We will focus this discussion on SaaS (Software-as-a-Service) vendors since they are being utilized by 80% of businesses. It’s no mystery why the SaaS model is so popular. It’s cost-effective, the onboarding process is far easier than an on-premise product, and the maintenance of the application is not your responsibility.
While that may sound incredibly convenient, the last point, in particular, can present some horrors for you and your organization. We’ll get to those shortly.
Leading SaaS application providers like Cisco, Salesforce, GitHub, Workday, and ServiceNow all have one thing in common: they maintain their reputation through acts of transparency, most notably being transparent when there is a change that may impact your business.
This includes patching to minimize vulnerabilities, breach notifications, and other situations that require customer notification. If processes are not in place to inform you when necessary, consider this your first red flag and tread carefully. To sign up for ThousandEyes notifications of privacy and subprocessor changes, contact us at firstname.lastname@example.org or email@example.com. To request ThousandEyes information security and privacy documentation, visit the Cisco Trust Portal and search for ThousandEyes.
Most SaaS applications require the handling and/or processing of PII (personally identifiable information). Common examples are usernames, passwords, and email addresses. If this is the case, you must be notified when a new subprocessor is being brought into the equation. ThousandEyes maintains a publicly available list of their subprocessors here, which includes a log of any notable changes. If your SaaS provider does not provide a notification method for new subprocessors, this is another red flag.
Some services you acquire will take priority over others, and your review of those vendors' controls and operations should receive correspondingly more attention. Applications that are critical to your business must have appropriate Service Level Agreements (SLAs) in place to ensure that your operations are not jeopardized in the event of a disruption. If your SaaS provider does not provide SLA commitments for uptime, this is another red flag. Visit the ThousandEyes Support Services Policy, which addresses the SLA details you may want to be informed about.
This post is largely about vendors and their effectiveness in being visible, secure, and a reliable source of the services you require. There are things that you can and should be doing to take your due diligence a step further for vendors that are critical to your infrastructure. Research tools on the web, such as LinkedIn, are a great place to learn how much staffing is dedicated to a vendor's security team. Do they have sufficient members and resources to keep your data protected? Take advantage of free information that is publicly available to you. Another example is SSL Labs; it does not hurt to run a test on a potential vendor's application portal. Lastly, Mozilla Observatory scans are a quick and harmless way to look into the TLS, SSH, and HTML configurations of a website and provide valuable insight into the security of a website or application portal.
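As an added example of the kind of check the SSL Labs and Mozilla Observatory scans above perform (this is not ThousandEyes' code, and the hostname, the 30-day certificate threshold and the sample result are assumptions), the script below opens one validating TLS connection to a vendor portal, records the negotiated protocol and certificate expiry, separately tests whether the server still completes a handshake capped at TLS 1.1, and turns the observations into due-diligence findings. Run with no arguments it evaluates a constructed sample result offline; run with a hostname it probes that host.

```python
"""Minimal TLS posture check for a vendor's portal (added example)."""
import socket
import ssl
import sys
import time

LEGACY_VERSIONS = ("TLSv1", "TLSv1.1")  # deprecated by RFC 8996
CERT_WARN_DAYS = 30                     # assumed threshold; tune to taste


def accepts_legacy_tls(host: str, port: int, timeout: float) -> bool:
    """True if the server completes a handshake with the client capped at TLS 1.1.

    Verification is disabled on purpose: we only want to know whether the
    legacy protocol is offered, not whether the certificate is valid."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.maximum_version = ssl.TLSVersion.TLSv1_1
    except ValueError:
        return False  # local OpenSSL will not even offer TLS 1.1
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect once with the platform's default (validating) context and
    record what was negotiated. Requires network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "host": host,
                "version": tls.version(),
                "cipher": tls.cipher()[0],
                "not_after": ssl.cert_time_to_seconds(cert["notAfter"]),
                "accepts_legacy": accepts_legacy_tls(host, port, timeout),
            }


def assess(result: dict, now: float) -> list:
    """Turn a probe result into a list of human-readable findings."""
    findings = []
    if result["version"] in LEGACY_VERSIONS:
        findings.append("negotiated a deprecated protocol: " + result["version"])
    if result.get("accepts_legacy"):
        findings.append("server still accepts TLS 1.1 or older")
    days_left = (result["not_after"] - now) / 86400
    if days_left < 0:
        findings.append("certificate has expired")
    elif days_left < CERT_WARN_DAYS:
        findings.append(f"certificate expires in {int(days_left)} days")
    return findings


# Constructed sample result standing in for a live probe (not real data).
SAMPLE_NOW = 1_700_000_000.0
SAMPLE_RESULT = {
    "host": "portal.example.com",  # hypothetical vendor portal
    "version": "TLSv1.2",
    "cipher": "ECDHE-RSA-AES128-GCM-SHA256",
    "not_after": SAMPLE_NOW + 10 * 86400,  # expires in 10 days
    "accepts_legacy": True,
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        result, now = probe_tls(sys.argv[1]), time.time()
    else:
        result, now = SAMPLE_RESULT, SAMPLE_NOW
    for finding in assess(result, now) or ["no findings"]:
        print(f"{result['host']}: {finding}")
```

The findings are deliberately coarse: a legacy-protocol handshake or a certificate about to lapse is the same kind of signal the post calls a red flag, and it is something you can confirm yourself before a vendor conversation rather than take on trust.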
While being SOC 2 and ISO 27001 certified is great evidence of a decent security program, these certifications do not come close to painting the full picture of the security of an environment. So, if your SaaS provider does not have a SOC 2 and/or ISO certification, amongst other things, this is another red flag. While certifications do not tell you everything you need to know, it is comforting to see that an effort is being made to become certified not only in security but in data privacy as well (e.g. Privacy Shield and ISO 27018).
Another aspect you may want to consider is the controls in place related to business continuity. Nobody is happy when things break or shut off, and you will want to know how well and how quickly the recovery process is handled. While the previously mentioned certifications incorporate business continuity controls, be on the lookout for specific programs such as ISO 22301 and NIST 800-53.
Aside from those above, other notable mentions include CSA STAR for cloud service providers, the EU Cloud Code of Conduct for the privacy obligations of businesses operating in Europe, and FedRAMP, which applies to cloud products for the United States Federal Government. ThousandEyes maintains a publicly available page here to let you stay up to date on presently valid certifications. More badges are to be added soon!
ThousandEyes has an intensive assessment process to identify and mitigate potential risks in engaging any organization for services. It’s not as simple as security awareness training, encryption, and other security controls. Does the vendor provide any security white papers or other documentation about system security? Do they let you know what you should be doing as a customer to secure your systems through something like a description of user entity controls? If your vendor cannot provide a security white paper that gives a better picture of their security operations, that is yet another red flag. If the vendor cannot answer reasonable questions about things not covered by their assessments or documentation, then that is another red flag.
Now that we have covered many red flags when reviewing a potential vendor, be sure to incorporate them into your next discussion as a means to mitigate risk and possible harm to your organization.
At ThousandEyes, we take pride in our ability to maintain a strong security posture to not only keep our environment safe but our customers and their data as well. We continue to pursue ways to demonstrate our privacy and security commitment to our customers, so keep an eye out for future announcements about new ways we will do this.
While we covered many topics in this article, it is important to acknowledge that not every vendor you engage will be as established, and some may not have the documentation or controls in place that would give you confidence in their security posture. While this is not ideal, it does happen. Should these kinds of engagements be avoided completely? When do you draw the line and decide that a product or service exposes you to too much risk?