Lithium Technologies, an Emeryville, Calif.-based company that focuses on social customer experience solutions, takes a multi-layered approach to assessing SaaS vendor security. The company runs a significant portion of its business in the cloud, tapping Box for collaboration, Okta for identity management and Salesforce.com for customer relationship management.
Misha Logvinov, Lithium's senior vice president and chief customer officer, says the company has established a security evaluation process. One component is finding out how a product is architected and whether it incorporates security in its design, he notes. Typically, Lithium will meet with the cloud vendor's product management and engineering personnel to discuss the architecture issue.
Logvinov says the company also wants to know whether a vendor has a security program in place and whether security is integrated into the software development lifecycle. Lithium also looks for audit and security standards such as SSAE 16 and ISO 27001. "[Since] we essentially delegate more risk to the cloud providers," he says, "we want to make sure we can fully trust the cloud providers."
SaaS Testing Misunderstood, Not to Mention Difficult
It's generally agreed that customers should test. So why aren't more stepping up?
Lack of clarity is one issue. Deb Radcliff, executive editor of the SANS Analyst Program, says organizations don't necessarily understand what they need to do in SaaS testing. "There is a lot of confusion about what type of vetting they need to do with a SaaS provider, how to conduct the vetting and then how to maintain the visibility they need when using hosted applications," she says.
The nested nature of cloud services further complicates testing. A SaaS provider's software may run in another company's hosting facility, for example. Hill says an enterprise shouldn't stop with an assessment of the cloud service vendor; it must also evaluate the vendor's third parties, such as colocation facilities and cloud infrastructure services.
"An enterprise should also know about those relationships and what types of assessments the primary cloud service provider has performed when selecting those providers," he says.
Budget practices and economics also play a role in limiting SaaS testing. Glenn Weinstein, co-founder and CIO at Appirio, a cloud services provider based in San Francisco, says IT organizations may lack a formal budget line item for SaaS testing and instead rely on the vendor to provide security. "It's still not top of mind in the budgeting process. You don't see it broken out as a separate line of the security budget."
There Are No Dumb Cloud Security Questions
Just because an enterprise lacks a formal SaaS testing budget doesn't mean it isn't asking security questions, Weinstein notes. He's seen IT security teams invest significant time with cloud vendors as part of the RFP process.