
Carefully evaluate providers' SaaS security model

Enterprises need to make sure a SaaS provider has the proper security controls to protect sensitive data before a contract is signed


As the director of IT for a non-profit, Richard Navarro needed an affordable network monitoring application that would allow his small staff to quickly hunt down the root cause of email outages and other problems. He found what he was looking for from AccelOps, delivered via an outsourcing model that would give most IT administrators pause: software-as-a-service.

Did he worry about security? Absolutely.

"Who had access to their environment? Where was the environment being stored? What was the change control around it?" These were questions that Navarro, of the Jewish Home of San Francisco, a skilled nursing facility specializing in services for seniors, was asking. His concerns were allayed after conducting an assessment of AccelOps, which included looking at who would be accessing data, how that access would be secured, and what data the vendor would store--no personal health information, only network traffic data. He also made sure data transported from the nonprofit to the vendor was encrypted.

SaaS is becoming increasingly attractive to enterprises looking to add resources and functionality without adding headcount. However, depending on the type of application and data involved, handing your data over to a provider's multitenant environment can be unnerving.

"There's a lot of co-mingling that goes on in the SaaS space and that's part of the problem," says Brian Koref, information security officer at KLA-Tencor, a Milpitas, Calif.-based supplier of process control and yield management products for the semiconductor and related industries. "You're comingling data. You're accessing the same URL for the same portal. There are security ramifications if that's not done properly."

SaaS is more like traditional outsourcing than other types of cloud computing, but with a big difference, says Jim Reavis, executive director and co-founder of the Cloud Security Alliance, a nonprofit that promotes best practices for security assurance within cloud computing: "You don't have the ability to have physical compartmentalization and controls you could have if you were strictly outsourcing, taking your servers and putting them in a different location. Everything's lumped together in systems that are architected and designed by other people."

So how does an enterprise go about ensuring its sensitive data is protected when it works with a SaaS vendor? Security experts say it comes down to asking a lot of questions about encryption, authentication policies, incident handling, and application security. Companies need to make sure security requirements are handled contractually before inking a deal--and monitor to see that promises are kept.

"There's not a lot you can to do to implement technical controls, so there's a heavy amount of reliance on procurement and audit," Reavis says. "It's asking for something and auditing to make sure you got it."

Survey Says: Security No. 1 Barrier to Cloud
Many organizations are still reluctant to outsource to a SaaS vendor, surveys show.


DESPITE ALL THE BUZZ about SaaS and cloud computing, security remains a sticking point that keeps many organizations from jumping on the bandwagon.

According to a study released in October by research firm Trust Catalyst, 52 percent of 600 IT security professionals surveyed cited data security concerns as being the No. 1 barrier preventing their organizations from adopting cloud computing. The study, sponsored by Thales, also showed that 42.6 percent of survey participants were not currently planning on moving to the cloud, according to Sausalito, Calif.-based Trust Catalyst.

An online poll conducted by Unisys earlier this year had similar findings: 51 percent of the 312 respondents cited security and data privacy concerns as the biggest barrier to moving to the cloud.

Chenxi Wang, principal analyst at Forrester Research, says a lot of companies using SaaS are outsourcing applications or data that aren't mission critical. In some cases, it might be a one-time use in order to obtain additional resources for a limited amount of time without investing in building internal resources.

"That said, there also is an increasing number of companies using SaaS providers for critical applications," she adds. "A lot of smaller companies use Salesforce.com to track sales data and CRM."

Brian Koref, information security officer at KLA-Tencor, a Milpitas, Calif.-based supplier of process control and yield management products for the semiconductor and related industries, says his company only uses a couple of SaaS providers and not for anything sensitive or critical.

However, security isn't the only reason KLA-Tencor doesn't use the on-demand model for more sensitive applications. The company has customization and international needs SaaS vendors may not be able to meet, he says.

--Marcia Savage

Encryption is a critical element for protecting sensitive data but don't assume a SaaS vendor provides it. Ideally, they should be able to demonstrate multiple layers of encryption for data in transit and at rest, experts say. Protecting data in transit typically is provided via SSL or TLS, but encrypting stored data on a SaaS platform can be complicated.

"The challenge for SaaS is that a lot of it is database driven and architected and it's still fairly difficult to do a lot of encryption in databases," Reavis says. "You might do field-level encryption but there are still some hurdles there."

There can be legitimate reasons for a SaaS vendor not to encrypt stored data, says Chenxi Wang, principal analyst at Forrester Research: "Because it's a multitenancy architecture typically, it's harder for the SaaS provider to have the data completely encrypted and still be able to do their optimization and redundancy backup."

Of course, encryption by a SaaS vendor that doesn't also implement strong key management isn't very useful. That means not having the same team that accesses the stored data being responsible for key management, Reavis notes.

Nils Puhlmann, co-founder of the Cloud Security Alliance, recalls a conversation in which a SaaS vendor advised him not to worry because the data was encrypted. Prodding them for more details, he found out that there was still plenty to worry about. "The encryption in my mind was useless because you have the keys and the encrypted data in the hands of the same people," Puhlmann says.

Corporate governance and segregation of duties are top concerns for Concur Technologies, a provider of on-demand employee spend management services, says Bruce Grenfell, senior director of governance, risk and compliance at the company, which has U.S. headquarters in Redmond, Wash. "A key component of this is to ensure that access to encrypted information is available to the smallest group possible and that the risk of unauthorized access to large swathes of sensitive information is minimized," he says.

To that end, Concur implemented a technique so that each individual record stored is dynamically encrypted with a unique key to protect against misuse and disclosure; the key components are stored in three separate locations. "Strict adherence and auditing of Concur's segregation of duties policies ensures that only a highly limited number of people are able to access any components of the key. No one has access to all of the components that derive the key," Grenfell says.
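One way to picture per-record keys built from separated key components, as an added example that is not Concur's code or design. The article does not say how the components are combined, so the XOR split, the HMAC-SHA256 derivation, the location names and the reader lists below are all assumptions.

```python
import hashlib
import hmac
import secrets


def split_key(master: bytes) -> list:
    """Split a master key into three XOR components; any two alone are random."""
    a = secrets.token_bytes(len(master))
    b = secrets.token_bytes(len(master))
    c = bytes(m ^ x ^ y for m, x, y in zip(master, a, b))
    return [a, b, c]


def combine_components(components: list) -> bytes:
    """Rebuild the master key; refuses to run with fewer than three parts."""
    if len(components) != 3 or len({len(c) for c in components}) != 1:
        raise ValueError("three equal-length key components are required")
    a, b, c = components
    return bytes(x ^ y ^ z for x, y, z in zip(a, b, c))


def record_key(master: bytes, record_id: str) -> bytes:
    """Unique 256-bit key per record: HMAC-SHA256(master, label || record id)."""
    msg = b"record-key\x00" + record_id.encode("utf-8")
    return hmac.new(master, msg, hashlib.sha256).digest()


def sod_violations(acls: dict) -> set:
    """Return principals who can read every component location (an SoD breach)."""
    readers = [set(r) for r in acls.values()]
    return set.intersection(*readers) if readers else set()


# Constructed reader lists for three hypothetical component locations.
SAMPLE_ACLS = {
    "location-a": {"alice", "bob"},
    "location-b": {"bob", "carol"},
    "location-c": {"bob", "dave"},
}

if __name__ == "__main__":
    master = secrets.token_bytes(32)
    parts = split_key(master)
    assert combine_components(parts) == master
    # Each record gets its own key; it would then feed an AEAD cipher.
    print(record_key(master, "expense-0001").hex())
    print(record_key(master, "expense-0002").hex())
    print("can read all components:", sod_violations(SAMPLE_ACLS))
```

The audit question from the paragraph above maps to `sod_violations`: a non-empty result means one person can reassemble the key alone.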

Client or trusted third-party key management that is enabled within applications is the long-term solution the Cloud Security Alliance would like to see in SaaS, Reavis says. Commercial SaaS providers don't currently provide hooks into their applications to allow the customer to manage encryption keys for data at rest for several reasons, including technical complexities, immature standards in how applications would interact with external key management systems and clients not asking for it.

"Customers generally seek to divest themselves of this type of operational management responsibility when they engage with SaaS providers," Reavis adds.

Strategy: Security helps drive SaaS sales
Concur Technologies makes security a big part of its sales strategy.


AT CONCUR TECHNOLOGIES, investing in security has paid off in client retention and shorter sales cycles, says Bruce Grenfell, senior director of governance, risk and compliance at the provider of on-demand employee spend management services.

"We have shortened our sales cycles based on our ability to provide our clients' IT shops and security experts with documented evidence that we are secure and continually looking to improve ourselves," he says.

The company also invites clients on an annual basis to review audit reports and corrective actions it has taken. "We believe in being very open with our clients," Grenfell says.

To ensure client data is secure, Concur developed what it calls its Trust Platform, which includes granular access control, audit logs, vulnerability management, security scanning and continuous monitoring. Information assurance controls in the Trust Platform are based on ISO 27001 and service management processes are based on ISO 20000.

The company undergoes multiple audits, including biannual ISO 27001 and ISO 20000 audits, biannual SAS 70 Type II audits, and annual assessments to maintain its compliance with the PCI Data Security Standard. Concur provides information about its security and privacy on its website http://www.concur.com/pdf/ConcurSecurityPrivacyOverview1.19.pdf, and Grenfell says it shares 40 documents under NDA with clients or prospective clients to demonstrate its security.

"Our security is better than yours because it's got to be," he says. "As we continue to want to persuade IT shops that are extremely cautious of allowing sensitive information out of the four walls they own and operate, we have to have first-class security."

--Marcia Savage

If a SaaS vendor doesn't encrypt the sensitive data it stores, enterprises need to know what other internal security controls it implements to protect information from unauthorized access or misuse by the vendor's staff and other clients.

"In a lot of cases, if you're a SaaS customer, you have to look for what are the substitute or alternative controls to encryption and key management," Reavis says. "The more difficult the encryption problem is, the more we need these compensating controls."

Alternative controls could include application firewalls, authorization servers that use the XACML protocol to provide fine-grained access control, and access policies that essentially create firewalls between people and processes.

"The policy and procedure questions are especially important if the data isn't encrypted," Wang says. "When it's not encrypted, you have to rely on other security such as who has access to this data and do employees have need-to-know access."

Enviance, a supplier of software to manage greenhouse gas emissions and other regulatory risks on the SaaS model, uses role-based access control, says Sergey Blyashov, CTO at the Carlsbad, Calif.-based company. "Anything that requires security access is audited," he said. "We can track it down to the user and IP [address]."

The vendor doesn't encrypt stored data for performance reasons but each customer's data is isolated and the Enviance environment uses multiple firewalls, he says.

KLA-Tencor's Koref says one of his many concerns with the SaaS model is how user account management is handled.

"Think about how applications are installed in corporate enterprises. There are certain features like single sign-on that allow for orderly account creation and more importantly, account termination," he says. "If you haven't tied your Active Directory or your single sign-on or your authentication and authorization infrastructure to the SaaS vendor's application, then there has to be a systematic way to ensure that when an employee no longer has the need to access that application, the access is removed."

Juniper Networks tracks internal use of Jive Software's on-demand collaboration tool by tying the application to its LDAP directory. Anytime a Juniper employee accesses the Jive application, "the authentication for that database is sitting off of Juniper LDAP directory," says Bobby Guhasarkar, director of product marketing for the company's high-end security systems business unit.

Security controls aside, a breach is always possible, making it critical that companies find out what would happen in the event of an incident before contracting with a SaaS vendor.

If an organization needs to comply with particular state breach notification laws, it needs to make sure the SaaS provider can help meet those compliance requirements if there is an incident, says Ernie Hayden, a volunteer domain leader at the Cloud Security Alliance. "You need to make that part of your agreement, especially to ensure that everyone is talking the same language during the breach," he says.

Enterprises that must notify customers of a breach within a certain timeframe must ensure the vendor provides timely data, Wang says: "You have to make sure they can turn around with proper information for you to perform your own incident-handling procedures."

Of course, a data breach could become more complicated on a multitenant platform. That makes it critical that a SaaS vendor have strong logging capabilities, experts say.

"The real fear there is you have a SaaS provider that has thousands of customers and one customer gets breached," Reavis says. "How is there assurance that I didn't get breached?"

Log file data needs to be granular enough so that it's possible to see which customers were impacted, he says. "It's a matter of checking with the cloud provider and asking, 'Do you have the logging framework and incident response procedures to be able to differentiate between customers?' Ask for evidence of that beforehand and get that into contracts. [If there's a breach] you want to have that right to demand log files."

Koref says SaaS vendors should be able to provide customers with logs that allow them to manage an incident and, if necessary, discharge an employee for maliciously changing or deleting data. "If an employee has access to a financial application and made changes, you need to know what happened," he says.
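What "granular enough to differentiate between customers" means in practice, shown as an added example that is not from the article or any vendor. The key=value log format, tenant names, users and addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: audit lines from a shared (multitenant) service.
SAMPLE_LOG = """\
2009-11-03T10:14:58Z tenant=acme user=jdoe src=198.51.100.20 action=login object=-
2009-11-03T10:15:02Z tenant=acme user=svc-report src=203.0.113.7 action=export object=invoice/991
2009-11-03T10:15:40Z tenant=globex user=svc-report src=203.0.113.7 action=read object=contact/17
2009-11-03T10:16:05Z user=svc-report src=203.0.113.7 action=read object=contact/18
2009-11-03T10:17:30Z tenant=initech user=mlee src=198.51.100.44 action=update object=ledger/3
2009-11-03T11:45:00Z tenant=initech user=svc-report src=203.0.113.7 action=read object=ledger/3
""".splitlines()


def utc(stamp: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line: str) -> dict:
    """Return the line's fields plus 'ts'; raise ValueError if malformed."""
    stamp, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs if "=" in p)
    rec["ts"] = utc(stamp)
    return rec


def triage(lines, src, start, end) -> dict:
    """Sort events from a suspect source address into per-tenant impact."""
    impacted = defaultdict(list)
    unattributed = []          # events that cannot be tied to a customer
    seen = set()
    for line in lines:
        try:
            rec = parse_line(line)
        except ValueError:
            unattributed.append(line)
            continue
        tenant = rec.get("tenant")
        if tenant:
            seen.add(tenant)
        if rec.get("src") != src or not (start <= rec["ts"] <= end):
            continue
        if tenant:
            event = (rec.get("user"), rec.get("action"), rec.get("object"))
            impacted[tenant].append(event)
        else:
            unattributed.append(line)
    # A tenant can only be cleared if every suspect event names its tenant.
    cleared = set() if unattributed else seen - set(impacted)
    return {"impacted": dict(impacted), "cleared": cleared,
            "unattributed": unattributed}


if __name__ == "__main__":
    window = (utc("2009-11-03T10:15:00Z"), utc("2009-11-03T10:20:00Z"))
    print(triage(SAMPLE_LOG, "203.0.113.7", *window))
```

With one tenant-less line in the window, no customer can be told it was unaffected; that is the evidence gap to test for before signing.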

Third Parties: BITS Shared Assessments Updates with Cloud Security Evaluations
Two free assessment tools from the Financial Services Roundtable's BITS division can help organizations evaluate service provider security controls.


Shared Assessments, a program of the Financial Services Roundtable's BITS division, recently updated its tools with additions that can help companies assess the security of cloud computing and SaaS providers. The free tools, the Standardized Information Gathering questionnaire (SIG) and Agreed Upon Procedures (AUP), aim to give organizations a way to streamline the process of evaluating service provider security controls.

Version 5.0 of the Shared Assessments tools includes an enhanced AUP with additional procedures that address application security relative to cloud computing and SaaS environments, says Robert Jones, senior consultant at the Santa Fe Group, a consulting firm based in Santa Fe, N.M. that manages the program. Questions relevant to cloud computing and SaaS also have been added to the SIG.

In addition, version 5.0 includes a new tool called Target Data Tracker, which is designed to be used before an audit or assessment to help a company understand where a service provider keeps data; data location can have implications on a company's regulatory compliance.

"Essentially, the idea of cloud computing is the ability to share systems and capabilities. One of the issues is where that capability is physically [located]," Jones says.

Jim Reavis, executive director and co-founder of the nonprofit Cloud Security Alliance, says Target Data Tracker appears to be a promising step but he added that data location can be complicated in the cloud.

"Many of the data location issues that are fundamental to risk management and compliance can be learned by asking the right questions, so from that perspective the data tracking tool seems to be a step in the right direction. Oftentimes cloud providers lack the transparency in their business and operations needed to answer data location questions, but at the very least we need to agree that transparency is needed," he says. "In some cases, the cloud architectures are so complex that the cloud provider could not tell you where your data is, even if they wanted to."

The Shared Assessments assessment tools are available for download on the program's website.

--Marcia Savage

When Koref's company builds or buys an application, it puts the software through rigorous testing to make sure it's not vulnerable to SQL injection, cross-site scripting, and many other flaws that can plague applications. SaaS vendors need to prove they take the same precautions, he says.

"They should have some means to prove to you that they've taken security seriously into account when designing their application and installing the application onto a server," Koref says. "Falling short of allowing the customer to do a pen test on the application, which I don't think they'll allow, they should have had a pen test done and the results, or some sort of attestation, should be provided."

If a SaaS vendor runs a Web server to which customers upload data, customers need to make sure that Web server application is secure, Wang says. "Does the Web server application have vulnerabilities in it? Can someone break in and get your data?"

At Concur, code is tested with IBM's Rational AppScan tool during the software delivery cycle and the company also contracts with a third party to conduct an application vulnerability assessment, Grenfell says. "We have a well documented remediation process," he adds.

Enterprises should make sure a SaaS vendor uses a secure software development lifecycle, says Georg Hess, CEO and founder of Art of Defence, a European Web application security vendor: "Does the vendor have a concrete process in place that he or she uses through all phases, including production, change management and end of life of an application?"

They also should ask about the vendor's defense in depth practices, including security controls within the application itself, and whether the application has been tested both internally and externally by a third-party specialist, he said. Hess, co-leader of the German chapter of the Open Web Application Security Project (OWASP), cites the project's guidelines for penetration testing and source code analysis review http://www.owasp.org/index.php/Web_Application_Penetration_Testing and http://www.owasp.org/index.php/Source_Code_Analysis_Tools.

ASK QUESTIONS ABOUT AUDITS AND ASSESSMENTS
Enterprises evaluating a SaaS vendor's security can look for various audits such as SAS 70 reports, PCI Data Security Standard certifications, and ISO 27000 assessments, but experts caution that they still need to ask many questions.

Some SaaS vendors are getting ISO 27000 certified, but "you want to examine what the scope was, what the certification covered, and if they left anything out," Reavis says.

Companies that need to comply with the PCI Data Security Standard can look at a list Visa Inc. maintains of service providers that are PCI compliant, but still need to do due diligence, says Branden Williams, senior director of consulting services at AT&T.

"I'd say, 'So I see you're on the list. What does that mean? What did you have certified? Send me the executive summary from your ROC [Report on Compliance] or the scoping box from your ROC so I know what areas were included in the assessment and which ones weren't'," he says.

Many SaaS providers obtain a Statement on Auditing Standards (SAS) 70 Type II audit, which enterprises can examine and map to their own regulatory requirements to determine if the vendor can meet its compliance requirements, Reavis says.

Brandon Gage, senior vice president of technology at United Capital Financial Advisers, looks for vendors that have SAS 70 audits but still conducts his own assessments. The fast-growing Newport, Calif.-based national network of financial advisory firms relies heavily on SaaS in order to be scalable without adding headcount every time it adds an office, but Gage acknowledges the security issues with the outsourcing model.

"A lot of people are averse to moving into SaaS," he says. "You need to make sure the courtship process is good. It has to be extended to because you want to make sure they are who they say they are. We never sign a vendor until we physically walk through their data center. You can tell me you're SAS 70 all day long, but until we can physically check that the proper protocols are being followed, how do we really know?

His firm conducts annual audits of key service providers, which include data security as well as the vendor's financial stability, and also meets regularly on an informal basis with many of its vendors. "You have to be prepared to spend some time to work on that relationship … The SaaS provider's team is replacing the team you would have hired internally, so you need to have those regular meetings," Gage says.

United Capital Partners also looks for vendors that have expertise in financial services or health care because they're better suited to understanding the firm's privacy and security needs, he adds. For example, Smarsh, which provides the firm with hosted email archiving services, was well-versed in the regulatory demands of the financial sector, he says.

Getting a SaaS vendor to provide details about its security isn't always easy. Oftentimes, vendors can be reluctant to discuss policy and procedure issues for privacy or competitive reasons, Wang notes. Yet transparency is critical, says the CSA's Puhlmann.

"If you want to manage risk, you have to understand how and what's the process," he says. "The push for transparency will weed out the ones [cloud vendors] that have something to hide."

The Jewish Home of San Francisco's Navarro says he was pleased with AccelOps' response to his organization's review process. "They were very open to the point where our network engineer was able to sit down with AccelOps and review exactly what they do," he says.

"In the end, it's all about risk management," Puhlmann says. "Can you exclude anything happening? No, just as you can't in your own enterprise. But you can manage the risks by understanding what is done and how it's done."

Marcia Savage is Features Editor of Information Security.
