaS security integrators; and Computer Sciences, which offers a set of operational services for ISVs looking to turn themselves into SaaS providers.

QUESTION 2: What are the sign-on, access and authentication policies?

The most common way to get at an application via the Internet is via a username and password. "The normal way is to go to their front door," says Patrick Harding, chief technology officer for Ping Identity, a Denver company that makes identity federation software.

But a growing number of companies are working with their service providers to pull the SaaS sign-in process into the bounds of their firewall or VPN, providing a higher degree of authentication. Simply put, the user must first safely log in to the company's corporate intranet before he or she can sign on to the application in question. This ensures that the login conforms to the company's security policy. Later, if an employee leaves the company, it's easier to disable his or her account access.

Liz Herbert, an analyst with Forrester Research who follows SaaS, says this effectively puts the access policy back into the hands of a company's internal IT department. "Your company may have a password policy, but sometimes the SaaS application isn't being managed according to the same rules," she says. One thing to look for, she says, is whether the SaaS sign-in process can be tied into a single sign-on process (see "One & Done", below) or integrated with an LDAP directory service such as Active Directory.

"I've looked at some Web-based applications that I've rejected because of this," says Adam Sroczynski, CEO of eBusiness Technology, which uses SaaS to handle project management and business functions. The biggest issues for Sroczynski are the policies a SaaS provider has in place to protect the username and password. If there is no formal plan in place, a breach of the Salesforce.com sort is more likely to happen because internal personnel haven't put in the proper security measures to reduce the potential for human misjudgment. Businesses should consider maintaining control of this process themselves, he suggests. That means, however, if a password is lost, the SaaS provider won't be in a position to recover it on behalf of the customer.
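The controls discussed above and in the Salesforce.com email (keep sign-in inside the corporate network or VPN, require a second factor, disable departed employees promptly) can be expressed as a single deny-by-default login policy. The following is an added example, not code from the article or from any provider named in it; the account records, IP ranges and login attempts are constructed sample data, and the RFC 5737 documentation addresses stand in for a company's real VPN egress. The `flag_credential_misuse` function adds the detection side: a correct password arriving from an address the company does not control is the signal a phished credential leaves behind, and is worth alerting on even though the policy already rejects it.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy for a hypothetical customer: the corporate LAN and the VPN's
# public egress range (RFC 5737 documentation address space, not a real network).
ALLOWED_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
]


@dataclass
class Account:
    username: str
    active: bool = True        # set to False when an employee leaves
    mfa_enrolled: bool = False


@dataclass
class LoginAttempt:
    username: str
    source_ip: str
    password_ok: bool          # result of the password check, supplied by the caller
    mfa_ok: bool = False       # result of the second-factor check, if any


# Constructed sample directory: one active user with a second factor, one departed user.
SAMPLE_ACCOUNTS = {
    "alice": Account("alice", mfa_enrolled=True),
    "bob": Account("bob", active=False),
}


def ip_in_allowed_range(ip: str, ranges=ALLOWED_RANGES) -> bool:
    """True if the address falls inside any permitted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def evaluate_login(attempt: LoginAttempt, accounts: dict, require_mfa: bool = True):
    """Deny-by-default policy: returns (allowed, reason).

    Order matters: a disabled account is refused before anything else, and a
    correct password alone never suffices when the source is off-network or
    the second factor is missing.
    """
    acct = accounts.get(attempt.username)
    if acct is None or not acct.active:
        return False, "unknown or disabled account"
    if not attempt.password_ok:
        return False, "bad password"
    if not ip_in_allowed_range(attempt.source_ip):
        return False, "source outside permitted IP ranges"
    if require_mfa and not (acct.mfa_enrolled and attempt.mfa_ok):
        return False, "second factor required"
    return True, "ok"


def flag_credential_misuse(attempts, accounts):
    """Detection view: correct passwords presented from outside the allowed ranges.

    A valid password arriving from an unexpected network is the signature of a
    credential that has been phished or otherwise leaked.
    """
    flagged = []
    for a in attempts:
        acct = accounts.get(a.username)
        if acct and acct.active and a.password_ok and not ip_in_allowed_range(a.source_ip):
            flagged.append((a.username, a.source_ip))
    return flagged


# Constructed sample traffic: an in-office login, a VPN login, a login with the
# right password from an address the company does not control, and a departed user.
SAMPLE_ATTEMPTS = [
    LoginAttempt("alice", "10.4.7.21", password_ok=True, mfa_ok=True),
    LoginAttempt("alice", "203.0.113.40", password_ok=True, mfa_ok=True),
    LoginAttempt("alice", "198.51.100.9", password_ok=True, mfa_ok=False),
    LoginAttempt("bob", "10.4.7.22", password_ok=True, mfa_ok=True),
]

if __name__ == "__main__":
    for a in SAMPLE_ATTEMPTS:
        print(a.username, a.source_ip, evaluate_login(a, SAMPLE_ACCOUNTS))
    print("flagged:", flag_credential_misuse(SAMPLE_ATTEMPTS, SAMPLE_ACCOUNTS))
```

Where the provider cannot enforce such a policy itself, the same checks belong in the identity provider that fronts the SaaS sign-in (the federation or single sign-on layer described in "One & Done"), so that the rules are the customer's rather than the vendor's.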


One & Done
Single sign-on simplifies access control.

How many account passwords can the average human manage?

The holy grail of single sign-on, allowing a person to log in just once for multiple applications, is being accelerated by the move to SaaS accounts, says Adam Sroczynski, CEO of eBusiness Technology, an early user of TriCipher's new on-demand single sign-on software myOneLogin. The more passwords a person must remember, the better the chances that at least one will be lost or compromised, he says.

Chuck Mortimore, director of platform services for Rearden Commerce, a SaaS provider that offers a personal assistant service, says that single sign-on puts access control and authentication back into the hands of the IT department. "It's very important. It provides them with one set of information to worry about, which they already have control over."

Patrick Harding, chief technology officer for Ping Identity, says single sign-on also makes it simpler to disable access quickly if an employee leaves or is terminated. "Plus, organizations can add whatever authentication they feel is necessary. They can reuse things they already have like certificates and tokens. It takes the burden off the SaaS provider."


QUESTION 3: What encryption policies will protect data as it is transferred, or when it is being stored?

For starters, you should look for and insist on the strongest encryption levels possible.

This was the deciding factor for Aimable Mugara, the IT and multimedia director for the nonprofit organization Free The Children in Toronto, which about a year ago opted to use the Mozy online data storage and backup service. While 128-bit SSL encryption is now fairly typical, Mozy--a division of EMC--offers 448-bit Blowfish on-disk encryption. "That is very rare," Mugara says. Mozy also has taken steps to ensure its service meets compliance standards of the Health Insurance Portability and Accountability Act (HIPAA), which also gave Mugara a higher comfort level.

Prat Moghe, founder and chief technology officer for Tizor Systems, an enterprise data auditing and protection firm in Maynard, Mass., says it's also important to study how the provider stores each customer's data. "How strong is the security program when it comes to the data being stored. If there is a breach, how is that caught? And if the data gets out, is it encrypted?"

Another question worth asking: What breaches has the company had, if any, and how did it manage them?

One way to review the SaaS provider's data protection policies is to request a copy of its SAS 70 Audit Report (see "Up to Standard?," below). While SAS 70 is just a "gross level" audit, it does provide a common ground for discussion, says John Pescatore, security analyst with research firm Gartner. "This forces companies to define things in a way that's meaningful to both sides," Pescatore says.


Up to Standard?
SAS 70 audits verify data protection methods.

SAS 70 is by no means a guarantee of security, but it is helping shine a light on acceptable security processes around SaaS.

SAS is short for Statement on Accounting Standards. The SAS 70 report details exactly what measures someone is taking to protect your company's data. The Type I audit covers whether a SaaS provider has internal controls that are described in its disclosures to customers; Type II tests those controls in action.

John Pescatore, security analyst with research firm Gartner, says one good thing about SAS 70 is that it is recognized by corporate auditors. "If you use someone who doesn't use this measure, then you're always at risk," he says. "It sets a barrier to entry."

But Pescatore recommends adding a service-level agreement that outlines specific security measures, what will happen if something goes wrong and who is liable.


QUESTION 4: Is there a single-tenant hosting option separated from that of other customers?

Another complicating factor is that in a true SaaS multi-tenant deployment, your company's data may be side-by-side with another company's data.

So it's important to understand how things are kept separate.

"The risk is that your data could leak out of your environment and be seen by other customers, potentially even their competitors," says Acumen's Stanley.

There are several ways in which customer data can be separated, and it's important to understand which method your SaaS provider uses, she says. For example, if the division occurs within the application itself, a bug within the application could cause a failure of separation, meaning your data could be exposed to other customers or, in a worst-case scenario, to the outside world. Another way of keeping customers separate involves working with separate Web servers running on shared hardware.

The rise of virtualization, with customers potentially hosted on different virtual machines, should make separation easier. But Burton Group cautions that while this will cut down on some risks, the guest operating systems remain subject to the same vulnerabilities as any other. Moreover, the hypervisor management layer adds a new layer that can itself be attacked.

Stanley says your provider should run regular tests for data leaks. If it is not, you might be better off insisting on a single-tenant data storage option (closer to outsourcing) or looking for a provider that offers this choice, she says.
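Stanley's first separation model, division within the application itself, is the one most exposed to an ordinary coding mistake. The example below is added here and is not code from the article or from any provider it names: a constructed in-memory SQLite table holds two tenants' records side by side, `get_document_unscoped` shows the bug class (a lookup that trusts the record id and never checks which tenant the session belongs to), `get_document_scoped` shows the fix (the authenticated tenant is a mandatory predicate on every query), and `isolation_self_test` is the kind of regular leak test Stanley recommends, run against either lookup so the vulnerable one is caught. Tenant names and documents are sample data.

```python
import sqlite3
from typing import Callable, Optional, Tuple

Row = Optional[Tuple[int, str, str]]


def build_sample_db() -> sqlite3.Connection:
    """Constructed multi-tenant table: rows from two customers in one shared schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO documents VALUES (?, ?, ?, ?)",
        [
            (1, "acme", "Q3 rate table", "sample body"),
            (2, "acme", "Vendor contract", "sample body"),
            (3, "globex", "Logistics plan", "sample body"),
        ],
    )
    conn.commit()
    return conn


def get_document_unscoped(conn: sqlite3.Connection, doc_id: int) -> Row:
    """Vulnerable pattern: the row is selected by id alone.

    Nothing ties the lookup to the tenant of the current session, so a request
    carrying another customer's id returns that customer's data. This is the
    in-application separation failure the article warns about.
    """
    return conn.execute(
        "SELECT id, tenant_id, title FROM documents WHERE id = ?", (doc_id,)
    ).fetchone()


def get_document_scoped(conn: sqlite3.Connection, tenant_id: str, doc_id: int) -> Row:
    """Hardened pattern: the authenticated tenant is part of every predicate.

    A request for a foreign id simply finds no row; the tenant boundary is
    enforced in the query rather than left to the caller's good behaviour.
    """
    return conn.execute(
        "SELECT id, tenant_id, title FROM documents WHERE id = ? AND tenant_id = ?",
        (doc_id, tenant_id),
    ).fetchone()


def isolation_self_test(
    conn: sqlite3.Connection,
    tenants: list,
    fetch: Callable[[sqlite3.Connection, str, int], Row],
) -> list:
    """Regular leak test: as each tenant, request every id and record any row
    that comes back belonging to someone else. Returns a list of (tenant, id)
    pairs; an empty list means no cross-tenant read was possible."""
    leaks = []
    ids = [r[0] for r in conn.execute("SELECT id FROM documents ORDER BY id")]
    for tenant in tenants:
        for doc_id in ids:
            row = fetch(conn, tenant, doc_id)
            if row is not None and row[1] != tenant:
                leaks.append((tenant, doc_id))
    return leaks


if __name__ == "__main__":
    db = build_sample_db()
    tenants = ["acme", "globex"]
    print("scoped  :", isolation_self_test(db, tenants, get_document_scoped))
    print("unscoped:", isolation_self_test(db, tenants, lambda c, t, i: get_document_unscoped(c, i)))
```

The self-test is deliberately crude (it enumerates every id), which is what makes it useful as an acceptance check: a provider that runs something like it after every release will notice the moment a new query path forgets the tenant predicate.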

QUESTION 5: Who manages the application on the back end, and what policies are in place to thwart insider breaches?

As the Salesforce.com breach illustrates, many security issues are tied more to the flaws of human nature than to some technical weakness.

"A lot of SaaS providers offer optional 128-bit encryption on the fly, but this hasn't always been made mandatory," says Jay Elder, managing director of service development for Incentra Solutions, a security services firm in Boulder, Colo. "Users really need to be trained to log in using [the toughest] encryption and to be aware of the social vulnerabilities of giving away their passwords."

The matter of user administration rights once you're inside the application also can't be underestimated. Gregg Bostick, vice president of transportation at Pinnacle Foods, uses the SaaS application LeanLogistics On-Demand TMS to manage transportation arrangements between his team and various shipping partners. Bostick closely controls who has the right to view certain types of data, such as the carrier rate tables or the accounts payable information.

"This is really process-oriented security," Bostick says. "It's only a problem if you allow it to be a problem."

A bigger problem, perhaps, comes in management of an application back at the provider. Forrester's Herbert says it's important to understand who will be able to modify the application, along with the rules and access rights. From the customer standpoint, this should remain under the control of the business' internal IT team, which can interface with the technical contacts at the service provider, she says. There need to be strong measures in place to ensure that account information cannot easily be shared or accessed by personnel at the service provider. The company should also have specific policies related to spoofing of accounts and phishing.

QUESTION 6: What is the backup and recovery plan?

One thing that doesn't get talked about as much when it comes to SaaS security is business continuity--how the provider protects its customers against potential denial-of-service attacks or in the event of a natural or man-made disaster.

But that was a major consideration for Michael Roseman, vice president of finance and strategy at Astadia, a 155-person management consulting firm that uses several different SaaS applications including Salesforce.com, Workday and Cornerstone on Demand.

"These companies can make much better investments in security than we can," says Roseman. "If we did this on-premise, we would have to provide backup and redundancy. How can my company hope to offer the same levels as these providers?"

Gartner's Pescatore says businesses should also be concerned with the physical location of the hosting facility, requesting an on-site inspection if possible. Geography also matters: If the service provider hosts the data in another country, the business should acquaint itself with privacy and data ownership laws of those jurisdictions. "You have to worry a lot more if something goes wrong," he says. Plus, it may be tougher to enforce service-level agreements.

QUESTION 7: How well does the provider's security policy match my company's (if my company has one)?

If your company already has a security policy in place, it should be relatively simple to compare the vision of a would-be SaaS provider against your own. A SaaS company's ability to provide security measures could actually be more sophisticated and thorough than a customer's capabilities, especially if you're talking about a small business or midsized account. That doesn't supersede the need for the customer to vet the provider's policy, but it makes it simpler to justify going with SaaS.

"This really saves us a lot of money," says Mike Stump, director of information technology for Roundtable Corp., which owns 46 Dairy Queen franchises that use various SaaS applications to manage their operations. "For us, that is the biggest advantage."

For other companies, it comes down to focus--and scale. Dan Nadir, vice president of product strategy for ScanSafe in San Mateo, Calif., which offers managed services for Web security, says many of his company's customers have few IT staffers to handle issues like security.

"We make their headaches go away. ...We use multiple engineers, which they can't. We've got tons of techniques they can't use. We're able to react. The more users we have, the more traffic, and the better off everyone ends up being."
