Securely Implement Your SaaS Program

DESCRIPTION

The devil’s in the details when realizing full value from a SaaS program.

Your Challenge

The cloud is no longer a trend, but reality. Software as a Service (SaaS) offers major business and IT benefits that organizations are urgently trying to take advantage of. For security professionals and leaders there are still major concerns. All too often an organization has decided to migrate some part of the business into a SaaS environment without major consultation or consideration of the security implications. SaaS programs are of special concern due to the ambiguity of what vendors will provide for security controls and how a consumer can even begin to determine and validate any controls. Security is the last and still largest obstacle to cloud adoption. Privacy and compliance concerns become exacerbated when control is lost.

Our Advice

Critical Insight

Handing off data doesn’t hand off responsibility. You must become your vendor’s auditor to get the security controls and confidence you need. You can’t glue on security after the fact. Include security in SaaS negotiations. Your SaaS vendor can often provide better security controls than you can.

Impact and Result

The business is adopting a SaaS program and that environment must be secured, which includes:
• Ensuring business data cannot be leaked or stolen.
• Securing the network connection points.
• Maintaining privacy of data and other information.

Use the SaaS vendor to cover some security controls through contractual and configuration requirements to limit the internal controls that must be deployed. This blueprint and associated tools are scalable for all types of organizations within various sectors.

Page 1: Securely Implement Your SaaS Program

Securely Implement Your Software as a Service Program

The devil’s in the details when securing your SaaS program.

Security is the largest obstacle to adoption of software-as-a-service. Software-as-a-Service leads the three delivery models of cloud computing (Software-as-a-Service, Infrastructure-as-a-Service, Platform-as-a-Service). Of the three it has been around the longest (most mature) and adoption continues to grow ahead of IaaS and PaaS. User convenience, application flexibility and scalability, and increased functionality are just some of the benefits that lead organizations to adopt a SaaS program. If your organization has already adopted a SaaS program or you are about to move to one, you must systematically ensure that you can achieve strong, objective security controls from your vendor in what is a very subjective world.

The Chief Information Security Officer (CISO) must ensure security receives the attention it needs and work to eliminate security as a business impediment. Security includes ensuring business data cannot be leaked or stolen and maintaining privacy of data and other information. Cloud security today is a complex issue and at times overwhelming. A whole spectrum of new risks and threats exist in the cloud that were not present on traditional premise-based networks. Although the security capabilities for a SaaS program have developed greatly and are constantly changing, the bulk of the security requirements are in the control of the SaaS provider. Moving software from traditional internal hosting and management to the cloud means transfer of many aspects of control to the SaaS provider. But handing off control does not mean handing off your responsibility and accountability for security.

Major Insight: You must become your vendor’s auditor to get the security controls and confidence you need.

Secondary Insight: You can’t glue on security after the fact. Include security in SaaS negotiations through contractual and configuration requirements.

Secondary Insight: Your SaaS vendor can often provide better security controls than you can.

Today, the new challenge is to apply the same level of enterprise-class security controls available internally to the cloud. Consumers should expect to see a report of the cloud provider's operations by independent auditors. Unfettered access to essential audit information is a key consideration of contracts and SLA terms with any cloud provider. As part of any terms, cloud providers should offer timely access to and self-management of audit event, log, and report information relevant to a consumer's specific data or applications.

The role of the CISO is changing. Traditional responsibilities of securing on-premise infrastructure, applications, people, and processes are moving into hybrid and cloud environments requiring different strategies and techniques. The CISO must be adaptive and knowledgeable with these changing forces.

CIOs aspire to spend their time:
• 54% driving business innovation.
• 45% developing and refining business strategy.
• 41% identifying opportunities for competitive differentiation.
Source: 2013 State of the CIO Survey, CIO Magazine

With increased control comes increased responsibility. Organizations must readily adopt the auditor role of their providers to ensure security requirements are being met. Through all these cloud risks and threats, cloud SaaS is not fundamentally insecure; it just needs to be managed and accessed in a secure way.

"The popular perception that the cloud is inherently insecure is wrong. It seems to imply this relationship with the cloud is untrustworthy or higher risk."
Wade Baker, Managing Principal of Research and Intelligence at Verizon
Source: RSA Security Conference, February 2014

SaaS programs arrived a while ago. The security requirements that most organizations have in order to secure an on-premise network and infrastructure can be met by cloud providers. Security can no longer be used as an excuse not to take advantage of cloud offerings. SaaS security is contingent upon proper and effective communication. You need to express your security requirements to two parties:
• First, your SaaS provider needs to know your requirements so these can be met and verified.
• Second, your internal SaaS project team needs to know the security requirements for project approval/sign-off as well as appreciate the need for security.

A SaaS program has its own unique risk profile. When adopting a SaaS program and determining what security requirements are needed, you are only concerned about your SaaS risk profile.

SaaS Risk Profile: This measure provides a level of risk your organization faces when adopting a SaaS program. It is a representation of the risks and threats faced by an organization when moving some process and associated data into a SaaS program. The risk profile may include the probability of resulting negative effects and an outline of the potential costs and level of disruption for each risk.

Insight: Ensuring security is appreciated by the organization is hard enough as it is. It becomes harder when it directly degrades major business initiatives or benefits. Take into account the business rationale for adopting a SaaS program so that security won’t be an impediment.

Insight: Due to the shared nature of SaaS, where one organization's applications may be sharing the same metal and databases as another firm's, Chief Security Officers (CSOs) must recognize they do not have full control of these resources and consequently must question the inherent security of the cloud.

Insight: Today, consumers are limited by what they can internally deploy that will secure both on-premise and SaaS cloud environments. Vendors control the cloud pretty tightly and like it that way. For SaaS programs today, there is not much you can deploy that will enable control to the level of conventional on-premise controls.

From your risk profile, determine what security controls your SaaS program needs. Base this on completeness, auditability, governability, and interoperability (CAGI).
- Evaluate vendors’ security capability completeness based on your organization’s SaaS risk profile.
- Evaluate vendors’ auditable levels of their certifications and security testing.
- Evaluate vendors’ governability by assessing transparency.
- Evaluate vendors’ portability by assessing their interoperability.

• Document your security control requirements: completeness, auditability, governability, and interoperability.
• Perform a double check on your requirements.
• Determine your cloud vendor solicitation plan.

Now that you have determined all your SLA requirements and documented them into your Security SLA – it’s time to identify vendors that have satisfied these requirements and start talking.
• Overall vendor selection and relationship management is an extremely long process with many inputs from various origins.
• Start talking now to get things going!

You will:
• Determine which vendors are appropriate for you.
• Determine which vendors support the security controls you require.
• Develop communication plans to ensure proper implementation.

Determine your identity and access controls through access provisioning and determining your authentication techniques.

In the evolving world of cloud computing, there is a need for an effective management process for any problems that may arise. Today’s reality is that cloud SLAs contain very limited information on consumer-provider management processes, except possibly for large enterprises that are capable of negotiating unique terms. Implementing an effective management process is an important step to ensuring internal and external user satisfaction with cloud-based service(s).

Purpose of this program:
• Communicate the approach for vendor governance.
• Communicate the relationship management between yourself and your CSP.

Scope of this program includes:
• The methods for formal communication of defined information.
• High-level description of the nature of information to be distributed.
