As a cloud service brokerage, Weinstein says, Appirio fields client security questions. The company defers some inquiries to the SaaS vendor involved in a particular customer engagement: questions regarding infrastructure, data centers and the layers of security around a given application, for example.
Appirio, meanwhile, directly addresses questions related to its own security process, Weinstein notes. The company, or its business partners, may need to access a SaaS application on the customer's behalf, so clients are interested in how Appirio protects their data from insider misuse and internal breaches.
Specifically, customers may ask how the company handles data in transit, or in the development environment, or when it is passed among consulting partners, Weinstein notes, adding that customers continue to grapple with what to ask of their cloud providers. "We are in the very early days," he says, "and the types of questions that customers ask about the cloud...will continue to change."
If anything, Weinstein would like to see more probing questions from customers. "We still see a lot of questions aimed at considerations that are pretty well shored up at this point."
An RFP might ask cloud vendors about penetration testing or exposure to distributed denial-of-service (DDoS) attacks, but Weinstein says the top enterprise providers have those issues well in hand. He'd prefer to see RFPs ask about configuration security, the authentication options offered (for example, single sign-on and multi-factor authentication), and the provider's ability to control which of its employees and third parties can access customer data. He suggests that those questions more closely address the security surrounding cloud applications.
For SaaS vendors, customer questions may focus on security audits. FinancialForce.com builds cloud apps on Salesforce.com's Force.com platform. Jeremy Roche, president and CEO of FinancialForce.com, says its larger customers in particular are interested not only in the security of the underlying platform but also in FinancialForce's own application-layer security.
In the last 12 months, Roche says, they have demanded certification "over and above what we get from the base platform itself." Customers are especially interested in SSAE 16 as a sign of a sound SaaS provider, he adds, noting that customers have asked for it "on multiple occasions." To that end, the company recently went through an SSAE 16 audit, an attestation engagement in which an independent auditor examines a service organization's controls and reports on their design and operating effectiveness.
Industry Standards Offer SaaS Security Baseline
SSAE 16 is becoming a security baseline of sorts for cloud software providers, so much so that SANS' Bird says the audit standard "should be a requirement for any major SaaS solution."
That said, customers may look for evidence of SaaS security beyond SSAE 16. Roche specifically points to the U.S.-European Union Safe Harbor framework as one example. The program becomes relevant for European customers who subscribe to cloud services that host data in the U.S.: American companies self-certify that they comply with the Safe Harbor framework, which is a statement of the provider's privacy commitments rather than an independent audit of its security controls.