Buying your next SaaS app: Get answers to 7 key InfoSec questions
January 15, 2025
6 minute read
With both high complexity and large volume, data within SaaS apps can be difficult to protect. Ensuring its privacy and security requires the proper infrastructure, people, processes, and practices in place. This is why security teams require SaaS security assessments. But what’s in them? Get answers to these 7 key InfoSec questions when buying your next SaaS app.
In this article, we explore:
- SaaS security threats
- SaaS vendor and customer responsibilities
- Main InfoSec questions in a complete vendor assessment
- How to limit risk and ensure a secure SaaS stack
SaaS introduces security risk
Understanding the main SaaS security threats is crucial to knowing which questions to ask. SaaS data is a rich target, with threats ranging from inadvertent data loss to rogue actors exfiltrating data, selling it, or demanding a ransom to decrypt it.
Here are 6 common threats that could lead to a SaaS app’s sensitive data exposure or loss:
1. Insider threats. Employees or users with permissions to corporate resources, including app data, are usually considered the largest security threat. Insider threats aren’t always a result of malice. All too often, it’s a well-meaning employee who shares sensitive files indiscriminately or doesn’t think about sharing settings.
2. Inconsistent or incorrect configurations. An incorrect setting, like granting an end user excessive privileges, can expose vulnerabilities, leading to unauthorized access and data loss. Where configurations change often, as in cloud productivity suites, the risk grows. Continuous monitoring is therefore needed, which is an immense task without automation.
3. Cross-site scripting (XSS). Exploiting an app’s coding mistakes, rogue actors can inject malicious script into a web page that a user interacts with. This gives the bad actor access to the user’s browser, lets them hijack the session, and can redirect the user to malicious sites.
4. Lack of visibility into third-party risk. One of the strengths of SaaS is its ability to integrate with third-party systems, including other SaaS apps. This is usually done via a plug-in, which doesn’t require authentication but does need to be maintained. A rogue actor can penetrate a SaaS app through an outdated or insecure integration.
5. Stolen credentials. Stealing user access permissions or exploiting weak passwords is another threat to all organizations. It allows an outsider to impersonate an employee and gain access to sensitive data.
6. Compliance violations. Failing to comply with documented security and privacy policies, as well as legal and industry standards, can result in legal fees, fines, and reputational damage.
So the stakes are high. Both SaaS vendors and the organizations that use them need to make security priority number one.
Securing SaaS is a shared responsibility
What happens after you choose a SaaS app and it moves on to the legal and finance teams? Your company gets a contract that outlines SaaS security responsibilities.
SaaS vendor obligation
Under the shared security model, both the SaaS vendor and the customer carry responsibility. On one hand, the SaaS app vendor assures a secure, highly available application service operating on its own secure physical infrastructure.
When a SaaS vendor experiences a security breach or incident, the root cause is often software vulnerabilities or failures, natural disasters, power outages, or physical intrusions.
Customer obligation
On the other hand, the customer agrees to secure user access, which includes identity management, app access management, and file and data security.
This means that to maintain a high security posture, customers particularly need to guard against human error, programming or configuration errors, insider threats, ransomware, viruses, and stolen credentials.
Securing sensitive data is a shared burden
Depending on the app and the kind of data it stores, the customer and the SaaS vendor may share the responsibility for securing the data within it. This is particularly true if a SaaS app involves sensitive data, like PII or health information. Vendors are responsible and held liable for the data they collect, store, process, or transmit, but so is the customer.
Without complete visibility and a defined SaaS buying process that includes strict SaaS vendor evaluation, shadow IT is a risky inevitability. Unknown SaaS apps lurking in your SaaS environment jeopardize your security posture and your compliance with government and industry regulations.
The security assessment: Getting answers to 7 key InfoSec questions
It can be hard to determine how much you can trust a SaaS vendor. The level of assessment certainly depends on the app and the data involved: the greater the value of the data, the more thorough the security assessment should be. Regardless, when buying a new SaaS app, a full evaluation is essential. Here are 7 key InfoSec questions you should aim to answer.
1. Software-related questions: How does your SaaS vendor create and maintain secure applications?
InfoSec teams want answers about an app’s software development and security practices, like:
- Secure software development practices
- Use of a zero-trust security model, including role-based access controls and least-privilege access
- Integrations to other SaaS apps and platforms
- Integrations with single sign-on solutions
- Most recent updates to integrations and plugins
2. Physical security: How do vendors secure their data centers and networking infrastructure?
Know how your SaaS vendor layers defense to include:
- Firewalls
- Network-based intrusion detection or threat detection systems
- Host-based intrusion detection or threat detection systems
- Regular software updates and patch management processes
- Anti-virus and anti-malware protection
- Automated monitoring, alerting, logging, and analysis
- Physical hardware redundancy
- Routine penetration testing
- Automated reporting on security performance and compliance
3. Data handling: How does your SaaS vendor keep data secure?
If the SaaS vendor stores highly sensitive information, like PII or other federally regulated data, InfoSec teams want to know how the vendor handles data, including:
- Access controls on customer data
- Privacy-enhancing technologies to anonymize data and ensure deletion
- Data segregation to make sure customer data is stored and processed in isolation from other tenants
- Data segregation method, such as separate database schemas or separate database instances
- Data-at-rest encryption, including the protocols used
- Data-in-transit encryption, including the protocols used
- Data retention policies
- Data backup protocol
- Security of each backup vault
4. Service and support: What are the vendor’s service guarantees?
As a service, SaaS apps should come with assurances covering both the app itself and its service and support, so InfoSec teams need to know:
- SaaS service’s monthly uptime and availability
- Service level agreements
- How uptime is monitored and determined
- Customer support levels, like dedicated customer support
- Customer support availability and response time guarantees
- Disaster recovery guarantees
5. Incident response plans: What does the vendor do in the event of a breach?
Security teams should assess a vendor based on its incident response protocol that includes details on:
- Education, training, and drills for response readiness
- Incident or breach containment
- Remediation and recovery
- Customer communications plans
- Incident review, analysis, and steps to strengthen security
6. Compliance: Which certifications does a SaaS app have?
Third-party auditors validate a SaaS app’s security controls, policies, and processes. Some certifications are horizontal, and others apply only to certain industries. Nonetheless, compliance certifications are important indicators of trust, so InfoSec teams want to know both certifications and levels.
Listed in a SaaS vendor’s trust center, some examples include:
- SOC 2 – for SaaS and cloud providers that may store customer data in the cloud; reports are available at different levels
- ISO 27001 – for organizations whose operations are built around information security and data privacy
- PCI DSS – for handling credit card payment data
- HIPAA – for health care organizations with any kind of electronic transaction
- Cloud Security Alliance (CSA) Security, Trust, and Assurance Registry (STAR) – for security and operations in cloud environments
Finally, InfoSec teams need to evaluate whether the software complies with regulations like the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).
7. Contracts: What are key terms and conditions?
The job of any InfoSec team is to limit risk. Since contracts introduce risk, they may want to know about important SaaS contract and spending terms and conditions, like:
- Key renewal dates
- Auto-renewal and termination provisions
- Data ownership and migration rights
Ensure a secure SaaS stack
SaaS security should be at the forefront when buying a new SaaS app. Of course, completing your SaaS vendor assessment is a major step toward achieving it.
But there’s one more important technology that can help: an all-in-one SaaS management platform that helps IT manage the entire SaaS lifecycle.
Add an end-to-end SaaS management platform
By unifying SaaS spend, operations, data governance, SaaS file security, and compliance in an integrated platform, IT benefits in many ways.
You get instant visibility across the entire SaaS stack, complete with app access and usage monitoring. You can eliminate the need to grant excess admin privileges, control granular file sharing at both the individual and group level, and continually scan content to monitor and remediate sensitive data sharing.
With robust, no-code automation capabilities, you can also automate offboarding. Because departing employees’ access to all corporate resources is terminated instantly, risk is reduced. Detailed logs that show workflow executions and file-sharing alerts, and that never expire, make it fast to prove compliance.
Finally, contract and vendor management functionality tracks SaaS vendor compliance certifications and expiration dates, as well as key renewal dates, to eliminate costly auto-renewals.
Use secure SaaS vendors and BetterCloud
By selecting highly secure SaaS vendors and using BetterCloud in your IT tech stack, it’s easier than ever to adhere to security best practices and maintain a high SaaS security posture.
Ready to improve your SaaS stack security? Get a demo now.