
Ignore cloud security assessment at your own risk

John Moore | March 14, 2013
Companies that deploy software-as-a-service often don't know everything about the security provisions their SaaS providers and partners have in place. Experts say it's because they don't know what to ask, they don't know what to test and they no longer know what's standard for a cloud service provider contract.

As a cloud service brokerage, Weinstein says Appirio fields client security questions. The company defers some inquiries to the SaaS vendor involved in a particular customer engagement: questions regarding infrastructure, data centers and the layers of security around a given application, for example.

Appirio, meanwhile, directly addresses questions related to its own security process, Weinstein notes. The company, or its business partners, may need to access a SaaS application on the customer's behalf. This means clients are interested in how Appirio protects data from internal breaches.

Specifically, customers may ask how the company handles data in transit, or in the development environment, or when it is passed among consulting partners, Weinstein notes, adding that customers continue to grapple with what to ask of their cloud providers. "We are in the very early days," he says, "and the types of questions that customers ask about the cloud...will continue to change."

If anything, Weinstein would like to see more probing questions from customers. "We still see a lot of questions aimed at considerations that are pretty well shored up at this point."

An RFP might ask cloud vendors about penetration testing or distributed denial of service vulnerability, but Weinstein says the top enterprise providers have those issues well in hand. He'd prefer to see RFPs ask about configuration security, authentication options, and the provider's ability to control access to data among employees and third parties. He suggests that those questions more closely address the security surrounding cloud applications.

For SaaS vendors, customer questions may focus on security audits. FinancialForce, for example, builds its cloud apps on an underlying platform. Jeremy Roche, president and CEO of FinancialForce, says its larger customers in particular are not only interested in the security of the underlying platform, but also in FinancialForce's application layer security.

In the last 12 months, Roche says, customers have demanded certification "over and above what we get from the base platform itself." Customers are especially interested in SSAE 16 as a sign of a sound SaaS provider, he adds, noting that customers have asked for it "on multiple occasions." To that end, the company recently went through an SSAE 16 audit, which examines a service organization's controls.

Industry Standards Offer SaaS Security Baseline

SSAE 16 is becoming a security baseline of sorts for cloud software providers, so much so that SANS' Bird says the audit standard "should be a requirement for any major SaaS solution."

That said, customers may look for evidence of SaaS security beyond SSAE 16. Roche specifically points to the U.S.-European Union Safe Harbor framework as one example. The program becomes relevant for European customers who subscribe to cloud services that host data in the U.S.; American companies self-certify that they comply with the Safe Harbor framework.
