In response to increased demand, publishers of cybersecurity solutions have expanded their offering to include a SaaS consumption model.
Several families of tools, hitherto distributed mainly in on-premise mode, have taken the plunge: antimalware, WAF, proxy, SIEM, etc. This trend towards moving security services to the cloud has many advantages, but there are also disadvantages that need to be taken seriously. Moving key security functions and the associated sensitive data to the cloud remains a leap into the unknown.
Countering this trend towards "cloud camouflage" means helping decision-makers to assert their demands for transparency about the level of security provided by the vendor, and enlightening businesses and organisations about the cloud products they consume. Without waiting for the legislator, here are the key questions you should be asking yourself when selecting a SaaS solution, as well as ways of ensuring that you obtain the essential information:
Location
Where is the hosting infrastructure for the SaaS service located?
- in France?
- in the European Union?
- on other continents?
➡️ These elements are sometimes communicated publicly by the publisher in its general terms and conditions of use (GTCU). However, it is sometimes necessary to ask the question explicitly.
Reputation
- What is the publisher's reputation?
- Has it been the target of data leaks or high-profile computer attacks?
- Are its products frequently affected by common vulnerabilities and exposures (CVEs)?
➡️ You'll usually find the answers on the public Internet. You simply need to take the time to do the research. If the publisher publishes references on its site, why not ask its customers for feedback?
Compliance
- How compliant is the publisher?
- What certifications and qualifications has it obtained?
- Are its certifications compatible with the legal and regulatory constraints that apply to you?
➡️ In general, it is in the publisher's interest to publicise its certifications or qualifications (ISO 27001, HDS, SecNumCloud, etc.) However, we recommend that you delve a little deeper into the subject:
- Ask for a copy of the certification and pay close attention to the scope covered. A common misuse is to hide the fact that the certification covers a very small area.
- If the publisher is ISO 27001 certified, ask for its Declaration of Applicability.
- Ask the publisher for audit reports, e.g. ISAE 3402 or SOC 2, ideally type 2.
- Ask them to present their data protection policy and the measures taken to ensure compliance with the RGPD.
- Check that the publisher is listed in the public registers maintained by qualification authorities such as ANSSI (in France) or ENISA (in Europe).
- Submit security questionnaires to the publisher, for example based on the CAIQ (Consensus Assessments Initiative Questionnaire) freely available from the CSA (Cloud Security Alliance).
- Negotiate the possibility of carrying out compliance audits
Maturity
- How mature is the publisher in the software development of its solution?
➡️ Part of the answer should be provided by the compliance elements we have already mentioned, but we recommend that you ask for additional elements:
- Do developers receive training or awareness-raising on computer code security?
- Has the publisher adopted DevSecOps practices?
- Does it regularly carry out penetration tests on its own solution? If so, does it agree to share at least executive summaries of its latest tests?
- Does the publisher allow customers to carry out penetration tests themselves?
Obtaining more information and transparency on SaaS security services is a legitimate expectation, and one that will become more pressing as security solutions migrate to the cloud. Encouraged by users, solution publishers will be more likely to raise the overall level of protection for information systems in France. In this way, we can collectively accelerate the fight against cyber-malware.