 |
| Courtesy Doug Cahill blog (ESG Research |
Any company selling SaaS will recognize this type of customer concern.
Of course the reality is that there is no one "cloud". Maturity and capability will vary across all organizations and industries. Unfortunately, many risk assessors mistake possession for security.
When assessing risk to adopt a SaaS product, consider..
SaaS provider VS on-premises
Technical control
- Is meaningful encryption provided by the SaaS provider? What about on-premises?
- What methods exist to prevent exploitation at the SaaS provider? How does this compare to on-premises?
- How well will the SaaS provider profile and understand expected application behavior? Are on-premises applications profiled and well understood?
- How quickly can the SaaS provider implement service updates? How quickly do you upgrade and patch complex on-premises applications?
Security Staff & Focus
- What is the SaaS provider's incentive and capability to prevent a breach? How does this compare with on-premises security commitment and capability?
- What percent of the SaaS organization is devoted to security and control? How about on-premises?
- Is the SaaS provider staffed to monitor, defend, and respond to attacks? On-premises?
Target & Incentive
- What incentive might an attacker have to breach the SaaS provider? How about on-premises?
- What capability to detect or prevent advanced or targeted attack does the SaaS provider have? How about on-premises?
- If the SaaS provider is breached, will you be notified? If on-premises is breached, will you be notified?
Businesses adopting a "Cloud" product are forging a strategic partnership. The partner must be both capable and trustworthy.
No different than any other potential business partnership, it requires due diligence to ensure mutual alignment.
References:
Doug Cahill: Squirrel! What to chase at Black Hat 2016
ESG Research Report: The Visibility and Control Requirements of Cloud Application Security
No comments:
Post a Comment
Share your thoughts.