High Security SaaS

We have all heard that the chief impediment to the adoption of cloud services is security. While that is certainly a consideration, organizations (and CISOs in particular, based on anecdotal data) are starting to accept that:

  1. Security is just one factor that must be considered, and others such as cost may be larger impediments to cloud adoption; and
  2. Cloud vendors recognize the importance of security and, due to economies of scale, many can provide better security than the average organization can on its own.

In particular, cloud users are starting to gain a strong understanding of how to securely use IaaS and PaaS offerings. SaaS offerings, on the other hand, are typically presented as a black box, leaving questions as to whether they can be used securely. It is certainly possible but requires due diligence. In this post we discuss what high security applications are, considerations for using SaaS solutions for high security applications including an approach to evaluate the SaaS solution, and some high-level examples of organizations that are already doing this. We have a few key points:

  1. Do not treat all your data as high security data.
  2. It can be advantageous from a security standpoint to outsource processing of certain types of high security data to a vendor who specializes in that type of data.
  3. When evaluating SaaS solutions, consider how you would secure the data and then ensure that the vendor provides equivalent controls to protect your data.
  4. It’s your data, so ensure that the vendor provides the transparency you need to evaluate them, including appropriate documentation from certification or similar audits conducted by a trustworthy third party.
  5. If the vendor can provide necessary and sufficient protection for your data, consider the cost savings to the security program when evaluating whether to move to a SaaS solution.

High Security Data

An application is a program that processes data, so a high security application is a program that processes high security data. All data has some degree of sensitivity — even public data that you find across the web is susceptible to integrity and availability attacks. High security data is data that if compromised would irreparably harm the user (individual or organization). Everyone has some high security data, such as bank account numbers. Sometimes the data becomes high security data because of who or what it pertains to: my physical location is much less sensitive than that of a political dissident. Some types of data are intrinsically high security, such as much military data.

This brings us to our first point: not all data is high security data, so do not hamstring your operations by treating all data as high security data. For example, an organization that develops pharmaceuticals has a lot of high security data, but they should not let that preclude them from using a SaaS offering for their employees to coordinate extracurricular activities. That said, security awareness training is critical here to ensure that employees do not discuss R&D information when coordinating extracurricular activities, just as they need to be careful not to discuss it on social media.

Outsourcing High Security Data Processing

Now then, can SaaS applications be used with high security data? Absolutely! Sometimes this is even preferable. Before we had SaaS and cloud computing, we used terms like service bureaus and application service providers. One of the oldest examples of such a firm is Automated Data Processing (ADP), which processes payroll for numerous organizations. This, of course, involves a lot of sensitive financial information. Generally speaking, if you have to deal with high security data for something that is not your core competency, there is a good chance that you are better off outsourcing that function entirely — at least from a security perspective — to someone who has a demonstrated track record of working with that data in a secure fashion. You should still consider reviewing the vendor’s security controls, as we describe below, and you should also consider whether, since they specialize in this type of data, they might be more specifically targeted by attackers.

Evaluating SaaS Security

What about high security data that is part of your core function? SaaS applications that you may want to use with your high security data range from core infrastructure such as email and group collaboration systems, to specialized systems such as continuous integration for code or automated tolerance testing on technical drawings. Regardless of the type of processing being done, it is important to think of the SaaS as being an extension of an organization’s infrastructure, particularly from a security perspective. That means:

  1. You need to know how you would protect that data, and ensure that the vendor offers an equivalent set of controls, and
  2. The vendor needs to be transparent about how they are securing your data and provide validation that what they are telling you is true.

To ensure that the SaaS vendor is securing your data properly, you first need to consider how you would secure it yourself, everything from technical controls like multi-factor authentication to administrative controls like background checks. As you are doing this, you should keep in mind the different levels of access control you would use for users versus administrators, as well as controls to ensure that users cannot see each other’s data. Only once you know how it should be secured should you work with the vendor to see how they do it. It can be tempting to just look at what the vendor provides on how they secure your data, but that can easily lead you “down the garden path” and cause you to overlook essential controls that the vendor may have neglected. Now, as you are comparing what you would do with what they have done, you should keep an open mind, and when controls do not match up exactly, ask yourself whether what the vendor has done meets your security goals. At the same time, consider their controls holistically to ensure that they provide sufficient defense in depth and do not rely too heavily on any particular control. A classic example of this is a provider who claims they do not need to patch their internal systems because they have a firewall.

Doing the above-described comparison requires that the vendor be transparent about their security practices. Many vendors will balk at such transparency. Some will claim that such transparency will undermine their security, others consider it a competitive advantage, and many don’t want to discuss it because, frankly, theirs is not very good. Keep in mind that 1) it’s your data, and 2) obscurity is not security. Even if a vendor does not openly publish their security controls, you can often have success in talking to your account representative or getting in touch with the sales team (increasingly, SaaS vendors have on-line web chat systems you can use for this purpose). If they do not want to give you the information you need, there are likely other vendors that will, or you can continue to process the data in-house.

The next consideration is how you can verify that they are doing what they said they are doing. This is where external validation or certification is useful. The two most common certifications are System and Organization Controls (commonly called SOC) reports and ISO 27000.

SOC reports have replaced the SAS70 reports, so if anyone is still using that term, they are dangerously out of date. SOC reports come in different versions and types. SOC1 reports cover financials, and SOC3 reports lack any detail on security controls, so look for a SOC2 report. The SOC type indicates whether just the design (type 1) or both design and implementation (type 2) were audited, so look for a type 2 report. SOC reports can only be issued by an accounting firm under the purview of a CPA, so look at the firm that performed the SOC audit and ensure they have the information security expertise to make a sound assessment.

ISO 27000 (colloquially, “27k”) is the International Organization for Standardization family for information security (which evolved from ISO 17799 — another extremely dated term by now). The key to ISO 27000 is that security processes are documented and followed. Consequently, compliance by itself does not mean the subject is secure. Someone could (as an extreme theoretical example) say that their security process is to only type with their left hands, and if they follow that process, they can be certified. More realistically, the above example of not patching systems because there is a firewall is perfectly acceptable under ISO 27k, so if a vendor you are reviewing is ISO 27000 certified, you need a copy of not just the certificate, but of the auditor’s letter of attestation, which is where they state exactly what it was that they reviewed and certified. ISO 27000 certification can only be performed by certification bodies that have been accredited to do so — in the United States at the time of this writing, there are only 14 accredited certification bodies.

[Figure: Cloud Security Alliance logo] The Cloud Security Alliance develops and shares valuable security information such as threat information and control recommendations for cloud vendors, providing a great basis for cloud vendors to provide secure systems.

Absent a formal certification, the vendor may have simply had an audit performed with a written report; this may be sufficient for your purposes. Ensure that the validation is performed by an external party who is qualified to perform such an audit and is impartial — that is, the vendor did not use the same contractor to implement their controls and then audit them. The validation report should cover what was actually reviewed, to ensure the vendor is not telling you one thing and showing their auditor something else. Any of the above approaches can be used in conjunction with the Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR), which establishes best practices for cloud providers — the external certification or validation occurs at level 2, with level 3 providing continuous monitoring of their controls.

SaaS Security Savings

All that might seem like a lot of work, so is it worth it? One factor to consider when moving to the cloud is not only the CapEx savings, but the OpEx savings in security. While the above might seem like a fair amount of work, it is far less work than what you would need to do to implement and operate all those security controls yourself. Also consider that many cloud vendors have heard about the importance of security from their customers and have gone to great lengths to implement robust security programs. Microsoft is an excellent example of this: where Windows security was considered a joke 20 years ago, Microsoft has invested heavily into security, particularly for Azure, and now operates, in our opinion, one of the finest security operations teams on the planet.

Brief Case Studies

Given all this, are others buying in with their high security data? Definitely. A prime example of this is the US Government’s Federal Risk and Authorization Management Program (FedRAMP), which authorizes cloud providers to operate on US Government data at various levels of sensitivity, up to High risk data. (Bringing this together with the previous point, Microsoft is the only vendor with a SaaS offering authorized at the High level.) It is important to note that the US Government will often require that its high security data be processed in a dedicated data center as part of its controls. The US Military even goes so far as to use cloud services that are on private networks, not accessible from the Internet. Even if you are not the largest enterprise in the world, you can often negotiate with cloud providers to have your instance operated on dedicated hardware, but be sure you examine other areas where your data may co-mingle with that of other customers (databases, network hardware, etc.).

Summary

To recap our key takeaways:

  1. Do not treat all your data as high security data.
  2. It can be advantageous from a security standpoint to outsource processing of certain types of high security data to a vendor who specializes in that type of data.
  3. When evaluating SaaS solutions, consider how you would secure the data and then ensure that the vendor provides equivalent controls to protect your data.
  4. It’s your data, so ensure that the vendor provides the transparency you need to evaluate them, including appropriate documentation from certification or similar audits conducted by a trustworthy third party.
  5. If the vendor can provide necessary and sufficient protection for your data, consider the cost savings to the security program when evaluating whether to move to a SaaS solution.

There are always risks in outsourcing but rest assured that you are not alone in making this move. If you need help in this process, BuboWerks has extensive experience in designing appropriate security controls for information of all security levels, as well as vendor management including assessment and comparing the vendor’s controls to your security needs. Contact us if we can help you in these areas.
