
5 steps to SaaS security


05.03.11, 15:27, Msk

To keep your data safe, do not let suppliers dodge difficult questions, and draw your own conclusions. This is the main piece of advice that can be offered, given the growing number of offers from SaaS vendors, to those who have not yet decided where to keep their data: on local machines or in cloud systems.

Practically any business function supported by an enterprise's information technology can potentially be delivered as a service and hosted on external machines. Software as a service (SaaS) is a popular approach to organizing the work of IT systems.

An analytical study by InformationWeek shows that the percentage of companies using SaaS grew from 47% to 60% in only 11 months. However, SaaS suppliers, as a rule, avoid discussing security. They say very little about practical security, your rights as a client, or the security of your company's data.

InformationWeek predicts that the growth of SaaS and other cloud services will eventually lead to a collapse as the data security risks are studied. At that point, suppliers of cloud services will be forced to disclose more information. Until then, users should exercise discretion before allowing important data to be placed outside the company.

A large company with its own security service has a privileged position in the eyes of service suppliers. It is easier for such a company to get answers to its questions and to test the service. For example, when third-party information security consultants started a pilot project of G Suite (formerly Google Apps) in several small divisions of Walt Disney, they received informational support from Google because the customer was Disney. Google was ready to share information.

For smaller companies, things are different. This raises a serious question: why should you trust them with your company's data and reputation if they do not trust you with documents or with the ability to understand the subject?

Unfortunately, the vast majority of companies find it difficult to obtain the official information needed to make a decision about the level of risk. In such cases you have to take matters into your own hands. Adam Ely, the security director of TiVo, shared with InformationWeek his view of working with SaaS providers and made several recommendations.

1. Use third-party information sources. Ask around. Use social networks. Often you will be offered an introduction to a person who can help you get official and unofficial answers.

2. Do not trust customer references. Instead, look for current or former clients on your own and ask them to share any relevant information they can give without violating confidentiality agreements. Never trust a vendor only because it has a name, or because it has clients that you consider close to you in security systems and in spirit.

3. Search the Internet for information about suppliers and their responses to any previous security incidents. Some providers, such as Google, publish their views on security and risk management. Reading them can tell you a lot that is new.

4. Ask to run control tests. You will never be allowed to assess every important control, but scanning for a few vulnerabilities and reviewing code can give insight into the SaaS supplier's practices. Most reputable suppliers allow clients to run some tests with prior notice. If the provider shows weak control over the simplest elements, it makes sense to conclude that more advanced protection is needed.

5. Use your influence to the fullest. SaaS suppliers, like any others, are trying to build their business, and they always need a marketing boost. Even if your company is not in the Fortune 500, your particular use case for the vendor's services, or your industry, can serve as a valuable reference for the supplier. Use it as a chance to gain a deeper understanding of its security and other information.

Sometimes it comes down to a sixth sense. If the seller does not inspire trust, or there are noticeable reasons to doubt the quality of the risk management it performs on your behalf, move on, the expert says. New suppliers appear constantly.