Securing New Ground
 
Security-as-a-Service: What to Look for in a Provider
By Steve Van Till, President & CEO, Brivo Systems

With more and more vendors beginning to offer Security-as-a-Service or "cloud" applications, it's important for buyers to be aware that not all services are created equal, particularly when it comes to protecting your data.

To help with this, we have put together our own top five guidelines, below, for anyone who is evaluating this important new delivery model.

  1. What controls are in place for access to your data?

The question here is not whether your SaaS vendor's employees can access your data. They probably can, and under certain circumstances they should. The question is whether controls and audit trails are in place that can tell you when they did. Common legitimate cases are technical support and responding to an alarm or emergency event. Outside those cases, and any others spelled out in your vendor's Service Level Agreement, there should be no access whatsoever, and every access that does occur should be logged, attributable to a named individual, and available to you on request. External audit reports should confirm that these controls actually operate as described.

  2. Information System Audits or Standards

Your vendor should be able to provide an external audit report on its information security practices and controls. Audit standards to look for include SAS 70, SysTrust, WebTrust, and ISO 27001, to name just a few. (SAS 70 has since been superseded by the SSAE 16 standard and the SOC 1 and SOC 2 reports; a SOC 2 Type II report is the one to ask for today.) Read the report's scope as well as its conclusion: an auditor tests only the controls the vendor chose to put in scope, so a clean opinion on a narrow scope tells you little about the service you are buying. If a vendor has not had its practices audited to at least one of these standards, you are assuming far more risk than is reasonable.

  3. Data center location, redundancy, and disaster recovery

Physical security of the data center used by a SaaS vendor is critical to the protection of your data. First and foremost, it should be a secure, dedicated data center, not a few servers in a back closet. At a minimum it should have 24x7 guards, perimeter access control, positive photographic ID, and other restrictions on who may enter the facility and when. There should also be more than one such facility, with redundancy and disaster recovery spread across a wide enough geographic area that a single regional event (a grid failure, hurricane, or earthquake) cannot take the service down.

  4. Dedicated network

As part of maintaining a secure data center, the network used by the SaaS vendor's production equipment should be a dedicated network. It should have no end users on it and carry no traffic other than what is needed to provide the stated service. Most malware arrives through "office" traffic (e-mail, web browsing, employee workstations), which is why the production environment should never share a network segment with the vendor's own local area network. Administrative access into it should cross a controlled boundary, not a flat LAN.

  5. Is data encrypted? How?

Data may be encrypted while in motion and while at rest. Both matter, and you should discuss both with your vendor. For Web-based service providers, data in motion is most commonly protected with TLS (still widely called SSL); ask which protocol versions and cipher suites the service accepts, since the old SSL versions are no longer considered secure. You also need to think about what happens to your data when it reaches its destination, usually a disk somewhere, and whether it is protected there. Ask where the encryption keys are kept and who can use them: disk encryption with keys held on the same server protects against a stolen drive, but not against an administrator or an attacker with access to the running system.

Securing New Ground: 10100 Sherman Road   •   Chardon, Ohio 44024
Tel: 440-285-4444   •   Fax: 440-337-3442
www.SecuringNewGround.com