
The Cloud Shared Responsibility Model

When you sign on with a Software as a Service (SaaS) provider, you can't "set it and forget it", even though your SaaS provider controls your software, data and the infrastructure it resides on.
 
You still have responsibilities, too.
 
The Shared Responsibility Model stipulates which party is responsible for the various parts of the SaaS relationship.
 
For instance, if a data breach occurs, you can't throw up your hands, shrug your shoulders, and say, "Well, that's my SaaS provider's problem."
 
You share the responsibility for data security with your SaaS provider, including ensuring that your clients and vendors are contacted about the breach in a timely manner that conforms to your jurisdiction's regulations.
 
Thus, during the Vendor Risk Assessment for potential SaaS providers, you want to see the contenders' Cyber Security policy, including their timeliness in reporting breaches to all affected parties.
 
If a contending provider's reporting policy doesn't match yours, you need to have matching reporting terms written into the contract, or look elsewhere.
 
Case in point -- while performing a VRA for an insurance client, I discovered that one of the three finalists settled a lawsuit for $20 million for not reporting a data breach to its clients in a timely manner. In fact, it didn't report the breach for six months and that resulted in the lawsuit more than the breach itself. That made the insurance client uncomfortable enough to dismiss that finalist from consideration.
 
What things might you be responsible for?
  • Security of your workstations and devices used to access the software in the Cloud
  • User credentials and their security (e.g., password strength requirements)
  • Security on your internal network
  • Your custom configurations of the software, including who you grant access to and what they are allowed to do
What are some things your SaaS provider might be responsible for?
  • The Cloud networking infrastructure its software is deployed on
  • Maintaining the network per the terms of the Contract and the Service Level Agreement (e.g., uptime guarantee)
  • Security of its network
  • Technical support
Look over the Contract and Service Level Agreement thoroughly. Ideally, each responsibility will be assigned clearly to one party, not left ambiguous between both; an item that neither party believes it owns is the one that goes unattended.
 
Also, make sure you are comfortable with your provider's policies and corporate culture before signing a two- to three-year contract that will be difficult to escape without financial penalty, not to mention having to go through the SaaS selection process again.
 

To learn how a Vendor Risk Assessment can smooth the SaaS selection process, contact me at 302-537-4198, ericm@edminfopro.com or our Contact form.

You can also download a copy of our FREE e-Book, "Find Your Cloud 9's", to learn more about what's involved in properly performing such assessments, or request an online meeting.