To meet the increased demand, cybersecurity solution vendors have expanded their offerings to a SaaS consumption model. Several families of tools, previously distributed mainly in “on premise” mode, have taken the plunge: antimalware, WAF, proxy, SIEM, etc. This trend to move security services to the cloud has many advantages, but also disadvantages that should be taken seriously. Moving key security functions and associated sensitive data to the cloud is a leap into the unknown. 

Countering this trend of “cloud camouflage” means helping decision-makers assert their demands for transparency about the vendor’s level of security, and enlightening businesses and organizations about the cloud products they consume. Without waiting for legislation, here are the key questions you should ask yourself when selecting a SaaS solution, along with some pointers to ensure you get the information you need:

Localization

Where is the hosting infrastructure that carries the SaaS service located?

• in France?

• in the European Union?

• on other continents?

➡️ The vendor sometimes states this publicly in its general terms of use (GTU). It is nevertheless often necessary to ask the question explicitly.

Reputation

• What is the vendor’s reputation?

• Has it suffered data leaks or high-profile cyberattacks?

• How often are its products affected by common vulnerabilities and exposures (CVEs)?

➡️ You can usually find the answers on the public Internet; you just need to take the time to do the research. If the vendor lists customer references on its site, why not ask those customers for feedback?

Compliance

• What is the vendor’s level of compliance?

• What certifications and qualifications has it obtained?

• Are its certifications compatible with the legal and regulatory constraints that apply to you?

➡️ In general, it is in the vendor’s best interest to advertise its certifications or qualifications (ISO 27001, HDS, SecNumCloud…). However, we recommend that you dig a little deeper into the subject:

• Ask for a copy of the certificate and pay attention to the scope of the certification. A frequent abuse consists in hiding the fact that the certification covers only a very small scope.

• If the vendor is ISO 27001 certified, ask for its Statement of Applicability (SoA).

• Ask the vendor for audit reports, e.g. ISAE 3402 or SOC 2, ideally type 2.

• Ask the vendor to present its data protection policy, as well as the measures taken to ensure compliance with the GDPR.

• Check whether the vendor appears in the public registers maintained by the qualification authorities, such as ANSSI (in France) or ENISA (in Europe).

• Submit security questionnaires to the vendor, for example based on the Consensus Assessments Initiative Questionnaire (CAIQ), which is freely available from the Cloud Security Alliance (CSA).

• Negotiate the right to conduct compliance audits.

Maturity

• How mature are the vendor’s software development practices for its solution?

➡️ Part of the answer should come from the compliance items already cited, but we recommend asking for additional evidence:

• Do developers receive secure coding training or awareness sessions?

• Has the vendor adopted DevSecOps practices?

• Does the vendor regularly perform penetration tests on its own solution? If so, does it agree to share at least the executive summaries of its latest tests?

• Does the vendor allow customers to perform their own penetration tests?

Getting more information and transparency about SaaS security services is a legitimate expectation, and one that will become more pressing as security solutions migrate to the cloud. Driven by their users, solution providers will be more inclined to raise the overall level of protection of information systems in France. This will enable us to collectively accelerate the fight against malicious cyber activity.
