As a security administrator, I am concerned about the security of my company's data as it moves between two vendors' SaaS applications. Am I wrong to think that there's a weak link there? What steps can I take to test, monitor and strengthen security when data is en route?
For all the benefits of SaaS applications, they can introduce a number of potential security challenges and, at the very least, introduce some degree of security uncertainty (with regard to what data is stored and communicated) that must be addressed.
At a high level, there are several things you can do to help reduce ambiguity and increase your level of confidence in how your data is being handled by and between different SaaS vendors. A good place to start is with the legal agreements you have with your SaaS providers. Depending on the size of the provider and your negotiating position as a customer, these can be used to clarify how data will be handled, what controls should be in place, whom they are allowed to share data with or disclose data to, and under what conditions they do.
This can be a key area to negotiate especially if you have concerns about the legal jurisdiction or jurisdictions where your data may be stored. Service level agreements can also be negotiated to set out specific measures the provider must take to notify you in case of an unauthorized disclosure or other incident. Also remember that, in cases where SaaS providers will be sharing data with other partners, you will need them to enforce similar restrictions on those partners -- or understand situations where that is not possible.
Once you have an understanding of the legal controls in place to protect your data, you should also make sure to provide clear guidance to users in your organization about what data can and cannot be sent to SaaS providers. Depending on your organization and the provider, this might involve setting policies like, "Data for projects A, B and C can be loaded into this system, but data for projects X, Y and Z cannot."
In addition, you should examine the configuration of your instance of the SaaS application to make sure that features associated with data sharing are configured to your liking. If certain features are not needed, turning them off might make the SaaS provider less likely to manipulate and share data.
Finally, once you have the legal and policy controls in place, you can look at testing the SaaS applications to verify that they are behaving as desired. During contract negotiation, maintain the right to perform security testing. It is also useful to note that many SaaS vendors provide approved systems that allow for security testing -- these can be very helpful, assuming their rules of engagement for testing meet with your testing needs.
Security testing for SaaS vendors is typically done via dynamic scanning and manual application penetration testing, since the vendors will not be inclined to provide source code for analysis. In certain situations, you may also want to reserve the right to send testers on-site to talk with security engineers and other members of the SaaS provider's staff to better understand data flows and other specifics of application operation.
This was first published in October 2012