As more organizations, institutions and corporations turn to social networking tools to improve collaboration and knowledge sharing, serious concerns have emerged around security, privacy and compliance, both corporate and regulatory. These concerns matter even more when the vendor delivers its product under a software as a service model, more commonly known in the industry as SaaS.
In this four part series, I will discuss some of the security concerns that come with SaaS offerings and how you can minimize your risk. As you most likely know, there are many levels of security, and understanding how much or how little you need is essential when choosing the right solution. For simplicity, I have broken security down into four key areas, which I will discuss separately in this series:
Physical security refers to how secure the location is where your application and/or data are stored. As a consumer, you need to know what measures are in place to prevent or deter attackers from physically accessing the facility, the equipment, or the information stored on site. Most software companies that offer SaaS solutions, IGLOO included, partner with a service provider for data centre hosting. For example, IGLOO Software contracts with a company called FusePoint, which provides us with the necessary physical security infrastructure, including explosion protection, environmental design, mechanical and electronic access control, intrusion protection and video monitoring.
A quick way to assess a hosting provider is to confirm that it has been independently audited, and then to read the audit report yourself rather than relying on the claim alone.
There are two established standards for measuring the internal controls of a service organization that provides outsourcing services: CICA 5970 is the Canadian standard administered by the Canadian Institute of Chartered Accountants, and SAS 70 is the US equivalent developed by the American Institute of Certified Public Accountants. (Both have since been superseded, by CSAE 3416 and SSAE 16 respectively, the latter producing what are now called SOC 1 reports, with SOC 2 reports covering security controls specifically; the Type I / Type II distinction below carries over unchanged.) Keep in mind that these audits attest that the controls the provider itself describes are in place, not that those controls are sufficient for your data, so read the control objectives and the scope of the report, not just its cover page. There are two types of reports:
- A Type I service auditor's report contains the auditor's opinion on whether the service organization's description of the controls placed in operation is fairly presented, and on whether those controls are suitably designed to achieve the stated control objectives, as of a single point in time.
- A Type II service auditor's report contains everything in a Type I report and adds the auditor's opinion on whether the specific controls actually operated effectively throughout the period under review. For a hosting provider, a Type II report is the more meaningful of the two, because design alone says nothing about day-to-day practice.
Some questions you might want to ask:
- Where are they located, and how far are they from you? Are they in a shared high-rise (harder to control who enters the building) or in a basement (risk of flooding)?
- Are they connected directly to a major internet backbone or exchange point? (more network hops = higher latency)
- Do they offer managed services, i.e. will they replace a failed drive or update hardware and software for you?
- If they have been CICA 5970 or SAS 70 audited, when were they last audited, by whom, and which facilities and controls did the report actually cover?
- Are they PCI DSS compliant for handling cardholder data? This standard was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International. Ask to see the attestation of compliance and check that it covers the environment your data would sit in.
- Do they hold hardware or software partner certifications from vendors such as IBM, Microsoft or HP? Do they hold ISO certifications, in particular ISO/IEC 27001 for information security management?
- What is their disaster recovery plan? What is their escalation policy? Is there redundancy on mechanical systems, power, cooling and network connectivity?
- How many outages and physical security incidents have they had over the last two years, and what were the outcomes?
- What major customers are using their services?
It is very important to ensure that the physical environment housing your sensitive consumer, business and/or employee data is secure. Please add your thoughts, comments and experiences to this article. I would love to hear from you.
Check out the next article in the series to read about application security as it relates to SaaS applications. I found this video on YouTube... this company is taking security to a whole new level. Enjoy.