How do you assess the security of SaaS?

Use two padlocks…

In procurement processes we see all sorts, including in relation to security:

  • long lists of questions created by IT departments who are often not deep experts in cloud computing security
  • out-of-date questionnaires of 300 questions from 3rd parties
  • an occasional request to conduct penetration testing
  • no reference to security at all

There is a growing acceptance that vendors solutions should be secure. But there is no consensus about how to assess this.

We are ISO 27001 accredited. But you can argue that ISO 27001 isn’t enough. Like all ISO accreditations, it identifies that processes exist. So it does not guarantee that information is secure, just as in the case of 9001 it doesn’t guarantee that products are of high quality.

And of course, it is people, not technology itself, who breach security. For this reason, we have started doing employee screening in line with relevant recommendations including:

Perhaps a simpler set of questions would be better with a view to determining whether security is likely to be high, medium or low:

  1. Provide evidence of how seriously you take security in relation to premises, people, process and technology (hardware and software end-to-end).
  2. How often do you undertake independent assessment of your security?
  3. Will you share the assessment’s findings with us, and explain how you have addressed those?
  4. How many breaches of security have you experienced in the last 3 years?

And this should be separated from questions about continuity of service and resilience, which are sometimes conflated with security.

This is a topic which would benefit from more thought, discussion, and collaboration between interested parties.