As more enterprises embrace software-as-a-service (SaaS), a nagging question has begun to surface: Who's on the hook for assessing and validating cloud security?
The sometimes-complicated world of cloud computing makes that question tricky to answer. A SaaS deployment involves the customer, the software provider and, possibly, another party that hosts the cloud software. Some projects may also involve a cloud services broker as an intermediary.
SaaS apps cover a lot of ground these days, including business-critical functions from email to ERP, yet many cloud customers appear to simply accept whatever a SaaS provider says about its level of security.
Last year, the SANS Institute, an IT security training organization, reported that only 22 percent of the organizations it surveyed rely on extensive testing and validation before putting an outsourced or cloud-based application into production.
Vetting SaaS Providers No Easy Task
SANS analysts contend it's not enough to take SaaS providers at their word. At the same time, probing SaaS security can prove difficult for enterprises.
Jim Bird, a SANS analyst and co-author of the study, cites a lack of good guidelines for how to vet a SaaS provider. Tight budgets and limited resources are also considerations. "Most organizations are fighting for resources to secure their own solutions, never mind their suppliers," Bird says.
Industry executives suggest that SaaS buyers conduct a security assessment of vendors before they buy and annually once they start using the software. Third-party reviews of SaaS vendors, however, may lighten that load somewhat.
Auditing standards such as the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and security frameworks such as ISO 27001 provide buyers with some clues to a cloud provider's security commitment. In addition, the recently launched Federal Risk and Authorization Management Program (FedRAMP) establishes a cloud security assessment standard for cloud software providers in the government space.
John Keese, CEO of Autonomic Resources, the first FedRAMP-approved cloud service provider, believes this cloud vetting approach may move beyond the government space. "We think this is probably a model that will flow into commercial."
Cloud Security Assessment Tough But Necessary Job
Paul Hill, a consultant with SystemExperts, a Sudbury, Mass.-based security consulting firm, says customers should step up to the assessment task. "When an enterprise is thinking about using a SaaS vendor or cloud service, it has the responsibility to assess the vendor and determine the risks, liabilities, and responsibilities."
Hill says an assessment could take the form of an onsite visit and in-depth interviews to review the services. Alternatively, an enterprise may opt to let the vendor perform a self-assessment through a questionnaire. A security review from an independent auditor also contributes to the overall security picture.