IT security for SaaS solutions – what to consider

3 important things to consider before purchasing a SaaS solution

1. Distribution of responsibilities
Start by finding out who is responsible and for what to get a good overview of the solution. Cloud has many different models, Private Cloud where you set up your own environment, run, and manage your own machines. Infrastructure as a Service where you as a customer are responsible for certain parts and the supplier for certain parts. Then there is Platform as a Service, where the supplier handles most of it, and Software as a Service, which we talk about in this article.

It’s your responsibility to ensure that you purchase a product that can handle the security classification of data that the solution will handle. Like buying a car, Volvo is responsible for making sure you can drive the car safely and that it doesn’t crash, but should you crash and get hurt, It’s your problem.

2. Requirements
When evaluating suppliers and during the purchase, it’s important that you have the requirements for security clear so that you can ensure that your data is completely safe with the one you choose.

What a statement of requirements should contain is individual, always start from what kind of data you have in the solution when you set your statement of requirements. For example, if you have credit card information, the solution must be able to handle PCI DSS, and if you have personal data, the solution must follow the GDPR law.

Even though the requirements are individual, the vast majority usually ensure that penetration tests are carried out. Something that’s usually done by the supplier. One tip is to ensure that the supplier brings in a pentester from an independent party. To be extra safe, you should also be required to use your own independent testers when you buy a solution, which almost always is okay. At the end of this article, you will find a list of the most important general things you should include in a security statement.

The suppliers are usually very positive about bringing in an external party and paying for the security tests, but I think you should make sure that the supplier covers that cost. After all, you are the customer and will pay for the product. It’s like buying a car and then taking it to a garage to check if it’s safe, you don’t.

Depending on the SaaS solution you may make customized configurations and integrations. If so, you carry out the tests at your own expense.

Most of the time it is good to ensure your requirements with the supplier during evaluation/before purchase, but unfortunately many find this out too late. This makes you end up in a situation without customized data requirements, which makes the whole thing more complex. Number one is to look at the solution, assess how critical it is for your information and see if there’s something you must/can change. The second is to find out if the supplier is willing to make these changes, which they usually are. From there, you develop a set of requirements that you go through together, looking at what exists today and what needs to be fixed.

The SaaS providers are almost always amenable to change work, but you need to understand that it’s not something that will happen overnight but takes time. If you were to receive a no, you simply have to make a decision whether it is possible to live with the risk or start looking for a new platform.

3. The supplier’s processes around security and testing
Before a purchase is made, it is also important to find out what the supplier’s testing process looks like and how they work with security. You don’t want to have a product owner who prioritize other things but security and its measures.

Find out if they do security testing and, if so, what security testing they do. Find out how they do the tests, who performs the tests, how often they perform them, and what the process looks like to resolve vulnerabilities should they occur. Feel free to ask for evidence to review what the reports look like and how they have resolved previous vulnerabilities (if any).

There should be continuity in their security work, tests should not only be done when someone asks or every three years.

Summary
As more companies have started moving towards different SaaS solutions, the supplier side has completely exploded. Regardless of whether you choose to operate your own or run with SaaS solutions, it is extremely important to ensure that the application, infrastructure, and data are adequately protected. The problem is we often expect security to be in place without verifying or making demands during the purchase, which can lead to fatal consequences in the event of an attack.

We have therefore compiled a checklist of what you should include in your requirements during the purchase phase of a SaaS solution. You’ll find the checklist here.