Addressing SaaS Concerns
This is the second part of a two part post on using SaaS (Software-as-a-Service) applications within your business. In the first part, Guest Author Vikram Prashar looked at the benefits of using SaaS and why it has become so popular. In this post, he will provide information on the potential risks of using this software and ways to mitigate those risks.
How do you make sure YOU are comfortable?
Ultimately, the most important point is for the accounting department, generally the CFO and Controllers, to be comfortable that their valuable data is held somewhere secure and that privacy is maintained. Any organization, regardless of size, should have an in-house security policy in place that addresses access levels, access control, password policy, etc. Without an enforceable, agreed-upon policy the business is vulnerable to its own internal employees. This holds true for manufacturing or engineering applications as well, but financial data tends to draw greater security concerns. To reach a level where the CFO will be more comfortable, a comprehensive list of items must be addressed regarding SaaS:
- What access controls are in place? Who can make changes to various user groups within the application and are those changes logged?
- What change control processes are in place? When can the systems be brought down for scheduled maintenance or patches? Does it require client approval or is it determined by the service provider?
- Does the service provider conduct regular external third-party security audits on their systems? The service provider should have a penetration test conducted by an external firm such as eEye or Qualys. These reports should be made accessible to clients for their systems upon request.
- What kinds of backup and recovery methods exist? Can the service provider ensure that backups are done in a manner consistent with company policy? Furthermore, can they restore data deleted either accidentally or maliciously? This MUST be tested before going live.
- If the application connects to your internal user directory (Active Directory), how is the connection made? Is it a point-to-point VPN? How does that affect your access away from the office? Many applications offer single sign-on, but that requires access to your network. It is not unreasonable to ask for security certifications from the provider’s network engineers: CCIE, CISSP, or similar.
- Does the service provider have a Statement on Accounting Standards (SAS-70) certification? This helps validate that they have adequate operational controls in place.
- Does the service provider give agreeable Service Level Agreements on all their services? It is imperative that clients get a detailed SLA in writing from any service provider, but particularly for a financial application. What are the consequences for clients not being able to access their systems: refunds, credits, the ability to exit the contract?
- Just because the application is provided by an external service does not mean the organization can ignore application-specific security issues. They must make sure they have controls and methods to ensure password policy, account lock-outs, detailed log files that record unauthorized access, etc. One item to ask the provider is whether passwords are sent over the internet encrypted or in clear text. This will give a strong indication of the security focus of the Application Service Provider. If you get a blank look from them when asking this question, that is a major red flag.
- If the application can be accessed via a web browser, who is responsible for renewing the security certificate? Lastly, ask them about the tools used in their application and whether they routinely patch vulnerabilities in Java or similar components.
- The ASP should be willing to provide you with a tour of their data center upon request. It need not be the exact data center where your applications are stored but it will give you a general idea of their operations.
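The lock-out and logging controls in the list above are easy to ask about but harder to verify. The following script is an added example, not part of the original post or any provider's product: it replays constructed authentication log lines through an assumed policy (5 failures within 15 minutes locks the account) and flags any successful login that occurred while the account should have been locked, which is exactly the kind of unauthorized-access event the provider's logs must capture and the client must review. The log format, field names and threshold are assumptions.

```python
"""Lock-out / unauthorized-access check over exported SaaS authentication logs.

Added example (not from the original post). The line format
"<ISO timestamp> <user> <FAIL|SUCCESS> <source ip>", the 5-in-15-minutes
threshold and the sample log lines are all constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                 # failures before the account is locked (assumed policy)
LOCKOUT_WINDOW = timedelta(minutes=15)

# Constructed sample export: alice is brute-forced and then logs in anyway,
# bob mistypes once and logs in normally half an hour later.
SAMPLE_LOG = """\
2009-07-09T09:00:01 alice FAIL 203.0.113.7
2009-07-09T09:00:08 alice FAIL 203.0.113.7
2009-07-09T09:00:15 alice FAIL 203.0.113.7
2009-07-09T09:00:22 alice FAIL 203.0.113.7
2009-07-09T09:00:29 alice FAIL 203.0.113.7
2009-07-09T09:00:40 alice SUCCESS 203.0.113.7
2009-07-09T09:05:00 bob FAIL 198.51.100.2
2009-07-09T09:30:00 bob SUCCESS 198.51.100.2
"""

def parse(line):
    ts, user, result, ip = line.split()
    return datetime.fromisoformat(ts), user, result, ip

def evaluate(log_text):
    """Return (locked_accounts, findings).

    locked_accounts: users whose failures reached the threshold inside the window.
    findings: (user, timestamp, ip) for successful logins that happened while the
    account should still have been locked; each one is a control failure to raise
    with the provider.
    """
    recent = defaultdict(deque)       # user -> timestamps of failures inside the window
    locked_since = {}                 # user -> time the lock-out should have started
    findings = []
    for line in log_text.strip().splitlines():
        ts, user, result, ip = parse(line)
        q = recent[user]
        while q and ts - q[0] > LOCKOUT_WINDOW:   # drop failures older than the window
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            if len(q) >= LOCKOUT_THRESHOLD and user not in locked_since:
                locked_since[user] = ts
        elif user in locked_since and ts - locked_since[user] <= LOCKOUT_WINDOW:
            findings.append((user, ts.isoformat(), ip))
    return sorted(locked_since), findings
```

Run it against a real export from the provider and compare the findings with what their own audit log reports; an empty findings list with a non-empty locked list means the lock-out was enforced as promised.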
Summary
In conclusion, SaaS can be as secure as any in-house application. It requires a level of due diligence similar to that applied to the security of your office network, and in fact more. If the aforementioned items are covered and the service provider will give references for any of their clients (you select which ones you want from the service provider’s website), you should be able to enjoy the many benefits of SaaS. Understand that you will be required to maintain a relationship with your service provider to make sure they continue to meet your needs in a secure and auditable manner. Enlist the services of an experienced IT consultant, or ensure that someone within the organization does a comprehensive check on these and other organization-specific security concerns. All application providers will swear that they have a secure and reliable infrastructure, but it is ultimately your responsibility to ensure that a sound policy and service level agreement exist and that these can be enforced.
For further information, Vikram Prashar can be contacted at vprashar@prasharconsulting.com.
One Response so far
Trishan Arul
July 9th, 2009
11:59 am
Sorry Vik – I can’t help but add in my two cents!
One other consideration is the SaaS service provider themselves. How large is the company? How long have they been in business? Are they profitable? Who funded them? I would never recommend not dealing with a startup since every company has to start somewhere but just make sure that you protect yourself in case the company goes under. Some options are:
- Don’t pay in advance
- Ensure there are export capabilities and that you regularly export your data
- Check to see what other vendors/applications can import this data
- Try to get a license to run the code on your own server for internal use in the event the company goes bankrupt (unlikely unless you are a huge client dealing with a tiny vendor)
- Dealing with local companies helps so that you can literally show up at their door if necessary
I’d love to hear other ideas to protect your business while enjoying the benefits of SaaS services.