May 7, 2018
What is a Saas Security Audit?
In the past, when companies purchased software solutions, it was the IT department that did all of the leg work to negotiate, procure and deploy the new system, whether it was intended for finance, human resources or marketing.
In the cloud-based era we're living in today, technology is far more accessible to less technical departments and teams. It's entirely possible for a CMO or a CFO to purchase and implement a new software solution without involving the CIO or IT team at all (not that this is always recommended).
Line of business leaders who haven't yet been through a couple dozen software deployments may not be aware of the ins and outs of a security audit: what it is, why you need one, how long it takes, and generally what to expect.
Enter Chris Henderson, Manager of Operations for Security Services at Workfront. We asked Chris a few basic questions that will help you navigate a SaaS security audit of your own.
Q: What is a SaaS security audit?
A: When you're considering purchasing a new SaaS (software as a service) solution for your business, it's important to ensure each vendor follows proper security protocols, so whatever data you'll be saving or sharing in their cloud-based system remains protected and private. A simple audit process will allow you, preferably with the involvement of your in-house IT or security team, to ask a series of questions that will help you gauge the risks and rewards of working with this vendor.
Obviously, the goal is for the system to be simple and accessible for authorized individuals but impenetrable to everyone else. It's a delicate balance. Realize that 100% security means 100% inaccessibility. If no one can get in without submitting a DNA sample, it won't be very usable. Simplicity is essential if you want your team to willingly use this thing. While no system is perfect, there are questions you can ask to make sure your potential vendor strikes the right balance between security and usability.
Q: Why perform a SaaS security audit?
A: If CYA isn't reason enough, think of protecting the business as a whole. You don't want to be responsible for selecting the one cloud-based vendor that puts your company's compliance audits in jeopardy or, heaven forbid, causes a security breach that damages the health or reputation of your company.
While it is true that most cloud-based companies have developed systems that match or exceed the security delivered by on-premises software—and yes many of these firms eat, sleep and breathe security all day long—you should still never take a vendor's word for it. Get your IT team's inherent paranoia on your side so you can ask the right kinds of questions.
Q: Who should be involved in the audit?
A: The person who wants the solution, whether that's the head of marketing or finance, should take the lead on the SaaS security assessment. You want one individual to be gathering the data and acting as the go-between. But to protect yourself and your company as a whole, you'll want to also involve the most paranoid individuals in your company—namely, the IT and security team. They may not wear their tin foil hats to work, but they know what can happen; they've seen too much. Depending on how your company is structured, you may also involve your procurement team and your legal department.
You don't have to know the difference between SAS 70 and SSAE 16 to manage this process. Your IT team has been through this before. Ask them to help you prepare your list of questions, and have them review the responses you receive back. If issues occur with this vendor in the future, you definitely want to have a record that you consulted your in-house security experts at the right time in the process.
Q: When is the best time for an audit?
A: Definitely complete your security assessment before you seal the deal. Your vendor will be far more eager to answer all of your questions before you've given them your money. But don't wait until the day you're signing the contract. Start talking security as soon as you've narrowed down your final list of potential solutions. If you have just one candidate you're considering, get going on your security discussion as soon as you determine this is a viable option for you.
Q: How long will it take?
A: The entire process will usually take a couple of weeks. A lot of big companies have crazy RFP (request for proposal) security questionnaires that they send to all potential SaaS vendors as a matter of course. At Workfront, we just finished and returned a 38-page RFP from a potential client that had 20-25 questions per page.
If you're not sharing data of a particularly sensitive nature, you won't need to go that far. There's a big difference between meeting minutes and calendars and the top-secret ingredients of your company's secret sauce. You can and should expect strong security no matter what you're storing in the vendor's cloud, but not every type of data needs to be subjected to the same internal security requirements.
Q: What questions should I ask in my audit?
A: The questions will vary based on the type of data you'll be storing, but here are some general questions to get you started:
- Do they support encryption at rest?
- Do they support encryption in transit?
- Do they support SSO (single sign on)?
- Do they do regular penetration tests?
- What compliances and certifications do they have?
- Do they have an incident response plan?
- Do they have a disaster recovery policy and plan?
No Need for a Decoder Ring
If you're a line of business leader who finds yourself in charge of a security assessment for a new cloud-based service provider, don't feel like you have to invest in a decoder ring. Just because you're the one asking the questions, that doesn't necessarily mean you have to fully understand all of the answers. After all, the SaaS industry is rife with inscrutable acronyms—SSO, LDAP, AICPA, SAML, SOC 1 Type 2, SOC 2 Type 2.
Just seek the help of the right internal teams (the ones with the tinfoil hats). If they give you the thumbs up on both the questions you're asking and the responses you receive back, then you can proceed with confidence.