The seven goals a SaaS security review should address
By Ken Asher, Sales Engineer, Security, Smartsheet
Enterprises have made many attempts to standardise the security evaluation of SaaS applications, including establishing certifications to improve clarity and normalise risk, purchasing compliance suites, and building frameworks to keep all of the information aligned, but none of these attempts have succeeded in establishing consistency. Organisations need a model that will effectively assess every type of SaaS application so comparisons can be made across the board.
In order to develop a comprehensive understanding of risk, a few key elements must be fulfilled. Without them, it is much more challenging for auditors to reach a thorough understanding of risk. Unfortunately, these elements are often the most difficult to fulfil.
The first is corroborating data. Most IT departments conduct vendor security assessments in a vacuum, without adequate information. Each auditor may hold a piece of the overall puzzle, but none sees the bigger picture, because auditors rarely collaborate and typically assess a vendor's security only once, before purchasing a solution. As a result, they draw risk conclusions from what amounts to a single data point on each vendor control.
The second element is a comprehensive view of the SaaS vendor’s security practices. Some SaaS vendors are reluctant to give auditors the full details of their security practices for fear it may reduce the efficacy of their security controls. For example, exposing the details of an encryption implementation might help attackers devise a plan to break it, so vendors are often hesitant to reveal this information. As a result, IT departments don’t have a complete understanding of the security controls the vendor has in place.
The final element that is often missing is the means to measure the effectiveness of audit control questions, assessment frameworks, and the auditors themselves. Currently, the only surefire feedback assessors receive is a vendor data breach.
SaaS vendors’ perspective on security assessment
SaaS vendors’ business often hinges on a successful security assessment outcome, so it’s in their best interest that their prospects have an effective process for evaluating security practices. Such a process is likely to lead to appropriate, well-informed risk decisions by buyers. Conversely, inconsistent assessment questions, auditor inefficacy, and inaccurate risk conclusions are detrimental to widespread SaaS adoption.
In addition, many SaaS vendors are affected by the lack of a standard method for assessing vendor security: every assessment arrives with unique questions that must be carefully reviewed, and answers must be crafted and considered for each one. This makes the process far more tedious and labor intensive.
Clearly, it is in the best interest of both SaaS vendors and organisations’ IT departments to establish a consistent risk-evaluation process. So how can this be accomplished? First, let’s consider the key goals:
- Relieve some of the vendors’ labor burden to complete security assessments
- Make more data available to the assessors
- Standardise and improve the quality of audit questions
- Measure and improve assessor capabilities
- Transform stand-alone audit into consensus audit
- Reduce the cost of a high-quality audit
- Improve the ability of small businesses to make informed risk decisions
The most effective solution would be one that accomplishes all seven goals. It could be built in a variety of environments, say within an existing GRC (governance, risk management, and compliance) tool, in an Excel document, in a Smartsheet, or even simply as a security audit list in Microsoft Word.
It can be accomplished with a method that enables IT departments to collaborate with their peers on their assessments of vendors. The solution should include peer review of both assessments and assessors, categorisation of assessment questions with rate-and-comment capabilities, and a means to protect vendors' security practices while making collaborative assessment information available to the public. This information would give auditors much-needed corroborating evidence to help them understand the risk in each functional control area.
This approach (simplified here for brevity) would also give customers the ability to compare their own results against the established community baseline for each functional control area. That would allow them to draw conclusions related to the efficacy of their own auditors and the relative strength of their assessment process. Additionally, making collaborative assessment information public allows small businesses that don’t have sophisticated information security departments to make informed risk decisions when purchasing software.
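The comparison against a community baseline described above can be made concrete. The following is an added illustration, not code from the article or from Smartsheet: it aggregates several peer organisations' scores for one hypothetical vendor into a per-control-area baseline, then compares one organisation's own auditor against that baseline. The control-area names, scores, the minimum number of corroborating assessors and the divergence threshold are all constructed assumptions; an area scored by only one peer is reported as insufficiently corroborated, reflecting the single-data-point problem noted earlier.

```python
from collections import defaultdict
from statistics import mean
from typing import Dict, List

# Constructed sample data (not from the article): three peer organisations'
# assessments of one hypothetical vendor, scored 1 (weak) to 5 (strong)
# per functional control area. A fourth area was scored by only one peer.
PEER_ASSESSMENTS: List[Dict] = [
    {"assessor": "org-a", "area": "encryption", "score": 4},
    {"assessor": "org-a", "area": "access_control", "score": 3},
    {"assessor": "org-a", "area": "incident_response", "score": 4},
    {"assessor": "org-b", "area": "encryption", "score": 5},
    {"assessor": "org-b", "area": "access_control", "score": 3},
    {"assessor": "org-b", "area": "incident_response", "score": 2},
    {"assessor": "org-c", "area": "encryption", "score": 4},
    {"assessor": "org-c", "area": "access_control", "score": 4},
    {"assessor": "org-c", "area": "incident_response", "score": 3},
    {"assessor": "org-c", "area": "vuln_management", "score": 5},
]

# Assumed policy values: how many independent assessments make a baseline
# corroborated rather than a single data point, and how far an organisation's
# own score may sit from the baseline before its auditor's result is reviewed.
MIN_ASSESSORS = 2
DIVERGENCE_THRESHOLD = 1.0


def community_baseline(assessments: List[Dict]) -> Dict[str, Dict]:
    """Aggregate peer scores into a per-control-area baseline (mean and count)."""
    by_area: Dict[str, List[int]] = defaultdict(list)
    for a in assessments:
        by_area[a["area"]].append(a["score"])
    return {
        area: {"mean": round(mean(scores), 2), "n": len(scores)}
        for area, scores in by_area.items()
    }


def compare_to_baseline(own: Dict[str, int], baseline: Dict[str, Dict],
                        min_assessors: int = MIN_ASSESSORS,
                        threshold: float = DIVERGENCE_THRESHOLD) -> Dict[str, Dict]:
    """Compare one organisation's scores against the community baseline.

    Each control area gets a status:
      "insufficient_data" - too few peers scored it for a meaningful comparison
      "divergent"         - own score differs from the baseline by more than threshold
      "aligned"           - own score is within threshold of the baseline
    """
    report: Dict[str, Dict] = {}
    for area, own_score in own.items():
        ref = baseline.get(area)
        if ref is None or ref["n"] < min_assessors:
            report[area] = {"own": own_score, "baseline": None,
                            "n": 0 if ref is None else ref["n"],
                            "delta": None, "status": "insufficient_data"}
            continue
        delta = round(own_score - ref["mean"], 2)
        status = "divergent" if abs(delta) > threshold else "aligned"
        report[area] = {"own": own_score, "baseline": ref["mean"],
                        "n": ref["n"], "delta": delta, "status": status}
    return report


def divergent_areas(report: Dict[str, Dict]) -> List[str]:
    """Control areas where the organisation's own auditor disagrees with the peer consensus."""
    return sorted(area for area, row in report.items() if row["status"] == "divergent")


# Constructed: the reviewing organisation's own scores for the same vendor.
OWN_ASSESSMENT = {"encryption": 4, "access_control": 1,
                  "incident_response": 3, "vuln_management": 5}

if __name__ == "__main__":
    baseline = community_baseline(PEER_ASSESSMENTS)
    report = compare_to_baseline(OWN_ASSESSMENT, baseline)
    for area, row in report.items():
        print(f"{area:18} own={row['own']} baseline={row['baseline']} "
              f"n={row['n']} -> {row['status']}")
    print("areas needing auditor review:", divergent_areas(report))
```

In this constructed run the organisation's access-control score sits more than two points below the peer consensus and is flagged as divergent, while the vulnerability-management area is reported as insufficiently corroborated because only one peer scored it. A divergence is a prompt to examine the assessment question and the auditor, not proof that either side is wrong.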
Everyone from SaaS vendors to potential buyers of every stripe can benefit from increased collaboration and vendor transparency. Implementing a collaborative solution would significantly improve the security assessment process and benefit enterprises, small businesses, and SaaS vendors alike. It would allow IT departments to help their line-of-business leaders find and purchase business enablement solutions with confidence, knowing that their data is protected.