The SaaS Security Standards Checklist for chief information security officers

Source: Internet
Author: User


Until SaaS providers raise their security standards and make them visible and controllable to customers, users themselves must manage the potential compliance risk. Security is clearly the biggest obstacle to moving business applications out of the enterprise.

Without visibility into user activity, activity monitoring, and the ability to restrict access, SaaS is a critical concern for the Chief Information Security Officer (CISO), especially with respect to compliance responsibilities. To reduce security issues, security teams (especially in large enterprises) have a lot of work to do, including:

Actively participating in sourcing, taking a proactive stance, and reviewing all SaaS relationships.

Being fully aware of the data compliance issues that surround each SaaS application.

Rejecting vendors that do not provide sufficient visibility, activity monitoring, or access control.

SaaS Security Standard Checklist

SaaS is still in its infancy and is developing rapidly, and providers vary widely. A user who wants to assess the security weaknesses or capabilities of a third-party SaaS provider therefore has to ask the right questions. For example:

How granular are the access controls?

Clearly, the biggest cause of data disclosure today is malicious or unintentional misuse of user credentials, especially logon information. Effective data protection therefore requires understanding user activity as well as managing changes.

What metrics are available for reporting?

Consider whether a report can be produced that satisfies the chief information officer, the auditor, and the board. Can enterprise data security be shown to meet regulatory requirements? It should be possible.

Ask whether the data obtained can be easily integrated into internal monitoring tools, so that it does not become a data silo. To be thorough, both internal and SaaS applications must be monitored from a centralized management console.

Finally, you must understand the business purpose of each SaaS application, especially those that handle data, and know whether the application processes confidential customer information. The relevant compliance inventory can then be carried out.

SaaS Security Issues

SaaS providers need to ensure that users cannot view each other's data. Here are some of the security standards and measures for SaaS: data security, data locality, network security, data isolation, data privacy, data disclosure, web application security, and authentication and authorization.

Customer security concerns

From an industry perspective, cloud computing has to address a large number of attributes, security above all. Initially, customers set the bar for security very high and would not allow their data to be hosted in a shared environment, which meant the cloud provider had to set aside the public cloud scheme and focus on private cloud.

Customers are also concerned about compliance and whether the provider meets audit standards (SAS 70, SOC 2, SOC 3, and SSAE 16). Sometimes they want to inspect the physical facilities, which some SaaS vendors do not permit; this is a major sticking point. In the long run, the more control the SaaS provider holds, the greater the risk. Once you understand the requirements, however, you can work with a cloud provider to reach a satisfactory level of security.

SaaS Security Dimension

Cloud computing security may be one of the hottest topics today. SaaS security is multidimensional and complex, so it should be considered within the larger, overall environment (physical, application, and network security). IaaS, along with extensibility, availability, performance, and integration, also needs to be taken into account.

Rapid deployment, customization, recycling, and multi-tenancy form another dimension, and policies and procedures form yet another. Because it is virtually impossible to excel in all of these areas, security can be determined or defined according to the user's risk tolerance.

In practice, users usually choose the appropriate security technology or mechanism after comprehensive consideration and then define their own security metrics. It is therefore recommended that providers offer best practices for cloud computing security.

Cloud security encompasses several facets and tools.

Some of the issues involved include:

Eavesdropping devices (routers, computers, IoT devices, etc.);

Failed change management;

Data manipulation and/or interception in transit;

Social engineering;

Unauthorized access by insiders.

These are some, but not all, of the areas involved. Unlike internal deployments of applications and private clouds, the public cloud adds two further points of exposure: the Internet and the internal (but externally managed) cloud.

Today's third-party cloud providers give customers limited information. Unfortunately, they cannot accurately answer questions about anomalous user access. For example, a SaaS provider cannot directly answer this key question: "Who in the organization can modify permissions?" Yet this information is essential when investigating insider attacks.

There is also a lack of industry standards that would guide SaaS vendors toward simplifying customer reporting. Even when log data is available, enterprise customers face difficult and costly integration work if its format is not agreed upon.
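The integration problem described above is concrete: each vendor exports audit logs in its own shape, and the CISO's question about permission changes has to be answered across all of them. The following is an added example (not code from the original article or from any SaaS vendor) that normalizes two constructed, hypothetical vendor log formats into one schema, merges them in time order, and lists the actors observed changing permissions. The vendor names, field names, and sample records are all assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample records: "vendor_a" exports JSON lines, "vendor_b" a pipe-delimited text.
VENDOR_A_LOGS = [
    '{"ts": "2024-03-01T10:15:00Z", "actor": "alice@example.com", "event": "role.update", "target": "bob@example.com"}',
    '{"ts": "2024-03-01T10:16:30Z", "actor": "bob@example.com", "event": "file.download", "target": "report.xlsx"}',
]
VENDOR_B_LOGS = [
    "2024-03-01 11:02:10|carol@example.com|PERMISSION_CHANGE|shared-folder|grant:write:dave@example.com",
    "2024-03-01 11:05:00|dave@example.com|LOGIN|-|-",
]

# Vendor-specific action names that mean "a permission or role was modified" (hypothetical names).
PERMISSION_EVENTS = {"role.update", "PERMISSION_CHANGE"}


def parse_vendor_a(line):
    """Map one JSON-lines record into the common schema (time, actor, action, target)."""
    rec = json.loads(line)
    ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return {"time": ts, "actor": rec["actor"], "action": rec["event"], "target": rec["target"]}


def parse_vendor_b(line):
    """Map one pipe-delimited record into the common schema; timestamps are assumed to be UTC."""
    ts, actor, action, target, _detail = line.split("|", 4)
    when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"time": when, "actor": actor, "action": action, "target": target}


PARSERS = {"vendor_a": parse_vendor_a, "vendor_b": parse_vendor_b}


def normalize(logs_by_vendor):
    """Parse every vendor feed, tag each event with its source, and return one time-ordered list."""
    events = []
    for vendor, lines in logs_by_vendor.items():
        for line in lines:
            event = PARSERS[vendor](line)
            event["source"] = vendor
            events.append(event)
    return sorted(events, key=lambda e: e["time"])


def permission_change_actors(events):
    """Actors observed modifying permissions across all feeds; this is evidence of who did,
    which is the closest the logs alone get to answering who can."""
    return sorted({e["actor"] for e in events if e["action"] in PERMISSION_EVENTS})


if __name__ == "__main__":
    merged = normalize({"vendor_a": VENDOR_A_LOGS, "vendor_b": VENDOR_B_LOGS})
    print(permission_change_actors(merged))
```

Once every feed lands in the common schema, the same detection rule runs over internal and SaaS activity from one console, which is the centralized monitoring the checklist asks for.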

Conclusion

SaaS providers face a daunting task: they must increase security visibility and controllability and convince users that they can manage potential compliance risks. Moving business applications out of the enterprise usually means a loss of security.

The Chief Information Security Officer is therefore responsible for reducing these security concerns. Customers must have a security checklist; SaaS security standards are today's hot topic, and SaaS vendors that want to win customer trust must solve these problems.
