The SaaS problem landscape
There is no shortage of cloud software services for businesses to choose from. Whatever the business need, there will be a myriad of solutions for it. Instead of a few grand do-it-all platforms, IT has become a swarm of interplaying, interoperating and interconnected services. It is no surprise that services like Zapier and IFTTT are thriving in this ecosystem, where they become the glue that automates the gaps between them. The future is surely bright.
IT Vendor Risk Management is Real
This new golden era of SaaS business glue comes with its own set of problems. A growing set of issues around data security and vendor risk management has emerged. The revolution described above is driven by management and by employees who are constantly striving to get their jobs done more efficiently, which opens the door to quick, cheap and cheerful SaaS tooling in abundance. In many cases companies do not even know, let alone manage, the myriad of SaaS tools that their employees use. This is often referred to as Shadow IT, and it is a security nightmare.
What are the Major Shadow IT Security Risks?
Shadow IT refers to software or hardware used within an organisation that is not supported by its central IT department. The term usually carries a negative undertone, since it implies the tool has never been reviewed or approved from a security standpoint. Earlier, the term covered systems set up by business units outside the control of those managing the organisation's security; with the consumerisation of cloud computing it now also includes the personal technology and self-service cloud tools used by every employee of an organisation.
I see two major problems with Shadow IT today:
- Unmanaged security around how your employees are using various tools
- Unchecked security, quality and privacy of the vendors in question
While the first can be mitigated by a good IT culture, policies and security tooling, the second is a harder nut to crack, since the problem lies outside your organisation. It lies with the vendors.
How can our business be confident that our myriad of vendors adhere to the same standards of quality, privacy and security that we do?
How can we ensure the quality of Cloud Security Software Vendors?
In some regulated sectors, for example pharma, there can be strict guidelines requiring vendors to adhere to heavyweight standards such as ISO 9001 (or, on the security side, ISO/IEC 27001). For the most part, however, this approach is not practical, since SaaS vendors may be too small and moving too fast to take on that mammoth task.
Instead, there needs to be a middle ground where buyers can obtain some assurance about vendor characteristics in this fast-paced SaaS world. In the absence of a good answer to this problem, the gap must be filled with diligence on the part of the buyer and rigour and transparency on the part of the vendors.
In the meantime, I find the following steps useful for assessing and assuring the quality of a security-as-a-service vendor:
Define your Desired Criteria
While pondering this problem, I recently came across a great tool from ENISA (the EU Agency for Cybersecurity), roughly the EU equivalent of the cyber-security part of the US-based NIST. The tool is called the SME Cloud Security Tool. It approaches the problem by looking at the opportunities and risks across a variety of characteristics. A set of sliders lets a buyer quickly build selection criteria in areas such as geographical spread or security add-ons, and in each case dictate how important that characteristic is to them. The output is a weighted shortlist of what matters to your business, which is exactly what you need before talking to any vendor.
Approach Vendors who Meet the Quality Rigor
Once we know our criteria as a buyer, we can look for the SaaS vendors who meet them. This is where it gets tricky and time consuming. We need to examine each vendor's quality and security standards and their privacy policies. While GDPR has levelled the playing field for privacy policies, assurance of a vendor's quality rigour is much harder to establish, because there is no comparable regulation forcing vendors to publish it.
Choose the Most Transparent Vendor
Even where a vendor's security is strong, a lack of transparency about its quality and rigour standards is a valid reason for a business not to trust a cloud security vendor: what cannot be seen cannot be assessed. Invariably it will be the transparent SaaS vendors who rise to the top.
At Octiga, we treat this criterion with the utmost seriousness. We have therefore made all the information on our security and quality rigour easily accessible to our users. Our commitment to quality ensures that our clients receive the expected product functionality and service standards. Our product quality assurance gives businesses the confidence that the product is safe to use and that their data is secure.